Verify KB2916652 on Windows 2012


  • Hi,

    So, I have been a Windows 7 user and have just migrated to Windows 2012 couple of months ago. I'm currently trying to install ( on 4 machines I have in my home network.

    With Windows 7, you could just look at HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates and see which ones have been disallowed. But, with none of these machines this is true. Nor does the "Installed Updates" show this KB. I also checked %APPDATA%\Microsoft\SystemCertificates\My\Certificates to see if this has been updated or not, found that it hasn't.

    Not that this is important, but I wanted to know where does a Windows 2012 machine store the disabled CTL?

    - M.

    Why do you click on start to exit Microsoft Windows?

    • Edited by Metahuman Monday, January 20, 2014 8:14 AM Edited the title
    Monday, January 20, 2014 8:11 AM

All replies

  • Hi,

    Thanks for your posting.

    Please check this article:

    An update is available that enables administrators to update trusted and disallowed CTLs in disconnected environments in Windows


    Vivian Wang

    • Marked as answer by Vivian_WangModerator Tuesday, January 28, 2014 11:08 AM
    • Unmarked as answer by Metahuman Thursday, February 27, 2014 10:14 AM
    Tuesday, January 21, 2014 8:16 AM
  • Hi Vivian,

    I was away on a vacation and hence I could not reply earlier. Thanks for your answer too!

    I read KB2813430, but this does not answer my question. How do I manually verify if was installed on my system or not?

    I think I read somewhere that Windows 2008 onwards does not add to the HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates registry key nor does it update %APPDATA%\Microsoft\SystemCertificates\My\Certificates.

    If CAPI2 logging is disabled, reading the eventlog wont help either. Is there a particular setting I can check for?



    Why do you click on start to exit Microsoft Windows?

    Thursday, February 27, 2014 10:14 AM
  • Hi Metahuma,

    did you investigate further? I have the issue that the CRL were "updated", so shown in eventvwr for applications - event ID 4112, but the certificates are still not imported.

    How do I force the machines to poll the CRL (again)?

    Wednesday, July 23, 2014 3:05 PM