IT Management Suite

Windows Patch Assessment failing

  • 1.  Windows Patch Assessment failing

    Posted Apr 10, 2023 05:19 PM

    We have a few servers failing on Windows Patch Assessment. Certs are installed, tried uninstalling and reinstalling the agent. Still failing.

    Attached is the logs screenshot:



  • 2.  RE: Windows Patch Assessment failing

    Broadcom Employee
    Posted Apr 11, 2023 12:08 AM

    Hi WTargarean!

    You probably have the same symptoms as described in this KB article:
    https://knowledge.broadcom.com/external/article/164743/windows-system-assessment-scan-fails-wit.html

    Best regards,
    IP.




  • 3.  RE: Windows Patch Assessment failing

    Posted Apr 11, 2023 07:00 AM

    We ran into this over the last weekend too. You likely need this certificate: https://cacerts.digicert.com/DigiCertTrustedRootG4.crt

    It looks like they have changed how their signing is being done as of March 2023: https://knowledge.digicert.com/generalinformation/digicert-root-and-intermediate-ca-certificate-updates-2023.html 




  • 4.  RE: Windows Patch Assessment failing

    Posted Apr 11, 2023 08:10 AM

    Hi all,

    We have the same issue! Installing the new certificate didn't work. Then I saw that we only have issues on the machines that have no internet access. So I just enabled internet access for a few minutes, opened a browser to whatever website, closed it, and after that the patch assessment scan was resolved. Could it be an issue caused by CRL lookup?




  • 5.  RE: Windows Patch Assessment failing

    Posted Apr 11, 2023 10:24 AM

    We are also seeing the same issue. However, we are not in a position to be able to give all our server estate access to the internet. We can definitely see where the limited number of servers and workstations that do have internet access are working with no issue, guessing, as you say, they can perform CRL lookups.




  • 6.  RE: Windows Patch Assessment failing

    Broadcom Employee
    Posted Apr 11, 2023 10:43 AM

    We plan to update KB164743 shortly with new certificate information, but here is the short summary.
    The following certificates need to be installed on affected computers (according to our investigation, these are endpoints that don't have access to the Internet):

    https://cacerts.digicert.com/DigiCertTrustedRootG4.crt to Trusted Root Certification Authorities
    http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt to Intermediate Certification Authorities

    The easiest way to distribute them to numerous endpoints is using the Notification Server Connection Profile functionality. It has the ability to transfer certificates to the managed endpoints and install them to the appropriate certificate stores there:




  • 7.  RE: Windows Patch Assessment failing

    Posted Apr 11, 2023 11:19 AM

    Hello,

    What is the required password?




  • 8.  RE: Windows Patch Assessment failing

    Broadcom Employee
    Posted Apr 11, 2023 11:41 AM

    Alex,

    The files I downloaded were a .crt. Importing a .crt didn't require a password for me. Looks like you're importing a .cer file?

    Both certificates imported correctly:

    Hope that helps,
    Roy




  • 9.  RE: Windows Patch Assessment failing

    Posted Apr 11, 2023 11:59 AM

    Hello Roy,

    Yes, with the CRT name it works correctly without requesting a password. Thank you for your help.
    Alex




  • 10.  RE: Windows Patch Assessment failing

    Posted Apr 13, 2023 07:08 AM

    I am seeing the same issue on my side. However, I am not using a certification infrastructure and I am also not able to allow all machines access to the internet. It doesn't even work on my NS and SQL server. So where to from here?




  • 11.  RE: Windows Patch Assessment failing

    Broadcom Employee
    Posted Apr 13, 2023 07:27 AM

    Hi Jacques,

    Please check KB164743. It currently contains two options for installing the required certificates, and we're looking into the possibility of automating the process.

    Best regards,
    Dmitri.




  • 12.  RE: Windows Patch Assessment failing

    Posted Apr 13, 2023 07:29 AM

    We followed the KB https://knowledge.broadcom.com/external/article/164743/windows-system-assessment-scan-fails-wit.html and then downloaded all the certs. Then, as per method 3 in the KB, we deployed via the NS Communication Profile. Our servers also don't have internet access, but this method worked for us. We are now up and running again.




  • 13.  RE: Windows Patch Assessment failing

    Posted Apr 13, 2023 07:44 AM

    As mentioned before, we are not running in HTTPS or SSL mode, so we are not using certificates in the environment. I have no existing certificates to replace and I don't intend on enabling HTTPS mode either. Any other suggestions?




  • 14.  RE: Windows Patch Assessment failing

    Posted Apr 13, 2023 08:22 AM

    I got mine to work now by downloading the certs and adding them to the SSL settings as described in the article. The logs showed that the certs are being replaced on the client machine and then the patch scan was able to complete. I did not have to touch the HTTPS settings.




  • 15.  RE: Windows Patch Assessment failing
    Best Answer

    Broadcom Employee
    Posted Apr 14, 2023 12:05 PM

    KB164743 is updated with additional resolution options.




  • 16.  RE: Windows Patch Assessment failing

    Posted Apr 17, 2023 03:39 PM

    Thank you! Everything is working.




  • 17.  RE: Windows Patch Assessment failing

    Broadcom Employee
    Posted May 19, 2023 02:51 AM

    Just in case, there is a custom inventory available to get information about installed certificates in trusted root and CA from managed client computers, to make sure that all computers have the required certificates installed.

    https://community.broadcom.com/symantecenterprise/viewdocument/custom-inventory-to-get-installed-c?CommunityKey=bf23126f-6eab-4bbe-965d-e26838c079e0&tab=librarydocuments
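
The store placement given in the Apr 11 Broadcom reply and the presence check suggested in the post above can be combined into one per-endpoint script. This is an added PowerShell example, not part of the thread, the KB or Broadcom's custom inventory; it assumes the two .crt files were already copied to the endpoint, and `$CertDir` and `-Install` are hypothetical names.

```powershell
# Added example (not Broadcom's script). Assumption: the two .crt files named
# in the thread were already copied to $CertDir on the endpoint.
param(
    [string]$CertDir = 'C:\Temp\certs',  # hypothetical staging folder
    [switch]$Install                     # without -Install the script only reports
)

# File name -> LocalMachine store, as listed in the thread
$targets = @(
    @{ File  = 'DigiCertTrustedRootG4.crt'
       Store = 'Cert:\LocalMachine\Root' },   # Trusted Root Certification Authorities
    @{ File  = 'DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt'
       Store = 'Cert:\LocalMachine\CA' }      # Intermediate Certification Authorities
)

$report = foreach ($t in $targets) {
    $row  = [ordered]@{ File = $t.File; Store = $t.Store; Thumbprint = $null; Status = '' }
    $path = Join-Path $CertDir $t.File
    if (-not (Test-Path -LiteralPath $path)) {
        $row.Status = 'FileMissing'
    } else {
        # Read the thumbprint from the file so no value is hard-coded here
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
        $row.Thumbprint = $cert.Thumbprint
        $isRootStore = $t.Store -like '*\Root'
        if ($cert.NotAfter -lt (Get-Date)) {
            $row.Status = 'FileCertExpired'
        } elseif ($isRootStore -and $cert.Subject -ne $cert.Issuer) {
            # Only a self-signed certificate belongs in the root store
            $row.Status = 'NotSelfSigned'
        } elseif (Test-Path -LiteralPath "$($t.Store)\$($cert.Thumbprint)") {
            $row.Status = 'Present'
        } elseif ($Install) {
            # Needs an elevated session to write to LocalMachine stores
            Import-Certificate -FilePath $path -CertStoreLocation $t.Store -ErrorAction Stop | Out-Null
            $row.Status = 'Installed'
        } else {
            $row.Status = 'Missing'
        }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize
# Non-zero exit lets a management task flag endpoints that are still not in place
if ($report.Status | Where-Object { $_ -notin 'Present', 'Installed' }) { exit 1 }
```

Run it once without `-Install` and compare the reported thumbprints with the values DigiCert publishes before adding anything to the root store, since one of the download links in the thread is plain HTTP.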




  • 18.  RE: Windows Patch Assessment failing

    Posted May 22, 2023 11:33 AM

    This is helpful, thank you Igor!