Windows System Assessment Scan fails with Exit Code: 4
Article ID: 164743
Updated On:
Products
Issue/Introduction
The Windows System Assessment Scan (WSAS) is failing to complete on Clients with Exit Code: 4
Symantec Management Agent Log (located in C:\ProgramData\Symantec\Symantec Agent\Logs) contains entries:
OnInitialize()- The operation identifier is not valid.Message='Patch assessment failed' (ExitCode=4).Failed to launch assessment scan for provider: Traditional
Assessment log (STPatchAssessment.log located in C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery {6D417916-467C-46A7-A870-6D86D9345B61}\cache) contains:
Signing certificate validation failed in 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery {6D417916-467C-46A7-A870-6D86D9345B61}\cache\WindowsPatchData.zip'.
Environment
Patch Management Solution for Windows 8.x
Any Windows OS version - most likely it's reproducible with endpoints that don't have access to Internet and cannot update certificates automatically.
Cause
Patch Data builds starting from 7.3.1233 version released on 7-Apr-2023 have content signed with a new certificate that requires an up-to-date certificate chain for validation.
These certificates should exist on properly configured and up-to-date systems from Microsoft, yet some systems deployed from old installation sources would not contain all required certificates.
This issue could also appear on systems:
- That are not connected to the internet (closed environment) and where not all the Microsoft Windows updates are installed by IT administrator.
- That are in a workgroup, not managed by active directory, and therefore could not get the certificate by using group policy.
- GPO (Group Policy) preventing the Certificates from being installed
Resolution
Patch Data as of version 7.3.1233 introduced an updated requirement for certificates. If your endpoints have consistent access to the internet, this will not be an issue for you. However, if your endpoints are mostly disconnected or have intermittent internet access, you will need to follow one of the methods below deploy/install updated certificates.
Review one of the following methods of resolution:
Method 1:
Download the certs linked in Method 3 below. Use a Group Policy to deploy updated Certificates as outlined in https://technet.microsoft.com/en-us/library/cc770315
Method 2:
Download the certs linked in Method 3 below. You can use the Symantec Management Platform's communication profile to distribute these certificates to your endpoints. Simply add the certificates to the communication profile and allow your endpoints to update their configuration information.
NOTE: Leave the file as .cer or .crt. By default the Import window is looking for a .pfx file. Change this drop down to All Files (*.*) so you can see and find the .cer / .crt files). Do not rename the file to .pfx and then import as it will require a password that is not available.
Method 3:
Method 3 currently requires the usage of a custom AeXPatchAssessment.exe tool (version 7.3.3086) to install the first two certificates on the endpoints. This executable needs to be downloaded from this KB article (see attachments section) and placed to C:\Program Files\Altiris\Patch Management\Packages\WindowsVulnerabilityScan on the Symantec Management Platform (SMP) server.
Note: Custom AeXPatchAssessment.exe tool will be overwritten with the original from datafeed on the next Import of Patch Data task execution. If all endpoints have the certificates, there is no need to continue using the attached executable.
Download the following two certificates and place them in the WindowsVunlnerabilityScan folder on the Notification Server. The default path is C:\Program Files\Altiris\Patch Management\Packages\WindowsVulnerabilityScan
- DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt: https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
- Note: save as DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cer
- Note: save as DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cer
- DigiCertTrustedRootG4.crt: https://cacerts.digicert.com/DigiCertTrustedRootG4.crt
- Note: save as DigiCertTrustedRootG4.cer
These two certs may also be needed, and if previously installed for this issue, we recommend leaving these in place
- .DigiCert SHA2 Assured ID Code Signing CA: https://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
- Note: save as DigiCertSHA2AssuredIDCodeSigningCA.cer
- DigiCert Assured ID Root CA: https://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
- Note: save as DigiCertAssuredIDRootCA.cer
Advisory: Certificates will be downloaded automatically to the endpoints and installed during the vulnerability assessment scan on schedule following the replication of the scan package to the Package / Site Servers for deployment to end-points.
It is possible to accelerate new files delivery on endpoints: Execute NS.Package Refresh Windows schedule task; RDP to SMP Server listed Server Manager > Configuration > Task Scheduler, right-click > Run
Summary:
If the new certificates are not installed on the Client, the scan will continue to fail. If there are problems with deployment Method 2 & 3 above, manually installing as follows proves to be effective on the clients
Start > Run > MMC.exe; open Console Root > Certificates (Local Computer) and confirm if the certificates exist in the following locations:
DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt: Intermediate Certification Authorities
DigiCertTrustedRootG4.crt: Trusted Root Certification Authorities
If they are not present: Download and install them each manually by double-clicking on the .cer, click Install Certificate > leave Automatically select... enabled > Next > Finish
Check the store outlined above and ensure they are present.
NOTE: After implementing the resolution some Clients are found to complete the scan with Exit Code 0; however, the following Informational Entries are found in the Client Logs:
Unable to load certificate from file DigiCert Assured ID Root CA.cer: The system cannot find the file specified.
Unable to load certificate from file DigiCert SHA2 Assured ID Code Signing CA.cer: The system cannot find the file specified.
These entries are cosmetic as they are detailing the info that the certificate installation is no longer part of the Windows System Assessment Scan. These entries will be lowered in logging from Informational to Verbose in a future release of PMImport to avoid confusion.
Attachments
Feedback
