Event ID 11 — Automatic Root Certificates Update Configuration

Applies To

Windows Server 2008


The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site. Specifically, there is a list of trusted root certification authorities (CAs) stored on the local computer. When an application is presented with a certificate issued by a CA, it will check the local copy of the trusted root CA list. If the certificate is not in the list, the Automatic Root Certificates Update component will contact the Microsoft Windows Update Web site to see if an update is available. If the CA has been added to the Microsoft list of trusted CAs, its certificate will automatically be added to the trusted certificate store on the computer.

Event Details

Product:  Windows Operating System 
Event ID:  11
Source:  Microsoft-Windows-CAPI2 
Version: 6.0 
Message: Failed extract of third-party root list from auto update cab at: <%1> with error: %2. 


Check permissions on the temporary directory

The Automatic Root Certificates Update component downloads a cabinet (.cab) file to the temporary directory on the local computer, extracts the contents of the file, and then updates the root certificate list. The correct permissions must be applied to the temporary directory in order for the cabinet file to install correctly.

To check the permissions on the temporary directory:

  1. Navigate to the temporary directory on the local computer. By default, the temporary directory is located at %userprofile%\AppData\Local\Temp.
  2. Right-click the temporary directory, and then click Properties.
  3. Click the Security tab.
  4. Ensure that the user account logged on to the computer has Full Control permissions.


Clear the CryptNetURLCache folder

See KB 2328240, "Event ID 4107 or Event ID 11 is logged in the Application log in Windows and in Windows Server".



You can verify that the Automatic Root Certificates Update component is working properly by using a Web browser to open a Web site that requires the Automatic Root Certificates Update component. When you open this Web site, a new root certificate is downloaded from the Microsoft Windows Update Web site. If the certificate is downloaded successfully, Event ID 1 in the Microsoft-Windows-CAPI2 event source will be written to the event log.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that Event ID 1 is being written to the event log:

  1. Click Start, and then click Control Panel.
  2. Double-click Administrative Tools, and then click Event Viewer.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Expand Windows Logs, and then click Application.
  5. Look for an event with a Source named CAPI2 and an Event ID of 1.
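The permission check and the event log check above can also be scripted. The following PowerShell is an added example, not part of the original article or a Microsoft-supplied script. It assumes a PowerShell version that provides Get-WinEvent, and its rights calculation is an approximation built from the ACL entries that match the current user's SID and group SIDs.

```powershell
# Added example: checks the temp directory ACL and recent CAPI2 events.
$temp = $env:TEMP   # by default %userprofile%\AppData\Local\Temp
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# Read the ACEs keyed by SID so they can be matched against the logon token.
$rules = (Get-Acl -Path $temp).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])

$allow = 0
$deny  = 0
foreach ($r in $rules) {
    if ($sids -notcontains $r.IdentityReference.Value) { continue }
    # Inherit-only ACEs apply to children, not to the directory itself.
    if ($r.PropagationFlags -band
        [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
    if ($r.AccessControlType -eq 'Allow') {
        $allow = $allow -bor [int]$r.FileSystemRights
    } else {
        $deny = $deny -bor [int]$r.FileSystemRights
    }
}

# Deny entries take precedence over Allow entries.
$full      = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$effective = $allow -band (-bnot $deny)
$hasFull   = ($effective -band $full) -eq $full
"{0}: Full Control for {1} = {2}" -f $temp, $id.Name, $hasFull

# Event ID 11 = cab extraction failed, Event ID 1 = root update succeeded.
# Get-WinEvent returns the newest events first.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 1, 11
} -MaxEvents 50 -ErrorAction SilentlyContinue)

$lastFail = $events | Where-Object { $_.Id -eq 11 } | Select-Object -First 1
$lastOk   = $events | Where-Object { $_.Id -eq 1 }  | Select-Object -First 1

if (-not $lastFail) {
    "No Event ID 11 found in the most recent CAPI2 events."
} elseif ($lastOk -and $lastOk.TimeCreated -gt $lastFail.TimeCreated) {
    "Event ID 1 at {0} is newer than the last Event ID 11 at {1}." -f `
        $lastOk.TimeCreated, $lastFail.TimeCreated
} else {
    "Last Event ID 11 at {0} has no later Event ID 1: {1}" -f `
        $lastFail.TimeCreated, $lastFail.Message
}
```

Run it as the user account that logged the event, because both the temporary directory and the permissions being checked are per user.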

Related Management Information

Automatic Root Certificates Update Configuration

Core Security
