search cancel

Windows System Assessment Scan fails with Exit Code: 4

book

Article ID: 164743

calendar_today

Updated On:

Products

Patch Management Solution

Issue/Introduction

The Windows System Assessment Scan (WSAS) is failing to complete intermittently on Clients with Exit Code: 4

Also following entry in the STPatchAssessment.log file located by default in C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache which detailed: Signing certificate validation failed in 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache\WindowsPatchData.zip'

 

Message='Patch assessment failed' (ExitCode=4).
HR=0x800710DD, MSG='Shavlik::ShavlikPatchAssessmentImpl::OnInitialize()- The operation identifier is not valid.'Note: “The operation identifier is not valid” message could be localized

GuardBoundary.h:39 patchScanEngine::CScanner92::CScanner92InterfaceImpl::Initialize invalid operation: class STCore::CInvalidOperationException at Opc.cpp:1466: Signing certificate validation failed in 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache\WindowsPatchData.zip'

Cause

A new version of the Import Patch Data for Windows (PMImport), MetaData Import Task engine was released v7.2.x on 2/23/2017. This updated engine utilizes the latest certificates for hardened environments. The clients in this type of environment lacked current certificates in the system store. These certificates should exist on properly configured and up to date systems from Microsoft, yet some systems deployed from old installation sources would not contain all required certificates.

This issue could also appear on systems: 

  • That are not connected to the internet (closed environment) and where not all the Microsoft Windows updates are installed by IT administrator. 
  • That are in a workgroup, not managed by active directory, and therefore could not get the certificate by using group policy.
  • GPO (Group Policy) preventing the Certificates from being installed 

Environment

Patch Management Solution for Windows 8.x

Windows OS - any client or server version above Windows 7/Server 2008

Resolution

Review one of the following methods of resolution:

To test and verify this is the issue:

Download both certificates linked below to a computer that is failing the assessment scan. Place the certificates in the assessment scan tools folder. The default location is here:

C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache

Run the assessment scan from the Agent user interface and verify it completes successfully. If they do not, it is likely due to missing permissions on the System account to install the certificates. 

Method 1:

Download the following two certificates and place them in the WindowsVunlnerabilityScan folder on the Notification Server. The default path is C:\Program Files\Altiris\Patch Management\Packages\WindowsVulnerabilityScan

Advisory: Certificates will be downloaded automatically to the endpoints and installed during the vulnerability assessment scan on schedule following the replication of the scan package to the Package / Site Servers for deployment to end-points.

It is possible to accelerate new files delivery on endpoints: Execute NS.Package Refresh Windows schedule task; RDP to SMP Server listed  Server Manager > Configuration > Task Scheduler, right-click > Run

Method 2:

  1. Use a Group Policy to deploy updated Certificates as outlined in https://technet.microsoft.com/en-us/library/cc770315

Summary:
If the two certificates are not installed on the Client, the scan will continue to fail. If there are problems with deployment Method 1 & 2 above, manually installing as follows proves to be effective on the clients

Start > Run > MMC.exe; open Console Root > Certificates (Local Computer) and confirm if the certificates exist in the following locations:

DigiCertAssuredIDRootCA: Trusted Root Certification Authorities\Certificates

DigiCertSHA2AssuredIDCodeSigningCA: Intermediate Certification Authorities\Certificates

If they are not present: Download and install them each manually by double-clicking on the .cer, click Install Certificate > leave Automatically select... enabled > Next > Finish

Check the store outlined above and ensure they are present.

NOTE: After implementing the resolution some Clients are found to complete the scan with Exit Code 0; however, the following Informational Entries are found in the Client Logs:

Unable to load certificate from file DigiCert Assured ID Root CA.cer: The system cannot find the file specified.

Unable to load certificate from file DigiCert SHA2 Assured ID Code Signing CA.cer: The system cannot find the file specified.

These entries are cosmetic as they are detailing the info that the certificate installation is no longer part of the Windows System Assessment Scan. These entries will be lowered in logging from Informational to Verbose in a future release of PMImport to avoid confusion.