Original Message:
Sent: May 19, 2023 02:50 AM
From: Igor Perevozchikov
Subject: Windows Patch Assessment failing
Just in case, there is a custom inventory available to get information about installed certificates in trusted root and CA from managed client computers, to make sure that all computers have required certificates installed
https://community.broadcom.com/symantecenterprise/viewdocument/custom-inventory-to-get-installed-c?CommunityKey=bf23126f-6eab-4bbe-965d-e26838c079e0&tab=librarydocuments
Original Message:
Sent: Apr 17, 2023 03:39 PM
From: WTargarean
Subject: Windows Patch Assessment failing
Thank you! everything is working
Original Message:
Sent: Apr 14, 2023 12:04 PM
From: Dmitri Gornev
Subject: Windows Patch Assessment failing
KB164743 is updated with additional resolution options.
Original Message:
Sent: Apr 13, 2023 08:22 AM
From: Jacques Bence
Subject: Windows Patch Assessment failing
I got mine to work now by downloading the certs and adding them to the SSL settings as described in the article. The logs showed that the certs are being replaced on the client machine and then the patch scan was able to complete. I did not have to touch the HTTPS settings.
Original Message:
Sent: Apr 13, 2023 07:44 AM
From: Jacques Bence
Subject: Windows Patch Assessment failing
As mentioned before we are not running in HTTPS or SSL mode so we are not using certificates in the environment. I have no existing certificates to replace and I don't intend on enabling HTTPS mode either. Any other suggestions?
Original Message:
Sent: Apr 13, 2023 07:28 AM
From: Jo Peacock
Subject: Windows Patch Assessment failing
We following the KB https://knowledge.broadcom.com/external/article/164743/windows-system-assessment-scan-fails-wit.html and then downloaded all the certs. Then as per method 3 in the KB, we deployed via the NS Communication Profile - our servers also don't have internet access, but this method worked for us. We are now up and running again.
Original Message:
Sent: Apr 13, 2023 07:07 AM
From: Jacques Bence
Subject: Windows Patch Assessment failing
I am seeing the same issue on my side. However, I am not using a certification infrastructure and I am also not able to allow all machines access to the internet. It doesn't even work on my NS and SQL server. So where to from here?
Original Message:
Sent: Apr 11, 2023 11:58 AM
From: AlexS@TelindusLux
Subject: Windows Patch Assessment failing
Hello Roy,
yes with CRT name, it works correctly without requesting a password. Thank you for your help
Alex
Original Message:
Sent: Apr 11, 2023 11:41 AM
From: Roy B
Subject: Windows Patch Assessment failing
Alex,
The files I downloaded were a .crt. Importing a .crt didn't require a password for me. Looks like you're importing a .cer file?
Both certificates imported correctly:
Hope that helps,
Roy
Original Message:
Sent: Apr 11, 2023 11:18 AM
From: AlexS@TelindusLux
Subject: Windows Patch Assessment failing
Hello,
What is the required password ?
Original Message:
Sent: Apr 11, 2023 10:43 AM
From: Dmitri Gornev
Subject: Windows Patch Assessment failing
We plan to update KB164743 shortly with new certificates information but here is the short summary.
The following certificates need to be installed on affected computers (according to our investigation these are endpoints that don't have access to Internet):
https://cacerts.digicert.com/DigiCertTrustedRootG4.crt to Trusted Root Certification Authorities
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt to Intermediate Certification Authorities
The easiest way to distribute them to numerous endpoints is using Notification Server Connection Profile functionality - it has an ability to transfer certificates to the managed endpoints and install to appropriate certificate stores there:
Original Message:
Sent: Apr 11, 2023 10:23 AM
From: cookie999
Subject: Windows Patch Assessment failing
We are also seeing the same issue. However, we are not in a position to be able to give all our server estate access to the internet. We can definitely see where the limited number of servers and workstations that do have internet access are working with no issue, guessing as you say, they can perform CRL lookups.
Original Message:
Sent: Apr 11, 2023 08:10 AM
From: Fabian De Reyst
Subject: Windows Patch Assessment failing
Hi all,
we have the same issue! installing the new certificate didn't work. Then I saw that we only have issues on the machines that have no internet access. So just enabled internet access for a few minutes, opened a browser to whatever website, closed it and after that patch assessment scan was resolved. could it be an issue caused by CRL lookup?
Original Message:
Sent: Apr 11, 2023 06:59 AM
From: Craig Witter
Subject: Windows Patch Assessment failing
We ran into this over the last weekend too. You likely need this certificate: https://cacerts.digicert.com/DigiCertTrustedRootG4.crt
It looks like they have changed how their signing is being done as of March 2023: https://knowledge.digicert.com/generalinformation/digicert-root-and-intermediate-ca-certificate-updates-2023.html
Original Message:
Sent: Apr 11, 2023 12:08 AM
From: Igor Perevozchikov
Subject: Windows Patch Assessment failing
Hi WTargarean!
Probably you have a same symptoms as described in this KB Article:
https://knowledge.broadcom.com/external/article/164743/windows-system-assessment-scan-fails-wit.html
Best regards,
IP.
Original Message:
Sent: Apr 10, 2023 05:18 PM
From: WTargarean
Subject: Windows Patch Assessment failing
We have a few servers failing on Windows Patch Assessment. Certs are installed, tried uninstalling and reinstalling the agent. still failing.
attached is a the logs screenshot: