WindowsUpdate - Root Certificates

Jake Rounkles
Level 1

We currently receive thousands of events in each workstation's event viewer because we are blocking file downloads for our end users. We would like to add a Policy to allow the following files to be downloaded from Microsoft to ensure the Root Certificate downloads are being allowed:

www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt

ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Without allowing everything to windowsupdate.com, how would we allow the specific files to be downloaded? If I add the domain to our Whitelist then the Regular Expressions field gets bypassed (unless I am misinterpreting something).

Accepted Solutions

Vance Kwan
Cisco Employee

Hi Jake,

You may add those URLs into the Regular Expressions field without having to add the domain into the whitelist. Just remember the WSA generally looks from the top-to-bottom. If you add windowsupdate.com to the whitelist AND have a Regular Expression, the whitelist will take effect since it is above the Regular Expression.

-Vance
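
Escaped patterns for the three URLs in the question, as an added example (not part of the original thread and not Cisco's code). The Python below only models regex matching with `re.search`; how the WSA's own regex engine scopes and anchors a match is an assumption here, so confirm the generated patterns on the appliance.

```python
import re

# The three URLs from the question (scheme omitted, as posted).
URLS = [
    "www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt",
    "ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab",
    "ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
]

# Constructed sample requests for checking the patterns (not real traffic).
SAMPLES = [
    # One of the three wanted files.
    "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
    # Same host and directory, different file: must stay blocked.
    "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/other.cab",
    # Different domain where a literal dot is replaced by another character.
    "http://ctldlxwindowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
]


def escape_literal(url):
    """Backslash-escape regex metacharacters so the URL matches only itself."""
    return re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", url)


def matches(patterns, url):
    """Model of the filter (assumption): allowed if any pattern is found in the URL."""
    return any(re.search(p, url) for p in patterns)


def compare(urls=URLS, samples=SAMPLES):
    """Return (sample, matched_by_raw_url, matched_by_escaped_url) per sample."""
    escaped = [escape_literal(u) for u in urls]
    return [(s, matches(urls, s), matches(escaped, s)) for s in samples]


if __name__ == "__main__":
    print("Patterns with metacharacters escaped:")
    for u in URLS:
        print("  " + escape_literal(u))
    print("Match results (raw URL used as a regex vs escaped):")
    for s, raw, esc in compare():
        print(f"  raw={raw!s:5} escaped={esc!s:5} {s}")
```

Pasting the URLs unescaped treats every `.` as "any character", which is why the third sample matches the raw form but not the escaped one.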
