If your Exchange 2007 servers are not connected to internet (which for most cases should be true), installation of Rollup Update can hang and/or Exchange 2007 managed code services do not start. This happens due to Certificate Revocation check for certificate used to sign the code. It is documented here and here.
For Rollup Installation, You can address this one of two ways:
Turn off certificate revocation check in Internet Explorer
In Internet Explorer –> Tools –> Internet Options –> Advanced tab
In the Security section, uncheck or clear the box for two options mentioned below:Check for publisher’s certificate revocation
Check for server certificate revocation
Turn off certificate revocation check in registry
In registry editor browse to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Change Value “State” to 146944 Decimal or 0x00023e00 Hexadecimal
Either way, you should not leave these settings intact after installation of Rollup update. Do not forget to revert the changes. I don’t think you will ask me for steps to revert it if you used IE method. If you changed registry, I have listed details below.
Turn on certificate revocation check in registry
In registry editor browse to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Change Value “State” to 146432 Decimal or 0x00023c00 Hexadecimal
If you are facing second issue which is Exchange 2007 managed code services do not start after installation of Rollup Update is installed, you will want to create or change the configuration files as discussed in articles mentioned above. If you are not running .Net Framework 2.0 SP1 or above, you need to apply software updates mentioned in KB944752.
The process of creating or changing configuration files may seem daunting task. Especially if you need to do it on many servers. Guillaume Bordier has created PowerShell script to automate this task. You can read more about it here.
This only disables the Server Certificate Revocation is there a similar method to disable the Check for publisher’s certificate revocation?