Monday, January 4, 2016

Solution for the KB2813430 / KB2982792 issue (how to configure 2008 R2 servers to download the CTLs from an internal SCCM server)

Issue: our security scanner (Qualys) reported 'Microsoft Improperly Issued Digital Certificates Spoofing Vulnerability (KB2982792)' on all of our Windows 2008 R2 servers.

Constraint: those servers are corporate internal servers, so they are not directly connected to the internet. If they were, the Windows updates would be downloaded and applied automatically.


Solution: we use SCCM for our patching and followed the steps below.


1) Apply the hotfix https://support.microsoft.com/en-us/kb/2813430 on the clients. (Already done in our case.)
2) On your SCCM server, or another server that can connect to Windows Update, create a shared folder.
3) Run the command line that synchronizes a destination directory with the Windows Update site.
Note: DestinationDir is the folder that the files are copied to. When you run the command, the following files are downloaded from Windows Update:
- Authrootstl.cab: contains the CTL of third-party root certificates.
- Disallowedcertstl.cab: contains the CTL of disallowed certificates.
- Disallowedcert.sst: contains the disallowed certificates.
- Thumbprint.crt: the third-party root certificates (one file per certificate).

4) Configure Group Policy to set the registry value on all clients:
a. Log on to a DC and open GPMC.msc.
b. Create a GPO and link it to the domain.
c. Edit this GPO and expand the following items.
d. Configure the registry as follows:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\RootDirUrl
This registry value holds the share path from which the clients retrieve the CTLs.

5) The clients will update the registry value when they refresh Group Policy.
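To check that the steps above actually took effect, here is an added PowerShell script (not from the original post) that populates the share on the server and, on a client, verifies the hotfix, the GPO-pushed RootDirUrl value and the share contents. The server name SCCM01, share name CTL$, local path D:\CTL, and the step 3 command (certutil -syncWithWU, as documented in KB2813430) are assumptions.

```powershell
# Added example, not part of the original post. Server and share names are assumptions.
$regPath  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$expected = @('authrootstl.cab', 'disallowedcertstl.cab', 'disallowedcert.sst')

# Server side (step 3 of the post): populate the shared folder. The post omits the
# command; KB2813430 documents it as "certutil -syncWithWU <DestinationDir>".
function Sync-CtlShare {
    param([string]$DestinationDir = 'D:\CTL')   # assumed local path of the shared folder
    & certutil.exe -syncWithWU $DestinationDir
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil exited with code $LASTEXITCODE" }
}

# Client side (steps 1, 4 and 5): check hotfix, registry value and share contents.
function Test-CtlShareConfig {
    param([string]$ExpectedUrl = '\\SCCM01\CTL$')  # assumed UNC path set in the GPO
    $r = @{ HotfixInstalled = $false; RootDirUrl = $null; ShareReachable = $false; MissingFiles = @() }

    # Without KB2813430 the client does not honour RootDirUrl at all.
    $r.HotfixInstalled = [bool](Get-HotFix -Id 'KB2813430' -ErrorAction SilentlyContinue)

    # Value written by the GPO; absent until the client has refreshed policy (gpupdate /force).
    $r.RootDirUrl = (Get-ItemProperty -Path $regPath -Name 'RootDirUrl' -ErrorAction SilentlyContinue).RootDirUrl
    if (-not $r.RootDirUrl) { return New-Object PSObject -Property $r }
    if ($r.RootDirUrl -ne $ExpectedUrl) {
        Write-Warning "RootDirUrl is '$($r.RootDirUrl)', expected '$ExpectedUrl'"
    }

    # The CTL download runs in machine context, so the share must be readable by computer accounts.
    $r.ShareReachable = Test-Path -LiteralPath $r.RootDirUrl
    if (-not $r.ShareReachable) { return New-Object PSObject -Property $r }

    # Files produced by certutil -syncWithWU; the roots arrive as one <thumbprint>.crt each.
    $present = Get-ChildItem -LiteralPath $r.RootDirUrl | Where-Object { -not $_.PSIsContainer } |
               ForEach-Object { $_.Name.ToLower() }
    $r.MissingFiles = @($expected | Where-Object { $present -notcontains $_ })
    if (-not @($present | Where-Object { $_ -like '*.crt' }).Count) { $r.MissingFiles += '<thumbprint>.crt' }

    New-Object PSObject -Property $r
}

Test-CtlShareConfig | Format-List
```

Run Sync-CtlShare on the server (it needs outbound access to Windows Update) and Test-CtlShareConfig on a patched 2008 R2 client after gpupdate; an empty MissingFiles list with ShareReachable set to True means the client can pick up the CTLs without internet access.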