9 Replies Latest reply on Dec 7, 2015 12:12 PM by cwinning

    File is not signed

    swichowski Rookie

      I'm on a disconnected network and all my patches fail to install. When I look in the Event Viewer it says "Event ID 8197 from source patchmanagement cannot be found."

      File is not signed. C:\Windows\ProPatches\Patches\windows6.1-kb3081320-x64.msu

      It shows this error for every patch.

       

      I updated all the data files, and downloaded the patches again.

        • 1. Re: File is not signed
          cwinning CommunityTeam

          Hello,

           

          Apologies for the late reply, I was out of the and it appears this post was missed.  Event ID 8197 refers to various Microsoft Exchange issues so I'm not sure how it would relate to a non-Exchange patch. Odd.

           

          The 'File is not signed' error on the other hand would indicate either the patch isn't completely downloaded or the target machine's OS (or on the disconnected Protect server) can't verify the Digital Signature of the patch.  An outdated root certificate would be suspect #1, but it's also possible the patches are set to 'blocked' if you are manually copying them to the disconnected network.

           

          • Verify the patches are not 'blocked' by right-clicking on the patch and going into Properties.  The patch is 'blocked' if you see an 'Unblock Button' in the General tab.  You will need to unblock all the patches if this is the case.
          • You could update the root certificates on all of your offline machines.

           

          Thanks,

          Charles

          • 2. Re: File is not signed
            swichowski Rookie

            Charles,

             

            The files are unblocked and we did update the root certificates. It is weird because it only does this for Microsoft Win7 security patches. Flash, Java and other patches deploy fine. I can go to the propatches folder and manually run the files. I also downloaded all new patches and deleted old ones. Updated all files in the data files folder.

             

            Thank you for your help.

            Steve

            • 3. Re: File is not signed
              cwinning CommunityTeam

              Steve,

               

              I think whatever the issue is, it's going to be specific to the machines or the OS's. 

               

              Is this a recent issue?

              Do these machines have a different GPO than the ones that work?

              Did this ever work on these machines?

              Is the Windows Update service disabled on the targets?

               

              Do you see any oddness  when you view the certificate information for the patches?

               

               

              Thanks,

              Charles

              • 4. Re: File is not signed
                swichowski Rookie

                Charles,

                 

                This issue started about 2 weeks ago. No, the Windows Update service is not blocked. I rechecked the certs and they look good.

                 

                Even when I put a computer in the no policy's group it does this

                 

                In the cl5.log I get the following error when trying to install any patch
                wintrustverifier . cpp 271 certificate verification failed with error -2146762748


                I just noticed if I open services on a computer I am trying to patch and tell the st remote scheduler service to logon using a different account and not use the local service account the patches will install.


                Thank you

                Steve



                 

                • 5. Re: File is not signed
                  cwinning CommunityTeam

                  Hello,

                   

                  Without a full set of logs, here is a brain-dump from what I know and have seen in the past:


                  • The Local System account was locked down.
                  • The Local System account doesn't have full control permissions to C:\ProgramData\Microsoft\Crypto\RSA and C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18  (most likely)
                  • The root certificate is out of date.

                   

                  If this doesn't help, we're going to need a case so we can take a look at logs and possibly a WebEx.

                   

                  Thanks,

                  Charles

                  • 6. Re: File is not signed
                    swichowski Rookie
                    • The Local System account was locked down.


                    • What permissions are required for this account?
                    • 7. Re: File is not signed
                      cwinning CommunityTeam

                      Hello,

                       

                      We don't have a list for the Local System account readily available.  Try adding full control permissions for the system account to C:\ProgramData\Microsoft\Crypto\RSA and C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 on one of the targets to see if that does it.


                      Thanks,

                      Charles

                      • 8. Re: File is not signed
                        swichowski Rookie

                        I did that and it did not fix the problem.

                        • 9. Re: File is not signed
                          cwinning CommunityTeam

                          Hello,

                           

                          I asked around the R&D area and no one has a list of what permissions are needed other than 'it shouldn't be locked down'.  Not very helpful. ☺

                           

                          Any chance you can track down how it was locked down?

                          Are you able to compare between a working and non-working machine?

                           

                          Thanks,

                          Charles
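
Added example, not part of the original thread or the vendor's tooling: a PowerShell script that gathers the items discussed above (the logged error code, the 'blocked' flag, the Authenticode status, and the SYSTEM entries on the Crypto\RSA folders) into one record, so a working and a non-working machine can be compared. The patch path and error code are the ones quoted in the thread; the output property names and the PowerShell 3.0 or later requirement are assumptions.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0 or later.
param(
    # Patch path and error code are the values quoted in the thread.
    [string]$PatchPath = 'C:\Windows\ProPatches\Patches\windows6.1-kb3081320-x64.msu',
    [int]$ErrorCode    = -2146762748
)

if (-not (Test-Path -LiteralPath $PatchPath)) { throw "Patch not found: $PatchPath" }

# Decode the cl5.log error: show it as an HRESULT and ask Windows for its text.
$hresult = '0x{0:X8}' -f $ErrorCode
$errText = (New-Object System.ComponentModel.Win32Exception $ErrorCode).Message

# A 'blocked' file (Unblock button in Properties) carries a Zone.Identifier stream.
$blocked = [bool](Get-Item -LiteralPath $PatchPath -Stream 'Zone.Identifier' `
                  -ErrorAction SilentlyContinue)

# Authenticode verification as seen by the account running this script.
$sig = Get-AuthenticodeSignature -FilePath $PatchPath

# Access rules held by Local System (SID S-1-5-18) on the key folders named
# in the thread. Rules are translated to SIDs so localized names do not matter.
$keyDirs = 'C:\ProgramData\Microsoft\Crypto\RSA',
           'C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18'
$sidType = [System.Security.Principal.SecurityIdentifier]
$systemAcl = foreach ($dir in $keyDirs) {
    if (Test-Path -LiteralPath $dir) {
        (Get-Acl -Path $dir).GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.IdentityReference.Value -eq 'S-1-5-18' } |
            ForEach-Object { "$dir => $($_.AccessControlType) $($_.FileSystemRights)" }
    } else {
        "$dir => missing"
    }
}

# One record per machine; save it on both hosts and diff the two.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    RunAs           = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    HResult         = $hresult
    ErrorText       = $errText
    Blocked         = $blocked
    SignatureStatus = $sig.Status
    StatusMessage   = $sig.StatusMessage
    Signer          = $sig.SignerCertificate.Subject
    SignerNotAfter  = $sig.SignerCertificate.NotAfter
    SystemAcl       = $systemAcl -join '; '
}
```

The signature result reflects the trust stores visible to the account running the script, so it is most informative when run under the same account the scheduler service uses on the failing machine.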