Symptoms
You attempt to install an agent (manually or from the console) and the installation fails after the registration process. When you open the Agent GUI, no policy is applied.
The following errors appear in STDispatch.log on the agent machine (C:\ProgramData\LANDesk\Shavlik Protect\Logs):
CryptDigestUtils.cpp:158 The certificate chain is not complete.
AuthenticodeVerifier.cpp:178 The Authenticode(r) digital signature could not be verified.
AuthenticodeVerifier.cpp:201 File not signed by any expected issuer or subject.
CommandLineTask.cpp:214 Invalid executable 'C:\Program Files\LANDESK\Shavlik Protect Agent\STAgentUpdater.exe'. Application is not trusted.
Dispatcher.cpp:197 Duplicate call to complete task: 5c19a2c9-1f90-4015-b3e6-455f1fb7b435
Dispatcher.cpp:237 DispatchTaskById: b443f8a1-8af5-4f43-8537-467648fecc4c 9d77c15b-2685-4223-8c50-17e989367eb0 tasks/3B71457B-43E3-41F9-ABED-C7D44435DC0E.txt
CryptDigestUtils.cpp:158 The certificate chain is not complete.
AuthenticodeVerifier.cpp:178 The Authenticode(r) digital signature could not be verified.
AuthenticodeVerifier.cpp:201 File not signed by any expected issuer or subject.
CommandLineTask.cpp:214 Invalid executable 'C:\Program Files\LANDESK\Shavlik Protect Agent\STAgentUpdater.exe'. Application is not trusted.
Cause
This error can occur if the machine's root certificates are outdated or if, during a manual installation, the account in use does not have permissions on the MachineKeys folder: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
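To see which of the two causes applies on an agent machine, the following PowerShell check can be run from an elevated prompt. It is an added example, not part of the original article or the vendor's tooling; the two paths are the ones quoted above, and everything else uses standard Windows cmdlets and .NET classes.

```powershell
# Added diagnostic example. Paths are taken from this article.
$exe  = 'C:\Program Files\LANDESK\Shavlik Protect Agent\STAgentUpdater.exe'
$keys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'

# 1. Authenticode result as Windows evaluates it on this machine.
$sig = Get-AuthenticodeSignature -FilePath $exe
'Signature status : {0}' -f $sig.Status
'Status message   : {0}' -f $sig.StatusMessage

# 2. Rebuild the signer's chain and show the status of every element.
#    A PartialChain or UntrustedRoot flag is the usual sign of a missing root certificate.
if ($sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so the check also works on disconnected machines.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    'Chain builds     : {0}' -f $chain.Build($sig.SignerCertificate)
    foreach ($el in $chain.ChainElements) {
        $flags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $flags) { $flags = 'NoError' }
        '  {0}  [{1}]' -f $el.Certificate.Subject, $flags
    }
}

# 3. List the MachineKeys ACL entries that apply to the current account,
#    matching on SIDs so group memberships are included.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
$rules = (Get-Acl -Path $keys).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$mine = @($rules | Where-Object { $sids -contains $_.IdentityReference.Value })
if ($mine.Count -eq 0) {
    'No MachineKeys ACL entry applies to {0}' -f $me.Name
} else {
    $mine | ForEach-Object {
        '  {0} {1} ({2})' -f $_.AccessControlType, $_.FileSystemRights, $_.IdentityReference.Value
    }
}
```

Run it as the same account that performs the manual installation, since step 3 reports the rights of the current user only.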
Resolution
- To resolve this issue the root certificates of the client (agent) machine must be updated. You can apply the updates using Protect.
To Apply the Updates:
- Create a custom patch scan template that includes the patch type filter Security Tools.
- Run a scan on the target machine and then look for the bulletins MSRC-001 or MSRC-002.
Related Document: How to Find/Exclude Specific Patches in Scan Results.
MSRC-001 is for Windows XP and 2003. For newer operating systems, such as Vista, 2008, and Windows 7, the root certificates are automatically updated if the machine is connected to the Internet. However, if you have to apply the update manually, you should be able to deploy MSRC-002 from Protect.
You cannot update root certificates on operating systems that are not within the Microsoft support lifecycle. Ensure that you are using a supported operating system and service pack level.
If the computer is not connected to the Internet and cannot update these files automatically, they must be downloaded and distributed manually. Although Protect designates two different bulletin IDs for root certificates (MSRC-001 and MSRC-002), both use the same patch from Microsoft. If root certificates need to be installed but Protect is unable to do so, download the patch directly from Microsoft and run it.
Download Here
When you run the exe, it will run and vanish. It will not give a completion message.
The patch states it is for XP, but the article below, under the section "Root update package installation on disconnected environments", states that it works on other operating systems as well.
Microsoft Article: Windows Root Certificate Program members
- To resolve the issue with the MachineKeys folder, navigate to that folder and, from Properties > Security, grant the permission to your user account.
Affected Products
Shavlik Protect 9.x