forums.wsusoffline.net

I started WSUSOffline 8.4 downloader and it told me my root certs were outdated. I checked and my Windows 7 x64 computer is up-to-date so I don't know why I'm seeing that message. The exact message was:

Your list of Trusted Root Certificates is outdated. Would you like to update it now?

I chose yes, and then I was given a UAC for "Windows Root Certificate Update December 2012". What's going on here? Should I be seeing that? My computer is up to date.

Thanks

Yes. Usually Windows keeps its trusted certificate list current, but sometimes that mechanism can fail. Trusted cert updates are not listed in Windows Update/Microsoft Update.

If you deny that update WSUSOU will not work right. All downloaded MS files will have their signatures checked, and that check needs the root certs.

boco wrote:Yes. Usually Windows keeps its trusted certificate list current, but sometimes that mechanism can fail. Trusted cert updates are not listed in Windows Update/Microsoft Update.

I'm very surprised. Do a lot of people report this issue or is it just me?

A few have, thus the community opted for this change. If you let it update the certs you eliminate a potential error condition, where the system deletes the catalog file right after download, because the signature check fails (due to missing root certificate).

According to some M$ sites the trusted certificate list is updated once you encounter a site with an unknown certificate. This may not work from the command prompt which WOU uses.
To prevent issues with file deletions because of outdated signatures this new signature update mechanism was introduced with version 8.4
It's somewhat strange to see a message about a 12/2012 update, the most recent file should be from April/May 2013 (but the message may have come from the revoked signature updates which is from this timeframe).
It's a problem on XP as these updates are listed as optional, I have not seen them installed via autoupdates either.

Yep, on Windows Vista, 7 and 8 I have never seen that update listed at all. MS admitted that in some cases the automatic retrieval doesn't work and thus the rvkroots update works for these OS, too, despite being designated for XP.

When those certificates are updated, is your RDP connection being killed? The first time I started the updates download, I was disconnected from the host, and when I reconnected all open windows were closed as if the explorer task bar had crashed. Kinda creepy, and now I don't know if there's a virus.

You can test that after the download completed, just manually install .\client\win\glb\rootsupd.exe. If the RDP is killed again, it is caused by the root certificates.

Could be that update restarts (a) service(s) to reload the new certs.