Yeah, I noticed that it isn’t an actual patch or update after I sent the email. Maybe this key is updated, but it isn’t inventoried by default so still no help:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache\CTLSigning probably a dcm or posh script deploy like Sherry mentioned. From: [email protected] [mailto:[email protected]] On Behalf Of Gushue, William Sent: Wednesday, September 30, 2015 1:07 PM To: [email protected] Subject: RE: [mssms] Querying for KB3097966 and Untrusted Certificates Not there. I don’t think there is a specific update for Windows 8.1. Supposed to be handled automatically (i.e., no Windows Update download), but I am wondering how to query all systems to see if the automatic is working. Thanks, Matthew. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Kelley, Matthew Sent: Wednesday, September 30, 2015 12:54 PM To: [email protected]<mailto:[email protected]> Subject: RE: [mssms] Querying for KB3097966 and Untrusted Certificates Is it in qfe? gwmi win32_quickfixengineering -Filter "hotfixid like '3097966'" if it is, then maybe this report: [cid:[email protected]] From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Gushue, William Sent: Wednesday, September 30, 2015 12:43 PM To: [email protected]<mailto:[email protected]> Subject: RE: [mssms] Querying for KB3097966 and Untrusted Certificates I guess the next problem is finding those that did not run it. Compare the results with the collection I suppose. Thanks. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Sherry Kissinger Sent: Wednesday, September 30, 2015 12:03 PM To: [email protected]<mailto:[email protected]> Subject: Re: [mssms] Querying for KB3097966 and Untrusted Certificates According to the article you reference: "for Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows 10 systems, you can check the Application log in the Event Viewer for an entry with the following values: * Source: CAPI2 * Level: Information * Event ID: 4112 * Description: Successful auto update of disallowed certificate list with effective date: Thursday, September 24, 2015 (or later). " So it sounds like some EventLog parsing is in your future... Might be able to POSH that, look at application log for eventID 4112/Source CAPI2, and see what you get. On Wednesday, September 30, 2015 10:42 AM, "Gushue, William" <[email protected]<mailto:[email protected]>> wrote: Is there a way to query systems to ensure this update has been applied? https://technet.microsoft.com/library/security/3097966 I see other versions in SCCM (2813430, for example – no 3097966 though), but Windows 8.1 is supposed to be using an automatic updates of revoked certificates. I have checked the folder in the Certificates mmc, but the list is not there, which indicates it has not run. Even so, I would like to query all systems. Thanks. ________________________________ ******************************************************************** This e-mail message is privileged, confidential and subject to copyright. Any unauthorized use or disclosure is prohibited. Le contenu du présent courriel est privilégié, confidentiel et soumis à des droits d'auteur. Il est interdit de l'utiliser ou de le divulguer sans autorisation. ******************************************************************** ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
