Windows System Assessment Scan fails with Exit Code: 4

Article Id: 164743
Status: Published
Updated On: 12-08-2020 12:25
Legacy Id: TECH239756
Products:
Patch Management Solution for Windows
Issue/Introduction:

The Windows System Assessment Scan (WSAS) is failing to complete intermittently on Clients with Exit Code: 4

Also following entry in the STPatchAssessment.log file located by default in C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache which detailed: Signing certificate validation failed in 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache\WindowsPatchData.zip'

 

Message='Patch assessment failed' (ExitCode=4).
HR=0x800710DD, MSG='Shavlik::ShavlikPatchAssessmentImpl::OnInitialize()- The operation identifier is not valid.'Note: “The operation identifier is not valid” message could be localized

GuardBoundary.h:39 patchScanEngine::CScanner92::CScanner92InterfaceImpl::Initialize invalid operation: class STCore::CInvalidOperationException at Opc.cpp:1466: Signing certificate validation failed in 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache\WindowsPatchData.zip'

Cause:

A new version of the Import Patch Data for Windows (PMImport), MetaData Import Task engine was released v7.2.x on 2/23/2017. This updated engine utilizes the latest certificates for hardened environments. The clients in this type of environment lacked current certificates in the system store. These certificates should exist on properly configured and up to date systems from Microsoft, yet some systems deployed from old installation sources would not contain all required certificates.

This issue could also appear on systems: 

  • That is not connected to the internet (closed environment) and where not all the Microsoft Windows updates are installed by IT administrator. 
  • That is in a workgroup, that are not managed by active directory, therefore it could not get the certificate by using group policy.

NOTE: Additional causes which result in Exit Code 4 following the resolution methods listed in the Solution section below:

  • GPO (Group Policy) preventing the Certificates from being installed 
  • Confirmed that Windows Server 2003 is unable to support SHA2 as outlined by Microsoft; may install the HotFix provided on KB968730, or request the fix via the "View and request HotFix downloads" link on the Microsoft Support Page.

Environment:

Patch Management Solution for Windows 7.5.x, 7.6.x and 8.x

Windows OS - any client or server version above Windows 7/Server 2008

Resolution:

Review one of the following methods of resolution:

Method 1:
    1. Ensure Import Patch Data for Windows (PMImport) is downloaded with version 7.2.5 or later.
    2. Try running MetaData Import Task again, and verify that it completes successfully. If It isn't successful, review the Notification Server logs and troubleshoot.
    3. Await schedule for the Windows System Assessment Scan to execute, install the certs, and return current scan data
  1.  
  • DigiCertAssuredIDRootCA: https://www.digicert.com/CACerts/DigiCertAssuredIDRootCA.crt
    • Note: save as  DigiCertAssuredIDRootCA.cer
  • DigiCertSHA2AssuredIDCodeSigningCA: https://www.digicert.com/CACerts/DigiCertSHA2AssuredIDCodeSigningCA.crt 
    • Note: save as DigiCertSHA2AssuredIDCodeSigningCA.cer
  • Advisory: Certificates will be downloaded automatically to the endpoints and installed during the vulnerability assessment scan on schedule following the replication of the scan package to the Package / Site Servers for deployment to end-points.
  • It is possible to accelerate new files delivery on endpoints: Execute NS.Package Refresh Windows schedule task; RDP to SMP Server listed  Server Manager > Configuration > Task Scheduler, right-click > Run

Method 2:

  1. Use a Group Policy to deploy updated Certificates as outlined in https://technet.microsoft.com/en-us/library/cc770315

Summary:
If the two certificates aren't installed on the Client, the scan will continue to fail. If there are problems with deployment Method 1 & 2 above, manually installing as follows proves to be effective on the clients via:

Start > Run > MMC.exe; open Console Root > Certificates (Local Computer) and confirm if the certificates exist in the following locations:

DigiCertAssuredIDRootCA: Trusted Root Certification Authorities\Certificates

DigiCertSHA2AssuredIDCodeSigningCA: Intermediate Certification Authorities\Certificates

If they are not present: Download and install them each manually by double-clicking on the .cer, click Install Certificate > leave Automatically select... enabled > Next > Finish

Check the store outlined above and ensure they are present.

NOTE: After implementing the resolution some Clients are found to complete the scan with Exit Code 0; however, the following Informational Entries are found in the Client Logs:

Unable to load certificate from file DigiCert Assured ID Root CA.cer: The system cannot find the file specified.

Unable to load certificate from file DigiCert SHA2 Assured ID Code Signing CA.cer: The system cannot find the file specified.

These entries are cosmetic as they are detailing the info that the certificate installation is no longer part of the Windows System Assessment Scan. These entries will be lowered in logging from Informational to Verbose in a future release of PMImport to avoid confusion.