Root Certificates required for MS Certs RRS feed

  • Question

  • Hi guys! Our server estate is disconnected from the internet. As such, the server cannot auto-updated their root trust stores from MS. Whilst MS provide a option to download the MS trusted root list and distributed it internally, this distribute the entire trust list and our security team only like to selectively add root certs to the trusted root stores. As such we simply add the root certs we wish to trust to a GPO and this GPO distributes them to the servers stores.

    Now, I noticed that some patches form MS were failing on some servers as the cert used to sign the patches was not trusted. This cert lead back to a root cert that wasn't trusted. 

    So, is there a list of the specific MS root certs we need to trust in order for the patches to be trusted? 

    Tuesday, September 12, 2017 4:13 PM

All replies

  • Hello,

    We should find the certificates used for those patches by right click it and select properties:

    Please check which certificate is not trusted. 


    Yan Li

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Yan Li_ Tuesday, September 19, 2017 5:12 AM
    Wednesday, September 13, 2017 5:32 AM