Microsoft Security Advisory 3050995 - how to verify certificates are being updated

The Security Advisory states that Windows 8.1 and Server 2012 (both of which we use exclusively), update certs automatically.  However, how do I verify that?

The MCSHOLDING TEST CNNIC ROOT revocation doesn't appear anywhere when viewing the Certificate stores in the MMC.

Hope someone can shed light on this; just assuming "it works" isn't really a security solution :-0

Thanks,

George

May 10th, 2015 7:01am

Hi GFYA,
The main issue is to verify whether the certificate store has been updated, right?
We can check for Event ID 4112 in the Event Viewer.
Event Viewer\Windows Logs\Application, filter on this Event ID.
If the certificate has been updated, we will get an event like this:
Source: CAPI2
Level: Information
Event ID: 4112
Description: Successful auto update of disallowed certificate list with effective date: Monday, March 23, 2015 (or later).

Here is a link for reference (pay attention to the "After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store?" part):
Microsoft Security Advisory 3050995
https://technet.microsoft.com/en-us/library/security/3050995.aspx?f=255&MSPPError=-2147217396

Best regards

May 12th, 2015 4:12am

Hi MeipoXu,

The CAPI2 operational event log is disabled by default, and I recently enabled it with PowerShell.  So now I have a bunch of events, but none are 4112.  If an update occurred before I turned it on, that's not going to appear.

So, I'll have to check regularly, drag.  Meanwhile, can it be determined via any of the MMC snap-ins or any other means?

Kind Regards

G

May 12th, 2015 8:39am

Hi GFYA,

"can it be determined via any of the MMC snap-ins or any other means?"

Yes, we can check it from the MMC snap-in.

"In the Certificates MMC snap-in, verify that the following certificate has been added to the Untrusted Certificates folder:

Certificate: MCSHOLDING TEST
Issued by: CNNIC ROOT
Thumbprint: e1 f3 59 1e 76 98 65 c4 e4 47 ac c3 7e af c9 e2 bf e4 c5 76"

Please check the link as I posted before.

Best regards

May 12th, 2015 10:00pm
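As an added example (not from any post in this thread, and not Microsoft's own tooling), the following PowerShell function checks both signals the two replies above describe: CAPI2 event 4112 in the Application log, and the MCSHOLDING TEST certificate in the Untrusted (Disallowed) store matched by the thumbprint quoted from the advisory. It assumes the standard Cert: drive paths for the Untrusted Certificates folder.

```powershell
# Added example for this thread; not from the posts above or from Microsoft.
# Checks the two signals the replies describe:
#   1. CAPI2 event 4112 in Windows Logs\Application ("Successful auto update of disallowed certificate list")
#   2. the MCSHOLDING TEST certificate in the Untrusted (Disallowed) store, by the advisory's thumbprint
function Test-DisallowedCtlUpdate {
    param(
        # Thumbprint quoted in the advisory, with the spaces removed
        [string]$Thumbprint = 'E1F3591E769865C4E447ACC37EAFC9E2BFE4C576'
    )

    # Event 4112 is written to the main Application log with source CAPI2; the
    # CAPI2 Operational log (disabled by default) is a different log and is not needed here.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4112 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*CAPI2*' } |
        Sort-Object TimeCreated -Descending

    # The "Untrusted Certificates" folder in the MMC is the Disallowed store on the Cert: drive.
    # Both the computer and the user store are checked, as George did in the MMC.
    $certs = Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Event4112Logged   = [bool]$events
        LastEvent4112     = if ($events) { $events[0].TimeCreated } else { $null }
        LastEvent4112Text = if ($events) { $events[0].Message } else { $null }
        CertInDisallowed  = [bool]$certs
    }
}

# As the thread reports, the certificate may not appear as a separate entry under Untrusted
# Certificates even after 4112 has been logged, so Event4112Logged is the more reliable signal;
# note that clearing the Application log removes that evidence as well.
Test-DisallowedCtlUpdate | Format-List
```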

Hi MeipoXu,

In the Untrusted Certificates there's nothing; in the subfolder Certificate Trust List below Untrusted Certificates there's just "[not available]" with a 2012 date stamp. Checked Computer and User stores.

So, seems like it hasn't updated.

And of course I read that link, that's the subject of this thread and what triggered it. :)

So, if it isn't updating (checked 3 Win 8.1 64-bit and one Server 2012 R2 Essentials, all fully updated), what does that imply and how can it be corrected?

Many thanks

May 13th, 2015 5:06am

Hi GFYA,

We can try to run "wusa /uninstall /KB:3050995" to verify whether this update has been installed. I suspect this update has not been installed, so the certificate store won't be updated.

If it is not installed, we can try to manually install it to have a check.

Best regards

May 13th, 2015 10:35pm

No, it's not installed because it's for Windows 7. The KB article for KB3050995 says:

Update for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2

Because these systems are automatically protected, no action is needed.

So, nope.  This isn't the case.  And the other links there that do refer to Windows 8.1/Server 2012 are for updates for disconnected environments, so that doesn't apply.

May 15th, 2015 7:55am

>The CAPI2 operational event log is disabled by default, and I recently enabled it with PowerShell. So now I have a bunch of events, but none are 4112. If an update occurred before I turned it on, that's not going to appear.
>
>So, I'll have to check regularly, drag. Meanwhile, can it be determined via any of the MMC snap-ins or any other means?

You may have misread the instructions.

Event 4112 appears in the main Windows Application event log.  I just looked in mine (on Win 8.1) and see two such events, one logged March 17, 2015, and another on March 24, 2015.

Like you, what I don't see is any human-readable evidence of "MCSHOLDING..." anywhere under the "Untrusted Certificates" heading.  There is a [ not available ] Certificate Trust List shown, containing a bunch of entries issued to "Not available" with thumb print hex values none of which start with "e1".

May 16th, 2015 11:45pm

Noel,

Thanks for your comment, good catch on the log file and I had looked for it in the Trust List like you with no success.

Most of our machines had their event logs cleared out recently due to wonky software that flooded them with errors bloating them to massive size.  Found a laptop that hadn't had that software and lo, yes that 4412 entry was there.

So basically, it's really aptly named "Trust List" since I guess we have to trust these things really are updated.

If upvotes applied here, definitely +1.  I could mark this as answer, but perhaps someone else may have figured out something else to actually ensure that these certs are being properly updated and not leaving it to trust.  Basically I like "trust but verify" for the important stuff.

Kind Regards,

George

May 17th, 2015 9:25am

You're welcome, George.

No, mine's not an answer, just supporting info - especially since we still can't directly verify whether the exclusion is actually in place.

>"trust but verify"

Microsoft is moving into an era where they expect unprecedented trust in their Windows Update system, and are providing us less information to describe the technical nature of the updates.

Basically, more "trust" and less "verify".

In this particular case, no specific file change information is provided in the KB article, as can be seen in many (and possibly with good reason, since entries inside an existing file are purportedly changed). Unfortunately even MeipoXu couldn't give a specific set of instructions to allow us to perform a successful ad hoc "verify" operation in this case.

Now, generally speaking (from the perspective of one who's run Windows since there was a Windows product, and who only ever installs an OS once on a given machine), I've always had pretty good results from keeping up with all the updates (important and optional), so their track record is pretty good.  The system HAS been getting better.  It's just that losing a little bit of control raises my concern levels.

-Noel

May 17th, 2015 5:07pm

>If upvotes applied here, definitely +1.

I'm personally not at all concerned with points, but JFYI an upvote is possible on this forum.  The little arrow to the left of the post above the number is the way.

-Noel

May 17th, 2015 5:12pm
