Microsoft released several Windows updates yesterday. One of them, update KB3004394, seems to damage the Root Certificate Store on some Windows 7 and Windows Server 2008 R2 machines.
I noticed this problem through comments left on today's German blog article Microsoft Dezember 2014-Patchday-Nachlese. After installing all updates rolled out on the December patch day (December 9, 2014), Windows 7 and Windows Server 2008 R2 show several errors.
- Some users reported that Windows doesn't start anymore (see this German Dr. Windows-Forum entry).
- Microsoft Memory Management-Console (MMC.exe) suddenly asks for Administrator credentials from UAC, even if an Administrator account is used (see this MS Answers discussion).
- AMD Control Center CCC OMEGA refuses to install the new AMD drivers 14.12 (Omega) with error code 52, claiming an unsigned driver (see the discussion in the AMD-Forum and at MS Answers).
- The Windows Diagnostic Tool reports error 0x800706F7 and doesn't work anymore (see this entry).
- Installing Microsoft Security Essentials (MSE) fails with error 8004ff91 (see this MS Answers discussion).
A web search suggests that update KB3004394 (the December 2014 update for the Windows Root Certificate Program in Windows) is the root cause of all this trouble. Update KB3004394 has been rolled out for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 8, Windows RT, Windows Server 2012, Windows 7, and Windows Server 2008 R2.
What does Update KB3004394 do? The Windows Root Certificate Program enables trusted root certificates to be distributed automatically in Windows. Usually, a client computer polls root certificate updates once a week. After you apply this update, the client computer can receive urgent root certificate updates within 24 hours.
It seems that update KB3004394 damaged the Root Certificate Store on some Windows 7 and Windows Server 2008 R2 systems. After installing this update, sfc /scannow reports a corrupted system. The fix for this issue: uninstalling update KB3004394 repairs all damaged system components. And don't forget to block update KB3004394 in Windows Update until Microsoft delivers a fixed patch.
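The uninstall-and-block procedure above as a script, with a check for devices that still report code 52. This is an added example, not part of the original post; it assumes an elevated PowerShell 2.0 prompt on the affected machine, and the hide step may need a second run after the reboot, once Windows Update offers the update again.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Uses only PowerShell 2.0 syntax (the version shipped with Windows 7 / Server 2008 R2).
$kb  = 'KB3004394'
$num = $kb -replace '^KB', ''    # wusa.exe and KBArticleIDs use the bare number

# 1. Uninstall the update if it is present.
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "$kb is installed; uninstalling."
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
            -ArgumentList "/uninstall /kb:$num /quiet /norestart" -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required
    Write-Output "wusa.exe exit code: $($p.ExitCode)"
} else {
    Write-Output "$kb is not installed; nothing to remove."
}

# 2. Hide the update so Windows Update does not reinstall it.
#    It only appears in this search once it is no longer installed,
#    so re-run the script after rebooting if nothing is hidden here.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0')
$hidden   = 0
foreach ($u in $pending.Updates) {
    if (@($u.KBArticleIDs) -contains $num) {
        $u.IsHidden = $true
        $hidden++
        Write-Output "Hidden in Windows Update: $($u.Title)"
    }
}
if ($hidden -eq 0) { Write-Output "$kb is not currently offered; nothing to hide." }

# 3. List devices still failing driver signature validation (Device Manager code 52).
$bad = @(Get-WmiObject -Class Win32_PnPEntity |
         Where-Object { $_.ConfigManagerErrorCode -eq 52 })
if ($bad.Count -gt 0) {
    Write-Output "Devices still reporting code 52:"
    $bad | Select-Object Name, DeviceID | Format-Table -AutoSize
} else {
    Write-Output "No devices report code 52."
}
```

After the reboot, run sfc /scannow again to confirm that the system files are reported as intact.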
Thanks for this info, it also breaks DRM on Windows 7 MCE.
MS knows about the issue and has recalled the update. It's no longer a necessary step to block it.
Microsoft has now released another update, KB3024777, to fix issues caused by malicious update KB3004394. Details may be found here.
Thank you, Guenni! I couldn't figure out why the drivers for our new Digi AnywhereUSB/2 kept failing to load after installation. Removing the bad update made it work again.
I have worked with a customer suffering from this today. (Getting code 52 on new hardware install – certificate not valid). I did an uninstall of the offending KB. Reboot. Uninstall the failed hardware (with delete). Install new hardware. Still failing.
It continued to fail with code 52 after the KB was uninstalled until I did a system restore back to before the updates.
We have installed, we assume, this update on Windows 7 (German). We are not able to start the system anymore. That has already happened a second time in our office. In the first case the BIOS was corrupted. Now we have no clue what is happening. Is there any way to start the system?