SMS 2003 ITMU may fail to scan for update compliance on Windows 2000 Systems.

Update: 8/14/2007 4:00 pm

KB 941440 has been published for this issue. Please reference the KB for more complete information regarding this issue.

You may access the KB via this link: https://support.microsoft.com/kb/941440/en-us

 Original post:

With the pending deployment of the August Cab file an issue has been identified for Windows 2000 systems which did not receive the Root Certificate Update originally released in September of 2006 through the Windows Update site. Those Windows 2000 systems without this Root Certificate Update will not be able to scan against the valid CAB file for August.

Because this update was not released as a Security Update, Update Rollup, or Service Pack it was not of an update type distributed by the ITMU tool.

Symptoms.

The following sequence may be observed in the affected Clients WindowsUpdate.log:

2007-08-11 13:05:22:291 652 4e0 Misc WARNING: Error: 0x800b0109 when verifying trust for D:\WINNT\SoftwareDistribution\ScanFile\498d12b1-5a70-4bf4-af7a-161e9c458e46\Source.cab

2007-08-11 13:05:22:291 652 4e0 Misc WARNING: Digital Signatures on file D:\WINNT\SoftwareDistribution\ScanFile\498d12b1-5a70-4bf4-af7a-161e9c458e46\Source.cab are not trusted: Error 0x800b0109

2007-08-11 13:05:22:291 652 4e0 OfflSnc WARNING: failed to verify signature for offline cab. hr = 0x800b0109

2007-08-11 13:05:22:501 652 4e0 PT WARNING: PTError: 0x800b0109

2007-08-11 13:05:22:501 652 4e0 Agent WARNING: WU client fails CClientCallRecorder::OpenOfflineSyncSource with error 0x800b0109

2007-08-11 13:05:22:501 1128 4a4 COMAPI WARNING: ISusInternal::OpenOfflineSyncSource failed, hr=800B0109

Cause:
This issue occurs when the Windows 2000 clients lack the Root Certificate Update necessary to read the August or subsequent months CAB file which is leveraged by the ITMU. This issue only affects Windows 2000 systems without this update. This does not affect Windows XP, Windows 2003 or Windows Vista systems.

 

What you need to do:

To ensure your Windows 2000 system are able to utilize the August and subsequent wsusscn2.cab file:

· Download and then distribute via Software Distribution the Root Certificate Update to your Windows 2000 clients before leveraging SMS with ITMU for August Patch Compliance.

1)  Download the update from the Microsoft Update Catalog which you can find here. (https://catalog.update.microsoft.com/v7/site/Home.aspx)

a) In the search box enter the updateID: d1b4fccb-384d-489e-a709-845116887f36

b) Add the Root Certificates Update to your basket and then viewthe basket and download. You can click on the Root Certificates Update itself to access details about it.

 

2) Distribute the Root Certificate update via Software Distribution to your Windows 2000 Clients.

a) Create a standard Software Distribution Package using the downloaded Update as the source file.

b) The command line should be the downloaded executable: X86-all-rootsupd_fe44934fd80dd11fec2f0f9b24431658a4f6d589.exe /q:a /r:n The noted switches are those taken from the XML file utilized when installing directly from Windows Update.

c) The installation is silent and does not require a reboot.

d) It is preferable to target only your Windows 2000 clients however distribution to non 2000 clients should not be problematic. Windows XP and later Operating Systems already have the updated Root Certificate List in place.

· The installation process produces no logs of its own so you will need to rely upon the SMS Clients logs or the Advertisement and Package status messages.

Once this update has been deployed your Windows 2000 clients will be ready to scan against the August and subsequent ITMU leveraged cab files.