2 Replies Latest reply on May 13, 2015 12:59 AM by robertklockhart

    Custom Deployment for offline network




      I have an offline deployment of several networked servers and have a bizarre issue. Scans and file copies work great, but cannot install Windows security patches. All 3rd party patches install fine. When I attempt a Windows security patch, the cl5 log has the following 2 lines:

      CommandLine.cpp:1140 Entering CMD_CHECK_MS_SIGNATURE

      WinTrustVerifier.cpp:271 Certificate verification failed with error: -2146762748


      Question, is there a way in a custom deployment template to add a custom action to define this CMD_CHECK_MS_SIGNATURE as either disabled or another value such that the signature check is disabled?

      The servers in my offline network are locked down hard and don't have the option to do any external checks.


      I have already attempted a custom template with these two actions to see if an elevated process might overlook the cert check, but issue persists:

      wmic process where name="TrustedInstaller.exe" CALL setpriority 128

      wmic process where name="msiexec.exe" CALL setpriority 128


      Importing in the latest CRL's is already done, but no change in Shavlik patch issue.


      Thank you for any suggestions

        • 1. Re: Custom Deployment for offline network
          cwinning CommunityTeam



          Normally, the root certificate update corrects this issue, but it's possible something else is locked down preventing the check too.  Digital Signature verification for Microsoft patches is hard coded and cannot be bypassed.


          Things to look at or try:


          1.  Are you able to see a valid digital signature on the patches being copied to the target machines?

          2.  Are theses patches blocked?  You can verify this by going into the properties of the patches and look for an 'Unblock' button in the General tab.

          3.  Does the Local System account have full control over the Machine Keys folder, sub-folder and files within it?  Is the System account locked down?


          Let me know what you see.




          • 2. Re: Custom Deployment for offline network

            cwinning, Thanks for the reply. For anyone else having this issue, setting the Wintrust registry setting for HKCU to 23c00 on the server with Shavlik Protect installed resolved the issue.

            The full key is this: "HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" the change state from 10000 to 23c00.