Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The authenticity and integrity of vendor-signed updates are verified during installation, so the correct certificates must be present on endpoints.
Software Updates may fail to install during the scheduled Software Update Cycle with errors.
Checked the Windows Compliance by Computer report on the Console > Reports > All Reports > Software > Patch Management > Compliance; confirmed these updates are still Applicable & Vulnerable.
Checked the Software Update Policy for deployment; confirmed the policy is enabled and the advertisements are enabled.
Software Updates fail to install with status (5) and exit code -2146762486 (A certificate chain could not be built) as seen in the following log excerpt:
AexPatchDeployment tool fails to install update with exit code 192 (The vendor patch file is either not signed, or the file signature fails the validation requested by the content provider) as seen in the following log excerpt:
Patch Management 8.x
Certificates required to validate Software Updates are not installed on endpoints
View the required certificates in the article, Certificate Listing required for Patch Management Solution
Ensure the certificate store on the targeted client is current for the vendor / software being updated. You can validate this by opening the certificate used to sign the Software Update binaries located in the package folder (default: C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\GUID\cache\ ). Open the "Digital Signatures" tab in the file properties UI and check that all certificates validate successfully:
"Certificate status:" provides details about any issues with the certificate on the endpoint. Make sure it is OK.
To install certificates from the Microsoft Root Certificate Program, work through the process outlined at http://support.microsoft.com/kb/931125. This should cover most of the certificates used to sign Software Updates.
You can install individual certificates manually.
Export the certificate used to sign the Software Update file:
- open the "Digital Signatures" tab of the file properties
- open the certificate
- open the "Details" tab of the certificate
- use the "Copy to File…" button
Then use the certutil command-line tool (https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx) to install the exported certificate on each endpoint.
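The manual "Digital Signatures" check above can be scripted for a whole endpoint. The following PowerShell is an added example, not part of this article or the Patch Management product; it assumes the default Software Delivery cache path quoted above and reports every cached update whose Authenticode signature or certificate chain does not validate against the local store, which is the condition behind the chain-building error in the symptoms.

```powershell
# Added example (not from the KB): audit Authenticode signatures of cached Software
# Update binaries on an endpoint and show why the certificate chain cannot be built.
# Assumption: default cache path from the article; override with -CachePath if moved.
param(
    [string]$CachePath = 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery'
)

function Test-UpdateSignature {
    param([Parameter(Mandatory)][string]$Path)

    # Status is Valid, NotSigned, HashMismatch, NotTrusted or UnknownError; StatusMessage
    # carries the same text the "Digital Signatures" tab shows under "Certificate status".
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File        = $Path
        Status      = $sig.Status
        Message     = $sig.StatusMessage
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        ChainErrors = @()
    }

    if ($sig.SignerCertificate) {
        # Build the chain against this machine's certificate stores, as the installer does.
        # Revocation is skipped so that an offline endpoint reports missing trust, not CRL noise.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($sig.SignerCertificate)) {
            # PartialChain / UntrustedRoot here is what surfaces as exit code -2146762486
            # (0x800B010A, CERT_E_CHAINING: "A certificate chain could not be built").
            $result.ChainErrors = @($chain.ChainStatus | ForEach-Object {
                '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
            })
        }
        $chain.Reset()
    }
    [pscustomobject]$result
}

# Report only the binaries that would fail validation during installation.
Get-ChildItem -Path $CachePath -Recurse -Include *.exe, *.msi, *.msp, *.cab -ErrorAction SilentlyContinue |
    ForEach-Object { Test-UpdateSignature -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' -or $_.ChainErrors.Count -gt 0 } |
    Format-List File, Status, Message, Signer, ChainErrors

# Once the missing root or intermediate has been exported as described above, import it with:
#   certutil -addstore Root <exported>.cer        (or -addstore CA for an intermediate)
# and rerun this script; the file should then disappear from the report.
```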
Alternatively, to install it manually on an endpoint, the following steps may be used:
Open the Certificates MMC
To import Trusted Root Certificate
* When you download Windows updates and patches, a digital signature is bound to each update. If the Microsoft certificates are not installed correctly on the Notification Server, the updates will not have this digital signature bound to them.