Hotfix 2801987 is out for 0x800b0101, but the cert expires in March

Hi All,

As hopefully most of you are aware, we released KB article 2801987 for System Center 2012 Configuration Manager SP1. This update provides a new version of MicrosoftPolicyPlatformSetup.msi (in case you were wondering, a prerequisite for CI-related activities such as DCM, AppMgmt and so on). If you install 2801987 you won't need to install the Windows update provided in Security Advisory 2749655 for Configuration Manager. I highlight this because the Windows update addresses the issue generically for other products and updates, rather than just for Configuration Manager (or specifically for MicrosoftPolicyPlatformSetup.msi).

That said, one thing that crops up is that the cert used to sign MicrosoftPolicyPlatformSetup.msi expires in March 2013. Does this mean that you'll need a new hotfix in March this year to install the client because the cert expires then?

The answer is no: you won't have to install a new hotfix in March 2013 because of the cert expiring then.

Why? The issue described in Security Advisory 2749655 and addressed by hotfix 2801987 is not the signing certificates themselves expiring, but a missing timestamp. From 2749655:

Microsoft is aware of an issue involving specific digital certificates that were generated by Microsoft without proper timestamp attributes. These digital certificates were later used to sign some Microsoft core components and software binaries. This could cause compatibility issues between affected binaries and Microsoft Windows...

The timestamping extension to digital signatures allows a signature (and the cert that made it) to be recorded as valid at the time of signing. That means a timestamped signature stays valid until the certificate is revoked by the Certificate Authority (CA) or marked as untrusted, rather than becoming invalid when the certificate expires. Timestamping thus gives those signatures, and the binaries they sign, an indefinite lifecycle instead of an arbitrary limit. From Security Advisory 2749655:

How are timestamp Enhanced Key Usage (EKU) extensions used?
Per RFC3280, timestamp Enhanced Key Usage (EKU) extensions are used to bind the hash of an object to a time. These signed statements show that a signature existed at a particular point in time. They are used in code integrity situations when the code signing certificate has expired, to verify that the signature was made before the certificate expired. For more information about certificate timestamps, see How Certificates Work and Windows Authenticode Portable Executable Signature Format.
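To make the rule above concrete, here is a small Python model of it (an added example, not code from this post or from Microsoft): a signature is checked against the signer certificate's validity period at the timestamped time if a timestamp is present, otherwise at verification time, and a revoked certificate fails either way. The certificate dates, subject name and signing time are constructed sample values; the real check on a Windows box is `Get-AuthenticodeSignature` or `signtool verify /v`.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

@dataclass
class SignerCert:
    """Subset of an X.509 code-signing certificate relevant to this check."""
    subject: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # as reported by CRL/OCSP at verification time

@dataclass
class CodeSignature:
    signer: SignerCert
    timestamp: Optional[datetime] = None  # time bound to the hash by a timestamp countersignature

def evaluate(sig: CodeSignature, now: datetime):
    """Rule modelled from the advisory text: with a timestamp, the signer cert only
    has to have been valid at that time; without one it must still be valid at
    `now`. Revocation always fails the check. Returns (ok, reason)."""
    cert = sig.signer
    if cert.revoked:
        return False, f"{cert.subject}: certificate revoked"
    check_time = sig.timestamp if sig.timestamp is not None else now
    if not (cert.not_before <= check_time <= cert.not_after):
        basis = "timestamp" if sig.timestamp is not None else "verification time"
        return False, (f"{cert.subject}: not valid at {basis} {check_time:%Y-%m-%d} "
                       f"(cert expires {cert.not_after:%Y-%m-%d})")
    return True, f"{cert.subject}: valid at {check_time:%Y-%m-%d}"

# Constructed sample data: a signer cert expiring in March 2013, and one MSI
# signature with, and one without, a timestamp countersignature.
MSI_SIGNER = SignerCert("CN=Example Code Signing (constructed)",
                        datetime(2012, 3, 15, tzinfo=UTC), datetime(2013, 3, 15, tzinfo=UTC))
SIGNED_AT = datetime(2012, 11, 1, tzinfo=UTC)
UNTIMESTAMPED = CodeSignature(MSI_SIGNER)
TIMESTAMPED = CodeSignature(MSI_SIGNER, timestamp=SIGNED_AT)

def demo():
    """Check both signatures just before and just after the cert expires."""
    results = {}
    for label, sig in (("no timestamp", UNTIMESTAMPED), ("timestamped", TIMESTAMPED)):
        for when in (datetime(2013, 2, 1, tzinfo=UTC), datetime(2013, 4, 1, tzinfo=UTC)):
            ok, why = evaluate(sig, when)
            results[(label, when.date().isoformat())] = ok
            print(f"{label:13} checked {when:%Y-%m-%d}: {('OK' if ok else 'FAIL'):<4} {why}")
    return results
```

Running `demo()` shows the untimestamped signature passing in February 2013 and failing in April 2013, while the timestamped one passes on both dates.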

Hopefully this helps to clarify things for this update!

Saud.