
Patch Management scan error 1627

Sometimes, after deploying Patch Management in your infrastructure, Patch Scan tasks may fail with error code 1627 on Windows endpoints.

This error code, received upon the task failing, is related to missing certificates on the target machines.

The solution, presented in the troubleshooting steps below, is to export the certificates from an endpoint where Patch Scan tasks work properly and to import them on the machines that are failing.

  1. Certificates

    The specific certificates are the following:

    • DigiCert Assured ID Root CA (found in Trusted Root Certification Authorities)

    • DigiCert SHA2 Assured ID Code Signing CA (found in Intermediate Certification Authorities)

  2. Accessing Local Machine Certificates Store

    You can find the above certificates in the Local Machine Certificates Store, not in the Local User Certificates Store.

    • For Windows 8.1 and above, you may access this store by running the command certlm.msc

    • For Windows 7, you will need to create a new snap-in as described below:

      1. Start → Run: mmc.exe

      2. Menu: File → Add/Remove Snap-in…
      3. Under Available snap-ins, select Certificates and press Add.

      4. Select Computer Account for the certificates to manage. Press Next.
      5. Select Local Computer and press Finish.

        Press OK to return to the management console.

  3. Exporting certificates

    Once you locate the two certificates on one of the machines where Patch Scan is working properly, you will need to export them.
  4. Importing certificates

    After exporting the two certificates and copying them over to the machine where the Patch Scan task is failing, you will need to import them.

    Note

    Please make sure to import the certificates in the Local Machine Certificates Store and in their proper locations:

    • DigiCert Assured ID Root CA → Trusted Root Certification Authorities

    • DigiCert SHA2 Assured ID Code Signing CA → Intermediate Certification Authorities

  5. Alternative method

    A different method to import the certificates is by using the two commands below:

    • For DigiCert Assured ID Root CA

      certutil -addstore "Root" "< path_to_root_certificate >"

    • For DigiCert SHA2 Assured ID Code Signing CA

      certutil -addstore "CA" "< path_to_intermediate_certificate >"

    Note

    This method is useful if you have multiple endpoints with the issue described and you need to automatically import certificates via script.

    Make sure to run the commands above in Command Line with administrative rights.
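
The scripted import described under the alternative method, as an added example (not vendor code): it checks each exported file against the thumbprint read from the working endpoint before adding it to the Local Machine store, and skips certificates that are already present. The folder, the file names and the thumbprint placeholders are assumptions to replace with your own values.

```powershell
# Added example: idempotent import of the two certificates named in this article.
# Run from an elevated PowerShell prompt.
# $CertDir and the .cer file names are assumptions (wherever the exported files were copied).
# The thumbprints are placeholders: copy them from the certificate's Details tab
# (field "Thumbprint") on the endpoint where Patch Scan works.
$CertDir = 'C:\Temp\certs'
$Certs = @(
    @{ Name  = 'DigiCert Assured ID Root CA'
       File  = 'DigiCertAssuredIDRootCA.cer'
       Store = 'Root'   # Trusted Root Certification Authorities
       Thumb = '<ROOT_THUMBPRINT_FROM_WORKING_ENDPOINT>' },
    @{ Name  = 'DigiCert SHA2 Assured ID Code Signing CA'
       File  = 'DigiCertSHA2AssuredIDCodeSigningCA.cer'
       Store = 'CA'     # Intermediate Certification Authorities
       Thumb = '<INTERMEDIATE_THUMBPRINT_FROM_WORKING_ENDPOINT>' }
)

foreach ($c in $Certs) {
    $path  = Join-Path $CertDir $c.File
    $store = $c.Store
    if (-not (Test-Path $path)) { Write-Warning "Missing file: $path"; continue }

    # Load the exported file and refuse anything that is not the expected certificate.
    # Adding an unverified file to the Root store would make the machine trust it.
    $x509     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    $expected = $c.Thumb -replace '\s', ''
    if ($x509.Thumbprint -ne $expected -or $x509.Subject -notlike "*CN=$($c.Name)*") {
        Write-Warning "$($c.File): subject or thumbprint mismatch, not imported"
        continue
    }

    # Skip the import when the certificate is already in the Local Machine store.
    $present = Get-ChildItem "Cert:\LocalMachine\$store" |
               Where-Object { $_.Thumbprint -eq $x509.Thumbprint }
    if ($present) { Write-Output "$($c.Name): already in LocalMachine\$store"; continue }

    # Same command as in the article, with the store name and file path filled in.
    certutil.exe -addstore $store $path | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$($c.Name): certutil failed with exit code $LASTEXITCODE"
    } else {
        Write-Output "$($c.Name): imported into LocalMachine\$store"
    }
}
```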
