Windows System Assessment Scan fails with Exit Code: 4
search cancel

Windows System Assessment Scan fails with Exit Code: 4

book

Article ID: 164743

calendar_today

Updated On:

Products

Patch Management Solution IT Management Suite Client Management Suite

Issue/Introduction

The Windows System Assessment Scan (WSAS) is failing to complete on Clients with Exit Code: 4

Symantec Management Agent Log (located in C:\ProgramData\Symantec\Symantec Agent\Logs) contains entries:

  • OnInitialize()- The operation identifier is not valid.
  • Message='Patch assessment failed' (ExitCode=4).
  • Failed to launch assessment scan for provider: Traditional

Assessment log (STPatchAssessment.log located in C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery {6D417916-467C-46A7-A870-6D86D9345B61}\cache) contains:

  • Signing certificate validation failed in 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery {6D417916-467C-46A7-A870-6D86D9345B61}\cache\WindowsPatchData.zip'.

Environment

Patch Management Solution for Windows 8.x

Any Windows OS version - most likely it's reproducible with endpoints that don't have access to Internet and cannot update certificates automatically.

Cause

Patch Data builds starting from 7.3.1233 version released on 7-Apr-2023 have content signed with a new certificate that requires an up-to-date certificate chain for validation.

These certificates should exist on properly configured and up-to-date systems from Microsoft, yet some systems deployed from old installation sources would not contain all required certificates.

This issue could also appear on systems: 

  • That are not connected to the internet (closed environment) and where not all the Microsoft Windows updates are installed by IT administrator. 
  • That are in a workgroup, not managed by active directory, and therefore could not get the certificate by using group policy.
  • GPO (Group Policy) preventing the Certificates from being installed 

Resolution

Patch Data as of version 7.3.1233 introduced an updated requirement for certificates.  If your endpoints have consistent access to the internet, this will not be an issue for you.  However, if your endpoints are mostly disconnected or have intermittent internet access, you will need to follow one of the methods below deploy/install updated certificates.

Review one of the following methods of resolution:

Method 1:

Download the certs linked below. Use a Group Policy to deploy updated Certificates as outlined in https://technet.microsoft.com/en-us/library/cc770315

 

These two certs may also be needed, and if previously installed for this issue, we recommend leaving these in place

Method 2:

Download the certs linked above. You can use the Symantec Management Platform's communication profile to distribute these certificates to your endpoints.  Simply add the certificates to the communication profile and allow your endpoints to update their configuration information. 

NOTE: Leave the file as .cer or .crt.  By default the Import window is looking for a .pfx file.  Change this drop down to All Files (*.*) so you can see and find the .cer / .crt files).  Do not rename the file to .pfx and then import as it will require a password that is not available.

 

Summary:
If the new certificates are not installed on the Client, the scan will continue to fail. If there are problems with deployment Method 2 above, manually installing as follows proves to be effective on the clients

Start > Run > MMC.exe; open Console Root > Certificates (Local Computer) and confirm if the certificates exist in the following locations:

DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt:  Intermediate Certification Authorities

DigiCertTrustedRootG4.crt:  Trusted Root Certification Authorities

If they are not present: Download and install them each manually by double-clicking on the .cer, click Install Certificate > leave Automatically select... enabled > Next > Finish

Check the store outlined above and ensure they are present.

Powered by Wolken Software