Windows Server 2008
(This wiki page is part of a pilot program to remove topics such as this one from the TechNet and MSDN libraries and move them to the wiki.)
The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site. Specifically, there is a list of trusted root certification authorities (CAs) stored on the local computer. When an
application is presented with a certificate issued by a CA, it will check the local copy of the trusted root CA list. If the certificate is not in the list, the Automatic Root Certificates Update component will contact the Microsoft Windows Update Web site
to see if an update is available. If the CA has been added to the Microsoft list of trusted CAs, its certificate will automatically be added to the trusted certificate store on the computer.
The Automatic Root Certificates Update component downloads a cabinet (.cab) file to the temporary directory on the local computer, extracts the contents of the file, and then updates the root certificate list. The correct permissions must be applied to the
temporary directory in order for the cabinet file to install correctly.
To check the permissions on the temporary directory:
See KB 2328240 Event ID 4107 or Event ID 11 is logged in the Application log in Windows and in Windows Server
You can verify that the Automatic Root Certificates Update component is working properly by using a Web browser to open a Web site that requires the Automatic Root Certificates Update component. When you open this Web site, a new root certificate is downloaded
from the Microsoft Windows Update Web site. If the certificate is downloaded successfully, Event ID 1 in the Microsoft-Windows-CAPI2 event source will be written to the event log.
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To verify that Event ID 1 is being written to the event log:
Automatic Root Certificates Update Configuration
Forum thread on this issue
There is normally no logged in user for Windows Server 2008 so what account is %userprofile% set to for the server?