Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The authenticity and integrity of vendor-signed updates must be verified during the installation process, so the correct certificates must be present on endpoints.
Software Updates may fail to install on the scheduled Software Update Cycle with errors.
Checked the Windows Compliance by Computer report on the Console > Reports > All Reports > Software > Patch Management > Compliance; confirmed these updates are still Applicable & Vulnerable.
Checked the Software Update Policy for deployment; confirmed the policy is enabled and the advertisements are enabled.
Patch Management 7.5.x, 7.6.x and 8.x
Software Updates fail to install with status (5) and exit code -2146762486 (A certificate chain could not be built) as seen in the following log excerpt:
AexPatchDeployment tool fails to install update with exit code 192 (The vendor patch file is either not signed, or the file signature fails the validation requested by the content provider) as seen in the following log excerpt:
Certificates required to validate Software Updates are not installed on endpoints
See INFO4345 for the certificates required since the changes made in the PMImport version outlined in INFO4245.
Ensure the Certificate Store on the targeted Client is current for the vendor / software being updated. You can validate this by opening the certificate used to sign the Software Update binaries located in the package folder (default - C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\GUID\cache\ ). Open the "Digital Signatures" tab in the file properties UI and check that all certificates are validated successfully:
"Certificate status:" should provide details about any issues with the certificate on an endpoint.
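A scripted version of the "Digital Signatures" check above, for auditing every package in the cache on one endpoint. This is an added example, not part of the original article or the vendor's tooling; the function name `Test-UpdateSignature`, the `$CacheRoot` default (the article's default folder without the GUID part) and the extension list are assumptions.

```powershell
# Added example: report update files whose signature or certificate chain
# does not validate against the local certificate stores.
param(
    # Assumption: default Software Delivery folder named in the article.
    [string]$CacheRoot = 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery',
    # Assumption: file types to inspect; adjust to the packages you deploy.
    [string[]]$Extensions = @('.exe', '.msi', '.msp', '.cab')
)

function Test-UpdateSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result = [ordered]@{
        File          = $Path
        Status        = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer        = $null
        ChainErrors   = @()              # e.g. PartialChain, UntrustedRoot
        TopOfChain    = $null
        MissingIssuer = $null
    }
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation so the result reflects only what the local stores contain.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($sig.SignerCertificate)
        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status })
        # The last element is the highest certificate Windows could reach.
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.TopOfChain = $top.Subject
        # Not self-signed: the chain stopped early and this issuer is absent.
        # Self-signed with UntrustedRoot: TopOfChain itself is the missing root.
        if ($top.Subject -ne $top.Issuer) { $result.MissingIssuer = $top.Issuer }
    }
    [pscustomobject]$result
}

Get-ChildItem -LiteralPath $CacheRoot -Recurse -File |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object { Test-UpdateSignature -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' -or $_.ChainErrors.Count -gt 0 } |
    Format-List
```

Files that produce no output validated cleanly; for the rest, `MissingIssuer` or `TopOfChain` names the certificate to export and install as described below.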
To install certificates from the Microsoft Root Certificate Program, work through the process outlined at http://support.microsoft.com/kb/931125. This should cover most of the certificates used to sign Software Updates.
You can install individual certificates manually. Export the certificate used to sign the Software Update file:
- Open the "Digital Signatures" tab of the file properties
- Open the certificate
- Open the "Details" tab of the certificate
- Use the "Copy to file…" button
Then use the certutil command-line tool (https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx) to install the certificate on each endpoint.
Alternatively, if you wish to install it manually on an endpoint, the following steps may be used:
Open the Certificates MMC
Start > Run
Click File > Add/Remove Snap-in
Select Computer Account and click Next
To import a Trusted Root Certificate
Expand the Certificates node
Right-click Trusted Root Certificates > All Tasks > Import
Browse to the Certificate