...the
MicrosoftRootCertificateAuthority2011.cer file is still available directly from Microsoft
see
MS support article 3149737 as that certificate file is available for download there....
Hi erpster4:
Thanks for the link to the MS support article
KB3149737 and your info about the MicrosoftRootCertificateAuthority2011.cer file.
I'm still not sure, however, exactly what has changed on Microsoft's end since
April 2020 that now triggers these 800B0109 errors ("
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider") when Windows Update tries to install update
KB4014984 (
Security and Quality Rollup for NET. Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Vista SP2 and Server 2008 SP2: April 11, 2017). That support article notes that "
this issue occurs when you operate in an environment that's disconnected from the Internet or that has a firewall that blocks content from the following URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en". It also states that "
this behavior occurs because of recent changes to Microsoft Windows Enforcement of Authenticode Code Signing and Timestamping", which describes the risk of downloading software signed exclusively with a SHA-1 certificate.
Problems with strict enforcement of SHA-2 signing for newly released Microsoft updates first appeared on my Vista SP2 machine back in
October 2019 (see my post # 17 in VIstauser324's thread
Windows Defender Definition Updates) so SHA-1 vs SHA-2 signing probably isn't the whole story. Perhaps it's because .NET Framework v4.x is an optional update and the
Microsoft Update Catalog now shows that
KB4014984 has been replaced by the Windows Server 2008 update KB4041086 (released Sept 2017) in the supercedence chain.
I also suspect Microsoft has gone back and either re-issued some Vista SP2 updates released on or before 11-Apr-2017 or altered the metadata. For example, Bob's My Uncle recently pointed out to me <
here> that the
32-bit Vista version of KB4015195 (
Security update for the Win32k information disclosure and escalation of privilege vulnerabilities in Windows Vista and Windows Server 2008: April 11, 2017), which
used to have a Last Updated date of 08-Apr-2017 as shown in this old image I captured in April 2017 ....
...
has now disappeared from the Microsoft Update Catalog, and the Last Updated date of the remaining 64-bit version has changed to
30-May-2017.
---------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Premium v3.5.1-1.0.365 * MS Office Professional 2003 SP3
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, 256 GB Western Digital SATA HDD, NVIDIA GeForce 8400M GS