Windows System Assessment Scan fails with Exit Code: 4
Article ID: 164743
Updated On:
Products
Issue/Introduction
The Windows System Assessment Scan (WSAS) is failing to complete intermittently on Clients with Exit Code: 4
Also following entry in the STPatchAssessment.log file located by default in C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache which detailed: Signing certificate validation failed in 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache\WindowsPatchData.zip'
Message='Patch assessment failed' (ExitCode=4).
HR=0x800710DD, MSG='Shavlik::ShavlikPatchAssessmentImpl::OnInitialize()- The operation identifier is not valid.'Note: “The operation identifier is not valid” message could be localized
GuardBoundary.h:39 patchScanEngine::CScanner92::CScanner92InterfaceImpl::Initialize invalid operation: class STCore::CInvalidOperationException at Opc.cpp:1466: Signing certificate validation failed in 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache\WindowsPatchData.zip'
Cause
A new version of the Import Patch Data for Windows (PMImport), MetaData Import Task engine was released v7.2.x on 2/23/2017. This updated engine utilizes the latest certificates for hardened environments. The clients in this type of environment lacked current certificates in the system store. These certificates should exist on properly configured and up to date systems from Microsoft, yet some systems deployed from old installation sources would not contain all required certificates.
This issue could also appear on systems:
- That are not connected to the internet (closed environment) and where not all the Microsoft Windows updates are installed by IT administrator.
- That are in a workgroup, not managed by active directory, and therefore could not get the certificate by using group policy.
- GPO (Group Policy) preventing the Certificates from being installed
Environment
Patch Management Solution for Windows 8.x
Windows OS - any client or server version above Windows 7/Server 2008
Resolution
Review one of the following methods of resolution:
To test and verify this is the issue:
Download both certificates linked below to a computer that is failing the assessment scan. Place the certificates in the assessment scan tools folder. The default location is here:
C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache
Run the assessment scan from the Agent user interface and verify it completes successfully. If they do not, it is likely due to missing permissions on the System account to install the certificates.
Download the following two certificates and place them in the WindowsVunlnerabilityScan folder on the Notification Server. The default path is C:\Program Files\Altiris\Patch Management\Packages\WindowsVulnerabilityScan
- DigiCertAssuredIDRootCA: https://www.digicert.com/CACerts/DigiCertAssuredIDRootCA.crt
- Note: save as DigiCertAssuredIDRootCA.cer
- DigiCertSHA2AssuredIDCodeSigningCA: https://www.digicert.com/CACerts/DigiCertSHA2AssuredIDCodeSigningCA.crt
- Note: save as DigiCertSHA2AssuredIDCodeSigningCA.cer
- Note: save as DigiCertSHA2AssuredIDCodeSigningCA.cer
Advisory: Certificates will be downloaded automatically to the endpoints and installed during the vulnerability assessment scan on schedule following the replication of the scan package to the Package / Site Servers for deployment to end-points.
It is possible to accelerate new files delivery on endpoints: Execute NS.Package Refresh Windows schedule task; RDP to SMP Server listed Server Manager > Configuration > Task Scheduler, right-click > Run
Method 2:
- Use a Group Policy to deploy updated Certificates as outlined in https://technet.microsoft.com/en-us/library/cc770315
Summary:
If the two certificates are not installed on the Client, the scan will continue to fail. If there are problems with deployment Method 1 & 2 above, manually installing as follows proves to be effective on the clients
Start > Run > MMC.exe; open Console Root > Certificates (Local Computer) and confirm if the certificates exist in the following locations:
DigiCertAssuredIDRootCA: Trusted Root Certification Authorities\Certificates
DigiCertSHA2AssuredIDCodeSigningCA: Intermediate Certification Authorities\Certificates
If they are not present: Download and install them each manually by double-clicking on the .cer, click Install Certificate > leave Automatically select... enabled > Next > Finish
Check the store outlined above and ensure they are present.
NOTE: After implementing the resolution some Clients are found to complete the scan with Exit Code 0; however, the following Informational Entries are found in the Client Logs:
Unable to load certificate from file DigiCert Assured ID Root CA.cer: The system cannot find the file specified.
Unable to load certificate from file DigiCert SHA2 Assured ID Code Signing CA.cer: The system cannot find the file specified.
These entries are cosmetic as they are detailing the info that the certificate installation is no longer part of the Windows System Assessment Scan. These entries will be lowered in logging from Informational to Verbose in a future release of PMImport to avoid confusion.
Feedback
