When you use Windows Server Update Services to deploy updates, you find that Windows Server Update Services keeps reinstalling the root certificates update that is described in Knowledge Base article 931125 on the clients that are running Windows XP.
This issue occurs because the update for root certificates is routinely updated. Additionally, there are four updates for root certificates that are released. Therefore, you notice that an update that has the same name is installed many times.
To resolve this issue, set Windows Server Update Services to decline all root updates except the latest one on the Windows Server Update Services server. To do this, follow these steps:
- Open the Windows Server Update Services Administration console. In the Updates list, locate the following updates:
Note You may have to change the filters in the Update node to see the update. To do this, set the Status filter to Any, and set the Approval filter to Declined. If you still do not see the update, set the Approval filter to Any Except Declined.
- "Update for root certificates" (Release date : 2/20/2009)
- "Update for root certificates" (Release date : 9/22/2009)
- "Update for root certificates" (Release date : 2/24/2009)
- "Update for root certificates" (Release date : 5/26/2006)
- Confirm that all the updates are declined except "Update for root certificates" (Release date : 9/22/2009). If the update is not declined, right-click the update, and then click Decline.
- Approve the update "Update for root certificates" (Release date : 9/22/2009). To do this, right-click the update, click Approve, and then click OK.
Note Do not make any changes to the approval settings in the Approve Updates dialog box.
- Computers should now successfully complete detection against the Windows Server Update Services server and should now receive any applicable updates. To verify that a computer can synchronize the updates, follow these steps:
- Open a command prompt.
- Type the following command:
- Press ENTER.
- Examine the WindowsUpdate.log file to verify that the synchronization is successful. You may have to run the command that is mentioned in step 4b two times. Because in some cases, the first synchronization fails but successive synchronizations succeed.
- If you have a hierarchy of Windows Server Update Services servers, repeat this procedure on each server. You must start this procedure from the top-level server.
Note If any of the servers is a replica child server, change it to be autonomous by using the Update Source and Proxy Server dialog box that can be open in Options. Follow these steps, and then change the autonomous server back to a replica child server.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about the update for root certificates , click the following article number to view the article in the Microsoft Knowledge Base:
Windows root certificate program members