Patch Assessment Scan fails as the latest DigiCert certificates are not present.
Last Updated January 04, 2019
The Patch Assessment Scan fails on targets where the latest DigiCert certificates are not installed. The following entry is found in the WindowsDC log: Failed to initialize Patch Scanner Engine in the ‘C:\Program Files (x86)\Symantec\CCS\Reporting and Analytics\DPS\Control\Windows\PatchAssessment\WindowsPatchData.zip’
Control Compliance Suite 12.x
Failed during patch assessment. - Failed to initialize Patch Scanner Engine. Error: The operation identifier is not valid
Windows Patch Assessment has been upgraded to support a new version of the Patch Scanner Engine. This updated engine uses the latest DigiCert certificates to verify the integrity of the windowspatchdata.zip file. These certificates should be present on configured and up-to-date systems from Microsoft. Some systems deployed from old installation sources may not contain all required certificates. This issue could also appear on systems:
that are not connected to the internet (closed environment) and where not all the Microsoft Windows updates are installed by the IT administrator.
that are in a workgroup and not managed by Active Directory, and therefore cannot get the certificate through Group Policy.
Save the certificate as DigiCertSHA2AssuredIDCodeSigningCA.cer
Agentless: For agentless data collection, you must install the DigiCert certificates on the computer where the Data Processing Service is running.
Agent-based: For agent-based data collection, you must install the DigiCert certificates on the computer where the Data Processing Service is running and on all Agents.
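To check a Data Processing Service or Agent computer for the condition described above, the following PowerShell script lists the DigiCert certificates in the local machine stores. It is an added example, not part of the original article or of Control Compliance Suite. The store names checked and the certificate subject name (inferred from the file name DigiCertSHA2AssuredIDCodeSigningCA.cer) are assumptions.

```powershell
# Added example: report which DigiCert certificates are present in the
# local machine certificate stores of a DPS or Agent computer.
# Run in an elevated PowerShell session on the computer being checked.

# Assumption: subject name inferred from the .cer file name in this article.
$expectedSubject = 'DigiCert SHA2 Assured ID Code Signing CA'

# Assumption: stores a code signing chain is normally resolved from.
$stores = 'Root', 'CA', 'TrustedPublisher'
$now    = Get-Date

$found = foreach ($store in $stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like '*DigiCert*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.GetNameInfo('SimpleName', $false)
                NotAfter   = $_.NotAfter
                Expired    = $_.NotAfter -lt $now
                Thumbprint = $_.Thumbprint
            }
        }
}

if (-not $found) {
    Write-Warning 'No DigiCert certificates found in the checked LocalMachine stores.'
} else {
    # Full inventory, so expired or unexpected entries are visible as well.
    $found | Sort-Object Store, Subject | Format-Table -AutoSize
}

# Verdict for the specific certificate this article asks you to save.
$match = $found | Where-Object {
    $_.Subject -eq $expectedSubject -and -not $_.Expired
}

if ($match) {
    Write-Output "Present and valid: $expectedSubject (store: $($match.Store -join ', '))"
} else {
    Write-Warning "Missing or expired: $expectedSubject"
}
```

Run it on the Data Processing Service computer for agentless collection, and additionally on each Agent for agent-based collection.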
You can use one of the following methods to resolve the issue.