Windows 7 certification issues

UPDD kernel components utilise EV (Extended Validation) certificates and are digitally signed.

On Windows 7 you may have issues if there is any problem with these certificates, such as a warning that the software is from an untrusted publisher or in some cases see errors in the Device Manager, such as the examples below:

Untrusted Publisher 

Consider the following scenario:

  • You have a computer that is running Windows 7 or Windows Server 2008 R2.
  • You install a driver that is signed by an SHA256, SHA384, or SHA512 certificate, and the "Untrusted publisher" dialog box appears.
  • You click to select the Always trust check box and then click OK.
  • You uninstall the driver.
  • You install the same driver again.

In this scenario, the "Untrusted publisher" dialog box appears even though you already set the Always trust option to always trust the publisher.

This may be fine for the odd UPDD Driver install but may be considered an issue if you have many installations or if you are trying to perform a silent install.

Device Manager error

This example shows an issue with the kernel digital signature:

We have investigated the various certification and signing issue and it is difficult to get a definitive understanding of all the elements involved.

 However, as best as we can determine, these these can be resolved by either:

  • Ensuring all available patches are applied to the Win 7 system
  • Or, as a minimum, selectively patch as follows:

The first two items are needed to support sha256 certificates.

  1. Install MS KB 2921916 from here.
  2. Install MS KB 2813430 from here.
  3. In addition to the above another customer reported they also installed MS KB 3033929 from here.

Microsoft have now removed their hotfix service and at the time of writing 2921916 is no longer available from the link above but it is available from here.
Thereafter, either install UPDD installer for version 6.0.536 or greater

or, if using an older installer:

Download and install the Verisign Root CA certificate (in cases where the certificate is not in the system's certificate store)

Download and install the Certum Trusted Network CA (in cases where the certificate is not in the system's certificate store)

Certificate installation

In some Window 7 systems we have seen that the certificate store includes the VeriSign certificate utilised by the UPDD software and in others it is not installed, even when fully patched. We do not understand why this should be the case as the Microsoft certificate store should include all valid and acceptable certificates.

Fortunately there is a manual add certification process that can be used to install individual certificates.

Having downloaded the certificate (in the following examples to the Desktop) you can install either using via the command line or GUI interface.

Command Line procedure

To install the certificate use the command

certutil -addstore Root “VeriSign Universal Root Certification Authority.cer”
certutil -addstore Root “CertumCA.cer” 

as in the VeriSign example below. Admin rights are needed for this command.

User Interface procedure

Double click on the certificate as in this VeriSign example:

Click Open

Click Install

Click Next

Browse to 'Trusted Root Certification Authorities'; Click Next


Click Finish

System update status 

The Windows 7 system update status can be viewed in the Windows Update dialog: