How to use BCM to Deploy Required Certificates if Patch Management shows "Scan Error 5"

Version 2

    Because of Symantec's purchase of VeriSign, these updated SHA-256 certificates must be installed on endpoints that are behind on Windows patching.

     

    1 - Open the knowledge article (KA) "Client Management - Patch KB cannot be updated or Patch Inventory cannot be generated because some certificates are missing or out of date (error 5)", download the attachment at the very bottom of that article, and unzip the file.

     

    2 - Create a package and name it "SHA 256 Certificates". I removed all files in the root folder except the ps1 file just to keep it clean. When you add files to the package, select the folder "Certificates".

                      

    * Folder Structure must be Certificates/Certificates

    * Package Destination = C:\BCM

    * Leave Run field blank

                  

    3 - Import the attached file (the Operational Rule at the bottom of this article). Once imported, it will be located in Lost and Found. Copy it and then paste it into the Operational Rules module, in the folder of your choice.

    4 - If your package is not automatically added during the import process, make sure you add it at this time, and move to Step 2.

                       

    5 - Verify that your Op Rule looks like the image above before you test it. Assign it to any test device, even if the certs are already installed.

         * If you need to run a PowerShell script using Client Management, add an "Execute Program" step and enter PowerShell -ExecutionPolicy ByPass -File "location of ps1 file"

    6 - Navigate to the test device's C:\BCM\Certificates folder; a new log file will have been created there. Review the log to ensure the PowerShell script ran properly. Below is the log from my device:

     

    InstallCertificates_Trace.log

    2018-09-07T08:34:31.1983036z #######################################
    2018-09-07T08:34:31.2227161z Version: 1.0.0.3
    2018-09-07T08:34:31.2266221z
    2018-09-07T08:34:31.2315046z $computerName: GIBBS003
    2018-09-07T08:34:31.2363871z $machineListFilePath:
    2018-09-07T08:34:31.2412696z $certFolder: C:\BCM\Certificates\Certificates
    2018-09-07T08:34:31.2451756z #######################################
    2018-09-07T08:34:31.2510346z
    2018-09-07T08:34:31.3398961z Going to import the following certificate:
    2018-09-07T08:34:31.3447786z  Description: DigiCert Assured ID Root CA
    2018-09-07T08:34:31.3486846z  Certificate Store: Root
    2018-09-07T08:34:31.3525906z  Thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
    2018-09-07T08:34:31.3574731z
    2018-09-07T08:34:31.3652851z Going to import the following certificate:
    2018-09-07T08:34:31.3691911z  Description: DigiCert SHA2 Assured ID Code Signing CA
    2018-09-07T08:34:31.3740736z  Certificate Store: CA
    2018-09-07T08:34:31.3779796z  Thumbprint: 92C1588E85AF2201CE7915E8538B492F605B80C6
    2018-09-07T08:34:31.3828621z
    2018-09-07T08:34:31.4053216z globalsign contains an invalid certificate store: [Subject]
      CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE

    [Issuer]
      CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE

    [Serial Number]
      040000000001154B5AC394

    [Not Before]
      9/1/1998 8:00:00 AM

    [Not After]
      1/28/2028 7:00:00 AM

    [Thumbprint]
      B1BC968BD4F49D622AA89A81F2150152A41D829C

    Unable to load globalsign's certificate
    2018-09-07T08:34:31.4258281z Starfield Root Certificate Authority - G2 contains an invalid certificate store: [Subject]
      CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

    [Issuer]
      CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

    [Serial Number]
      00

    [Not Before]
      8/31/2009 8:00:00 PM

    [Not After]
      12/31/2037 6:59:59 PM

    [Thumbprint]
      B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E

    Unable to load Starfield Root Certificate Authority - G2's certificate
    2018-09-07T08:34:31.4414521z Going to import the following certificate:
    2018-09-07T08:34:31.4463346z  Description: VeriSign Class 3 Code Signing 2010 CA
    2018-09-07T08:34:31.4502406z  Certificate Store: CA
    2018-09-07T08:34:31.4560996z  Thumbprint: 495847A93187CFB8C71F840CB7B41497AD95C64F
    2018-09-07T08:34:31.4600056z
    2018-09-07T08:34:31.4687941z Going to import the following certificate:
    2018-09-07T08:34:31.4727001z  Description: VeriSign Class 3 Public Primary Certification Authority - G5
    2018-09-07T08:34:31.4775826z  Certificate Store: Root
    2018-09-07T08:34:31.4824651z  Thumbprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
    2018-09-07T08:34:31.4863711z
    2018-09-07T08:34:31.4971126z Processing individual Computer
    2018-09-07T08:34:31.5068776z ******************************
    2018-09-07T08:34:31.5166426z    Processing GIBBS003 - Started
    2018-09-07T08:34:31.5264076z ******************************
    2018-09-07T08:34:31.5351961z
    2018-09-07T08:34:31.5410551z  Attempting to import: DigiCert Assured ID Root CA
    2018-09-07T08:34:31.5508201z  $storeNamePath: \\GIBBS003\Root
    2018-09-07T08:34:31.6172221z  DigiCert Assured ID Root CA was found. Not importing certificate
    2018-09-07T08:34:31.6269871z
    2018-09-07T08:34:31.6328461z  Attempting to import: DigiCert SHA2 Assured ID Code Signing CA
    2018-09-07T08:34:31.6416346z  $storeNamePath: \\GIBBS003\CA
    2018-09-07T08:34:31.6513996z  DigiCert SHA2 Assured ID Code Signing CA was found. Not importing certificate
    2018-09-07T08:34:31.6601881z
    2018-09-07T08:34:31.6660471z  Attempting to import: VeriSign Class 3 Code Signing 2010 CA
    2018-09-07T08:34:31.6748356z  $storeNamePath: \\GIBBS003\CA
    2018-09-07T08:34:31.6826476z  VeriSign Class 3 Code Signing 2010 CA was NOT found. Importing certificate
    2018-09-07T08:34:31.7060836z  Successfully added VeriSign Class 3 Code Signing 2010 CA
    2018-09-07T08:34:31.7148721z
    2018-09-07T08:34:31.7207311z  Attempting to import: VeriSign Class 3 Public Primary Certification Authority - G5
    2018-09-07T08:34:31.7295196z  $storeNamePath: \\GIBBS003\Root
    2018-09-07T08:34:31.7441671z  VeriSign Class 3 Public Primary Certification Authority - G5 was found. Not importing certificate
    2018-09-07T08:34:31.7539321z
    2018-09-07T08:34:31.7959216z ******************************
    2018-09-07T08:34:31.8066631z    Processing GIBBS003 - End
    2018-09-07T08:34:31.8154516z ******************************
    2018-09-07T08:34:31.8232636z
    2018-09-07T08:34:31.8291226z #######################################
    2018-09-07T08:34:31.8340051z              End             
    2018-09-07T08:34:31.8388876z #######################################
    2018-09-07T08:34:31.8427936z

     

    7 - After you test and verify, you may wish to add a reboot step and/or a directory clean-up step to remove the source files. A reboot is required for those certs to be applied and for the Patch Management inventory scan to work properly.

     

    The benefit of using this PowerShell script is that it checks for already installed certs before trying to install them, and it produces this log file, which gives you feedback from the process.
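To show what the "check before import" behaviour in the log above amounts to, here is an added example script of that shape. It is not the script attached to this article, and it assumes a layout the article does not state: the package unzips to C:\BCM\Certificates\Certificates and each .cer file sits in a subfolder named for its target LocalMachine store (Root or CA). The thumbprints it pins are the four that appear in the log above; a file in any other subfolder, or with an unlisted thumbprint, is logged and skipped rather than imported. Writing to the LocalMachine stores needs local administrative rights, which the Client Management agent normally has.

```powershell
# Added example (not the KB article's attached script): idempotent certificate import with a trace log.
# Assumed layout (not from the article): C:\BCM\Certificates\Certificates\Root\*.cer and ...\CA\*.cer
# Invoke from the Op Rule's "Execute Program" step as:
#   PowerShell -ExecutionPolicy ByPass -File C:\BCM\Install-Certificates.ps1
param(
    [string]$CertFolder = 'C:\BCM\Certificates\Certificates',
    [string]$LogPath    = 'C:\BCM\Certificates\InstallCertificates_Trace.log'
)

# Only these LocalMachine stores are legitimate targets; anything else is logged and skipped.
$allowedStores = @('Root', 'CA')

# Pinned thumbprints, taken from the article's log. A file whose thumbprint is not listed
# is refused, so a modified package cannot add an unexpected trust anchor.
$expectedThumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',  # DigiCert Assured ID Root CA (Root)
    '92C1588E85AF2201CE7915E8538B492F605B80C6',  # DigiCert SHA2 Assured ID Code Signing CA (CA)
    '495847A93187CFB8C71F840CB7B41497AD95C64F',  # VeriSign Class 3 Code Signing 2010 CA (CA)
    '4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5'   # VeriSign Class 3 Public Primary CA - G5 (Root)
)

function Write-Trace {
    param([string]$Message)
    # ISO-8601 UTC timestamp, like the trace log shown in the article
    $line = '{0} {1}' -f (Get-Date).ToUniversalTime().ToString('o'), $Message
    Add-Content -Path $LogPath -Value $line
}

function Test-CertInstalled {
    param([string]$StoreName, [string]$Thumbprint)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    try {
        $store.Open('ReadOnly')
        $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        return ($found.Count -gt 0)
    } finally {
        $store.Close()
    }
}

function Install-Cert {
    param([string]$StoreName, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    try {
        $store.Open('ReadWrite')
        $store.Add($Cert)
    } finally {
        $store.Close()
    }
}

Write-Trace '#######################################'
Write-Trace "`$computerName: $env:COMPUTERNAME"
Write-Trace "`$certFolder: $CertFolder"

Get-ChildItem -Path $CertFolder -Recurse -Filter '*.cer' | ForEach-Object {
    $file      = $_
    $storeName = $file.Directory.Name   # the subfolder name selects the store (assumed layout)
    $cert      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)

    Write-Trace "Going to import the following certificate:"
    Write-Trace " Description: $($cert.Subject)"
    Write-Trace " Certificate Store: $storeName"
    Write-Trace " Thumbprint: $($cert.Thumbprint)"

    if ($allowedStores -notcontains $storeName) {
        Write-Trace " $($file.Name) contains an invalid certificate store: $storeName. Skipping"
        return   # 'return' inside ForEach-Object moves on to the next file
    }
    if ($expectedThumbprints -notcontains $cert.Thumbprint) {
        Write-Trace " $($file.Name) thumbprint is not on the expected list. Skipping"
        return
    }
    if (Test-CertInstalled -StoreName $storeName -Thumbprint $cert.Thumbprint) {
        Write-Trace " $($cert.Subject) was found. Not importing certificate"
    } else {
        Write-Trace " $($cert.Subject) was NOT found. Importing certificate"
        try {
            Install-Cert -StoreName $storeName -Cert $cert
            Write-Trace " Successfully added $($cert.Subject)"
        } catch {
            Write-Trace " FAILED to add $($cert.Subject): $($_.Exception.Message)"
        }
    }
}

Write-Trace 'End'
```

Because the lookup is by thumbprint, the script can be re-run safely on devices that already have the certs, which is why assigning the Op Rule to an already-patched test device (Step 5) is a valid test. The "invalid certificate store" line mirrors the globalsign and Starfield entries in the log above: files that cannot be mapped to an allowed store are reported and left alone rather than imported somewhere by guesswork.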