Configure Trusted Roots and Disallowed Certificates Updated August 2. Applies To Windows 8. Windows Server 2. R2. The Windows Server 2. R2, Windows Server 2. Windows 8. 1, and Windows 8 operating systems include an automatic update mechanism that downloads certificate trust lists CTLs on a daily basis. In Windows Server 2. R2 and Windows 8. CTLs are updated. Important Software updates are available for Windows Server 2. Windows Server 2. R2, Windows Server 2. Windows 8, Windows 7, and Windows Vista. To provide the enhancements of the automatic update mechanism that are discussed in this document, apply the following updates For Windows Server 2. R2, Windows Server 2. Tip In Windows 7, you can synchronize your computer clock with an Internet time server to keep the computer clock up to date. To do this, select the date or time in. A simple fix to the windows update already installed error. As for the activation of Windows server 2008, please refer to Microsoft Activation Centers httpwww. Windows Update 0x80244035 Fix, Clean WINDOWS UPDATE 0X80244035 And Optimize PC SPEED Up Your PC FREE Scan Now Recommended. Blue Screen 21A. Error 0x80072EFD is an Activation Error now seen in Office 3 carried over from its prepredecessors, simply meaning that Office cannot be activated. Windows-10-The-Server-Stumbled-0x80072EFD-regedit-4-Windows-Wally.png' alt='Microsoft Update Error Number 0X80072efd Windows' title='Microsoft Update Error Number 0X80072efd Windows' />Windows 7, or Windows Vista, apply the appropriate update listed in document 2. Microsoft Knowledge Base. For Windows Server 2. Windows Server 2. R2, Windows Server 2. Windows 8, Windows 7, or Windows Vista, apply the appropriate update listed in document 2. Microsoft Knowledge Base. The Microsoft Root Certificate Program enables distribution of trusted root certificates within Windows operating systems. For more information about the list of members in Windows Root Certificate Program, see Windows Root Certificate Program Members List All CAs. Trusted root certificates are meant to be placed in the Trusted Root Certification Authorities certificate of the Windows operating systems. These certificates are trusted by the operating system and can be used by applications as a reference for which public key infrastructure PKI hierarchies and digital certificates that are trustworthy. When you want to distribute trusted root certificates, the list of trusted root certificates is stored in a CTL. Client computers access the Windows Update site by using the automatic update mechanism to update this CTL. Note The list of trusted root certificates is called the trusted CTL. Untrusted certificates are certificates that are publicly known to be fraudulent. Like the trusted CTL, the list of untrusted certificates is stored in a CTL. Client computers access the Windows Update site by using the automatic update mechanism to update this CTL. Prior to Windows Server 2. R2 and Windows 8. An administrator could not selectively enable or disable one or the other. This resulting in the following challenges The following improved automatic update mechanisms for a disconnected environment are available in Windows Server 2. R2 and Windows 8. Registry settings for storing CTLs New settings enable changing the location for uploading trusted or untrusted CTLs from the Windows Update site to a shared location in an organization. For more information, see the Registry settings modified section. Synchronization options If the URL for the Windows Update site is moved to a local shared folder, the local shared folder must be synchronized with the Windows Update folder. This software update adds a set of options in the Certutil tool that administrators can use to enable synchronization. For more information, see the New Certutil Options section. Tool to select trusted root certificates This software update introduces a tool for administrators who manage the set of trusted root certificates in their enterprise environment. Administrators can view and select the set of trusted root certificates, export them to a serialized certificate store, and distribute them by using Group Policy. For more information, see the New Certutil Options section in this document. Independent configurability The automatic update mechanism for trusted and untrusted certificates are independently configurable. This enables administrators to use the automatic update mechanism to download only the untrusted CTLs and manage their own list of trusted CTLs. For more information, see the Registry settings modified section in this document. In Windows Server 2. R2 and Windows 8. Microsoft CTLdisallowedcertstl. CTL with untrusted certificatesdisallowedcert. Microsoft root certificates. The steps to perform this configuration are described in the Configure a file or web server to download the CTL files section of this document. By using Windows Server 2. R2 and Windows 8. Configure Active Directory Domain Services AD DS domain member computers to use the automatic update mechanism for trusted and untrusted CTLs, without having access to the Windows Update site. This configuration is described in the Redirect the Microsoft Automatic Update URL for a disconnected environment section of this document. Configure AD DS domain member computers to independently opt in for untrusted and trusted CTL automatic updates. This configuration is described in the Redirect the Microsoft Automatic Update URL for untrusted CTLs only section of this document. Examine the set of root certificates in the Windows Root Certificate Program. This enables administrators to select a subset of certificates to distribute by using a Group Policy Object GPO. This is configuration is described in the Use a subset of the trusted CTLs section of this document. Important All the steps shown in this document require that you use an account that is a member of the local Administrators group. For all Active Directory Domain Services AD DS configuration steps, you must use an account that is a member of the Domain Admins group or that has been delegated the necessary permissions. The procedures in this document depend upon having at least one computer that is able to connect to the Internet to download CTLs from Microsoft. The computer requires HTTP TCP port 8. TCP and UDP port 5. This computer can be a domain member or a member of a workgroup. Currently all the downloaded files require approximately 1. Download Driver For Easycap Dc60 Video. MB of space. The settings described in this document are implemented by using GPOs. These settings are not automatically removed if the GPO is unlinked or removed from the AD DS domain. When implemented, these settings can be changed only by using a GPO or by modifying the registry of the affected computers. The concepts discussed in this document are independent of Windows Server Update Services WSUS. You do not have to use WSUS to implement the configuration discussed in this document. If you do use WSUS, these instructions will not affect its functionality. Implementing WSUS is not a substitute for implementing the configurations discussed in this document. To facilitate the distribution of trusted or untrusted certificates for a disconnected environment, you must first configure a file or web server to download the CTL files from the automatic update mechanism. Tip The configuration described in this section is not needed for environments where computers are able to connect to the Windows Update site directly. Computers that can connect to the Windows Update site are able to receive updated CTLs on a daily basis if they are running Windows Server 2. Windows 8, or the previously mentioned software updates are installed on supported operating systems. For more information, see document 2. Microsoft Knowledge Base. To configure a server that has access to the Internet to retrieve the CTL files. Create a shared folder on a file or web server that is able to synchronize by using the automatic update mechanism and that you want to use to store the CTL files. Tip Before you begin, you may have to adjust the shared folder permissions and NTFS folder permissions to allow the appropriate account access, especially if you are using a scheduled task with a service account. For more information on adjusting permissions see Managing Permissions for Shared Folders.