This content has been marked as final. Show 4 replies
You are correct root update package is intended for XP only and can be applied to 2003, with known issue. We will remove other affected products in the next XML release.
OK, thanks for the update.
Also, it seems I was not right in thinking that the Automatic Root Certificates Updates would periodically download all of the root certificates in a manner analagous to manually applying the latest KB931125 hotfix. Instead, it seems that whenever Windows encounters a cert that it doesn't trust, it will check Windows Update for the relevant Root Cert and download it if it finds it. I am not sure how certificates get revoked in this scenario (e.g., DigiNotar). I guess it does periodically check with Windows Update for this scenario, but I haven't seen it documented that way.
This should now be corrected as of our data file release on February 28, as follows:
Modified MSRC-001(Q931125): Removed Windows Vista, 2008, Windows 7 as affected products.
It was discovered that there are customers that run Windows Vista and later on disconnected environment and according to the KB article: http://support.microsoft.com/kb/931125
under: Root Update Package Installation on Disconnected Environments
"The root update package will install on Windows Vista and Windows 7 as a workaround in disconnected environments"
We are working on adding back MSRC deployment to these OS but in another BulletinID: MSRC-002.
Since there is no way for us to detect if an OS is in a disconnected environment, as a workaround, there will be a check to see if a specific Cert is already installed, if so patch will not be offered.