question

N1c093-8085 avatar image
1 Vote"
N1c093-8085 asked GregRodden-9518 commented

Fresh installed Windows 7 and wsusscn2.cab doesn't work anymore

Hello,

currently we have the following problem that a fresh installed windows 7 SP 1 OS doesn't trust the signature of the newest "wsusscn2.cab" anymore. An already full patched Windows 7 client doesn't have any problem with it.

We get the following error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

I noticed, that Microsoft shutdown the SHA1 signature of the cab-file this month, so this seems to be the problem.

I already tried to install KB4474419 and KB4490628 according to this website: https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus

I think there are some more updates missing that this will work again.

I test the cab-file with this vb-script. https://docs.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline

Does anybody know a solution for this problem?

Thank you in advance :)


windows-7
· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,

Just checking in to see if the information provided was helpful.

If the reply helped you, please remember to accept as answer.
If no, please reply and tell us the current situation in order to provide further help.

0 Votes 0 ·

Hi,

We have not get information from you for several days.
Any update for your issue?

If the reply is useful for you, please accept as answer.
If you have any other confuse, please reply to us directly.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 Votes 0 ·

I just came across the same certificate chain complaint while trying to install Dotnet 4.8 on a fresh Windows 7 SP1 64 bit install (don't ask why i'm bothering to do this)

Windows 7 is so old now that the built-in, default certificates are out of date. Leaving you in a pickle where you cannot install normal things like Dotnet 4.8 fresh out of the box.

Using this update however, you can update the out of the box trusted root CAs (and distrust others no longer valid):
https://support.microsoft.com/en-us/topic/an-automatic-updater-of-untrusted-certificates-is-available-for-windows-vista-windows-server-2008-windows-7-and-windows-server-2008-r2-117bc163-d9e0-63ad-5a79-e61f38be8b77

Rebooted, then ran the SHA1 updates KB4474419 and KB4490628, rebooted again and was finally able to install Dotnet 4.8

0 Votes 0 ·

1 Answer

JennyFeng-MSFT avatar image
0 Votes"
JennyFeng-MSFT answered LauraDeFarnese-3712 commented

Hi,

Have you followed the following steps?

Install the image on the disk and boot into Windows.
At the command prompt, run bcdboot.exe. This copies the boot files from the Windows directory and sets up the boot environment.
Before installing any additional updates, install the September 23, 2019 re-release of KB4474419 and KB4490628 for Windows 7 SP1 and Windows Server 2008 R2 SP1.
Restart the operating system. This restart is required
Install any remaining updates.

You must restart your device after installing all the required updates, before installing any Monthly Rollup, Security-only update, Preview of Monthly Rollup, or standalone update.

Also, I strongly recommends that you move to Windows 10 to avoid a situation where you need service or support that is no longer available.

Hope above information can help you.
---Please Accept as answer if the reply is helpful---

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi Jenny,

I am also having this issue and I have tried the steps recommended but the CAB file still shows the same error. Are there additional KBs that have to be installed or something? Or can a CAB file thats dual-signed be provided?

0 Votes 0 ·