PowerShell Script to Update New Client-Side Certificates for Patch for Windows Servers 9.3

Version 4

    Purpose

     

    We recently started signing deployment files for Patch for Windows Servers 9.3 with SHA256 certificates from DigiCert. Deployments to client machines with out-of-date root certificates will fail. A PowerShell script was created to update the client-side root certificates.

     

    With today’s content release (09/07/2017) for Patch for Windows Servers, we will be releasing an updated deployment executable, STDeploy.exe. The purpose of this updated version is to correct the issue in this document that was created for updating the DigiCert certificate on target client machines before execution of a deployment. This will correct the digital certificate verification issues for offline clients or clients that do not have updated root certificates.

     

    Points of interest once we release our new content today:

     

    • The updated STDeploy.exe will be automatically downloaded when you perform a Help > Refresh Files or when your automated scheduled downloads run.
    • The updated STDeploy.exe will automatically be copied to the target clients for new deployments after it is updated on the console server.
    • The updated STDeploy.exe will sync to your Distribution Servers at their scheduled time, or you can manually initiate the sync in Tools > Options > Distribution Servers.
      • You should ensure your Distribution Servers are synced before your next deployment session.
    • Scheduled Scans with automatic deployment will use the new STDeploy.exe.
    • Scheduled Deployments that were scheduled before the console downloads the new STDeploy.exe will not use the new version. Subsequent scheduled deployments will.
    • The PowerShell script is no longer needed once this is released.

    Instructions

     

    • The PowerShell script is attached to this document.
    • Our recommendation is to run this from the Ivanti Patch for Windows Servers console against the client workstations/servers.

     

    1. Extract InstallCertificates.zip

    2. Go to the extracted location

    3. Read Disclaimer.txt

    4. Right-Click PowerShell --> Run as administrator

    5. Change directory to the extracted location

    6. Execute the following and note the ExecutionPolicy setting

        Get-ExecutionPolicy

    7. Execute the following in order to run the “PowerShell” script later.

        Set-ExecutionPolicy RemoteSigned

    8. Script Options:

        If you are running the script on the problem machine, execute:

            .\InstallCertificates.ps1

        If you are running the script from a remote machine against a single machine, execute the command below.

            Replace <%MachineName_OR_IPAddress%> with the problem machine name or IP address.

            You have to be logged in as a user that has administrator rights to the remote problem machine.

            .\InstallCertificates.ps1 -computerName <%MachineName_OR_IPAddress%>

        If you are running the script from a remote machine against a list of machines, execute the command below.

            Replace <%MachineListFilePath%> with the fully qualified MachineNameList file path. For example, c:\users\user name\desktop\MachineList.txt

            The file path has to be quoted.

            The Machine List file has to contain one machine name or IP address per line. See the example MachineList.txt file.

            You have to be logged in as a user that has administrator rights to the remote problem machine.

            .\InstallCertificates.ps1 -machineListFilePath "<%MachineListFilePath%>"

    9. Revert the ExecutionPolicy by replacing <%Policy%> with the value from step 6 above.

        Set-ExecutionPolicy <%Policy%>

    You may get an error stating “execution of scripts is disabled on this system”. You can enable script execution by running:

        Set-ExecutionPolicy RemoteSigned
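
    Steps 6 through 9 as one function, added here as an example and not part of Ivanti's attached script: it changes the execution policy only at Process scope, restores it even if the script fails, and checks the machine list format first. The function name Invoke-CertificateUpdate and the use of Cert:\LocalMachine\Root for the follow-up check are assumptions; paste it into the elevated session from step 4.

```powershell
# Added example (not Ivanti's code). Assumed: the function name, and that the
# script installs its roots into Cert:\LocalMachine\Root.
function Invoke-CertificateUpdate {
    param(
        [string]$ScriptPath = '.\InstallCertificates.ps1',
        [string]$MachineListFilePath   # optional; one machine name or IP per line
    )
    if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
        throw "Script not found: $ScriptPath"
    }

    $scriptArgs = @{}
    if ($MachineListFilePath) {
        # Check the list before handing it to the script: non-empty,
        # and exactly one entry per line.
        $lines = Get-Content -LiteralPath $MachineListFilePath -ErrorAction Stop |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        if (-not $lines) { throw 'Machine list is empty.' }
        $bad = @($lines | Where-Object { $_ -match '\s|[,;]' })
        if ($bad.Count) { throw "More than one entry on a line: $($bad -join ' | ')" }
        $scriptArgs.machineListFilePath = $MachineListFilePath
    }

    # Step 6: note the current setting (Process scope only).
    $previous = Get-ExecutionPolicy -Scope Process
    try {
        # Step 7, narrowed to this session: the machine-wide policy is untouched.
        Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
        # Step 8: run the script, with the list parameter if one was given.
        & $ScriptPath @scriptArgs
    }
    finally {
        # Step 9: revert, even when the script threw.
        Set-ExecutionPolicy -Scope Process -ExecutionPolicy $previous -Force
    }

    if (-not $MachineListFilePath) {
        # Local run: list the DigiCert roots now in the machine root store
        # so the result can be confirmed before the next deployment.
        Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Subject -like '*DigiCert*' } |
            Select-Object Subject, Thumbprint, NotAfter
    }
}
```

    An execution policy set through Group Policy takes precedence over the Process scope, in which case Set-ExecutionPolicy reports that the setting is overridden.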

    Affected Product(s)

     

    Ivanti Patch for Windows Servers 9.3.x