Share via

Event ID 11 — Automatic Root Certificates Update Configuration

Applies To: Windows Server 2008

The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site. Specifically, there is a list of trusted root certification authorities (CAs) stored on the local computer. When an application is presented with a certificate issued by a CA, it will check the local copy of the trusted root CA list. If the certificate is not in the list, the Automatic Root Certificates Update component will contact the Microsoft Windows Update Web site to see if an update is available. If the CA has been added to the Microsoft list of trusted CAs, its certificate will automatically be added to the trusted certificate store on the computer.

Event Details

Product: Windows Operating System
ID: 11
Source: Microsoft-Windows-CAPI2
Version: 6.0
Message: Failed extract of third-party root list from auto update cab at: <%1> with error: %2.


Check permissions on the temporary directory

The Automatic Root Certificates Update component downloads a cabinet (.cab) file to the temporary directory on the local computer, extracts the contents of the file, and then updates the root certificate list. The correct permissions must be applied to the temporary directory in order for the cabinet file to install correctly.

To check the permissions on the temporary directory:

  1. Navigate to the temporary directory on the local computer. By default, the temporary directory is located at %userprofile%\AppData\Local\Temp.
  2. Right-click the temporary directory, and then click Properties.
  3. Click the Security tab.
  4. Ensure that the user account logged on to the computer has Full Control permissions.


You can verify that the Automatic Root Certificates Update component is working properly by using a Web browser to open a Web site that requires the Automatic Root Certificates Update component. When you open this Web site, a new root certificate is downloaded from the Microsoft Windows Update Web site. If the certificate is downloaded successfully, Event ID 1 in the Microsoft-Windows-CAPI2 event source will be written to the event log.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that Event ID 1 is being written to the event log:

  1. Click Start, and then click Control Panel.
  2. Double-click Administrative Tools, and then click Event Viewer.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Expand Windows Logs, and then click Application.
  5. Look for an event with a Source named CAPI2 and an Event ID of 1.

Automatic Root Certificates Update Configuration

Core Security