Patch Knowledge Base (KB) update process fails or Patch inventory is not updated for Devices.

When Patch KB update process fails following information can be seen in Patch Manager module log :

2019/07/19 10:13:44 PatchManagementPremium           I   [10044] Running software update (remote)
2019/07/19 10:13:46 PatchManagementPremium           ERR [10044] Failed to update Patch knowledge base. Check first if all certificates are correctly installed.

For Patch Inventory issue, following information will appear in BCM Client log files when Patch Inventory is processed :

2019/07/19 10:33:50 PatchManagementPremium           I   [10044] Scanning using software update '2.0.2.7996'
2019/07/19 10:33:50 PatchManagementPremium           ERR [10044] Scan error (5)       or   Scan error (3)       or   Scan error (10)
2019/07/19 10:33:50 PatchManagementPremium           ERR [10044] Failed to scan machine. Check first if all certificates are correctly installed.

Following message in case of patch installation attempt :

2017/10/27 12:17:28 PatchManagementPremium           W   [3848] Package error (5)

Below video shares instructions on verifying the system certificate on the target device for patch inventory.



Below videos share steps on updating the Patch Knowledge Base on the Patch Manager for BCM 21.02 and earlier

Update April 2023:

Many BCM Customer reported that they have started facing issues with the Patch Knowledge bases updates are failing to download and the Patch Jobs stuck in execution pending. All these issues are due to the missing certificates.

• IVANTI recently changed their singing certificate, so if Devices are not connected to the Internet, Devices will need to have their certificates manually updated.
• The solution is to import the new certificates DigiCert Trusted G4 Code Signing RSA4090 SHA384 2021 CA1 and DigiCert Trusted Root G4 in Intermediate and Trusted authority in order to fix the Patch Inventory and KB issues. The InstallCertificateV5.zip can be used to fix this issue. (Article is updated accordingly to new instructions)

There are couple of Methods to manually verify system certificates. like Installing the Certificates via Internet Explorer, MMC console or by using the GPO and an operational rule.

Method 1: Internet Explorer

Verify in system certificates list that following certificates are present, valid and have an SHA 256 signature.
If one of them is missing then cause of this issue is found :

In 'Intermediate Certification Authorities' tab:

• DigiCert SHA2 Assured ID Code Signing CA
• DigiCert Trusted G4 Code Signing RSA4090 SHA384 2021 CA1

In 'Trusted Root Certification Authorities' tab :

• DigiCert Assured ID Root CA
• DigiCert Trusted Root G4
• VeriSign Class 3 Public Primary Certification Authority - G5

If one of them is missing it can be downloaded from the attached InstallCertificates_V5.zip file. It contains certificates and a Power script to install them.

Method 2: MMC

1. Click Start -> Run -> Enter 'MMC' and click 'OK'



2. Click File -> Add/Remove Snap-In...




3. Add Certificate



4. Select 'Computer Account' option and click 'Next'



5. Select Local Computer and Finish



6. Verify certificate is added in the selected snap-ins and then click 'OK'



7. Start to import Trusted Root Certificate



8. Click Next



9. Select downloaded Certificate file




10. Verify the location and click Next



11. Click Finish



12. Import is complete click 'OK'



13. Verify the imported certificate under:
In 'Trusted Root Certification Authorities' tab and  'Intermediate Certification Authorities' tab. 

Screenshot of Trusted Certification Authorities:



Screenshot of Intermediate Certification Authorities




After importing all certificates, run the operational rule "Analyze patch Situation" against the device and check if the inventory is updated. If it still does not populate, logout from the BCM console and login again.
Sometimes, the machine may need to be restarted after importing the certificates.

Note:  

• In certain scenarios, even if all the required system certificates are present on the device, the patch inventory scan still fails with "Scan error 5"
• In such cases, re-import all the system certificates again and then run the patch inventory operational rule to collect the patch inventory : Client Management: How to request an immediate patch inventory? - INCLUDES VIDEO 
• Another scenario, even if all the required system certificates are present on the device when updating patch knowledge base on patch manager we see ERR [10044] Failed to update Patch knowledge base. Check first if all certificates are correctly installed
• Then implement below steps:
• Delete the contents of folder ..Master\Data\PatchManagementPremium\Workspace\ on Master
• Then perform the update from Patch Manager -> Configuration -> Update, this will help in updating Patch knowledge base without any issue

Method 3: via Group Policy Object

To install the certificate on domain computers Group Policy method can be used

1. On a domain controller in the forest of the account partner organization, start the Group Policy Management snap-in

2. Find an existing Group Policy Object (GPO) or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit (OU) where the appropriate user and computer accounts reside

3. Right-click the GPO, and then click Edit

4. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import
   
   

5. On the Welcome to the Certificate Import Wizard page, click Next. (Similar steps used while importing on computers in Method 2)

6. On the File to Import page, type the path to the appropriate certificate files (For example: C:\Certificates\DigiCert SHA2 Assured ID Code Signing CA_CA.cer), and then click Next

7. On the Certificate Store page, click Place all certificates in the following store, and then click Next

8. On the Completing the Certificate Import Wizard page, verify that provided information is accurate, and then click Finish

Verify all the certificates are imported.
In 'Trusted Root Certification Authorities' tab.
In 'Intermediate Certification Authorities' tab. 

Repeat steps 2 through 6 to add additional certificates for each of the federation servers in the farm.

Source: Distribute Certificates to Client Computers by Using Group Policy

Once manual certificates installation solves this incident, following document will help to create an operational rule that applies those certificates on devices.

Method 4: Using an Operational Rule

How to use BCM to Deploy Certificates if Patch Management shows "Scan Error 5"
For this mentioned rule download the InstallCertificateV5.zip for deploying the certificates from this article.


Method 5: Import the " latest SHA 256 certificates " 

This package contains both the certificate and the PowerShell command to import the required certificates
Follow Client Management: How to export and import objects in the console - INCLUDES VIDEO to import both and run it against the problem devices