Skip to main content



Patch Management scan error 1627

Sometimes, after deploying Patch Management in your infrastructure, Patch Scan tasks may fail with error code 1627 on Windows endpoints.

This error code, received upon the task failing, is related to missing certificates on the target machines.

The solution, presented in the troubleshooting steps below, is to export the certificates from an endpoint where Patch Scan tasks work properly and to import them on the machines that are failing.

  1. Certificates

    The specific certificates are the following:

    • DigiCert Assured ID Root CA (found in Trusted Root Certification Authorities)

    • DigiCert SHA2 Assured ID Code Signing CA (found in Intermediate Certification Authorities)

  2. Accessing Local Machine Certificates Store

    You can find the above certificates in the Local Machine Certificates Store, not in the Local User Certificates Store.

    • For Windows 8.1 and above, you may access this store by running the command certlm.msc

    • For Windows 7, you will need to create a new snap-in as described below:

      1. Start → Run: mmc.exe

      2. Menu: FileAdd/Remove Snap-in…

      3. Under Available snap-ins, select Certificates and press Add.

      4. Select Computer Account for the certificates to manage. Press Next

      5. Select Local Computer and press Finish.


        Press OK to return to the management console.

  3. Exporting certificates

    Once you locate the two certificates on one of the machines where Patch Scan is working properly, you will need to export them:

  4. Importing certificates

    After exporting the two certificates and copying them over to the machine where Patch Scan task is failing, you will need to import them.



    Please make sure to import the certificates in the Local Machine Certificates Store and in their proper locations:

    • DigiCert Assured ID Root CA → Trusted Root Certification Authorities

    • DigiCert SHA2 Assured ID Code Signing CA → Intermediate Certification Authorities

  5. Alternative method

    A different method to import the certificates is by using the two commands below:

    • For DigiCert Assured ID Root CA

      certutil -addstore "Root" "< path_to_root_certificate >"

    • For DigiCert SHA2 Assured ID Code Signing CA

      certutil -addstore "CA" "< path_to_intermediate_certificate >"


    This method is useful if you have multiple endpoints with the issue described and you need to automatically import certificates via script.

    Make sure to run the commands above in Command Line with administrative rights.

Video tutorial

You can watch a video tutorial on the topic here.