Update: 8/14/2007 4:00 pm
KB 941440 has been published for this issue. Please reference the KB for more complete information regarding this issue.
You may access the KB via this link: http://support.microsoft.com/kb/941440/en-us
With the pending deployment of the August CAB file, an issue has been identified for Windows 2000 systems that did not receive the Root Certificate Update originally released in September of 2006 through the Windows Update site. Windows 2000 systems without this Root Certificate Update will not be able to scan against the valid CAB file for August.
Because this update was not released as a Security Update, Update Rollup, or Service Pack, it was not of an update type distributed by the ITMU tool.
The following sequence may be observed in the affected client's WindowsUpdate.log:
2007-08-11 13:05:22:291 652 4e0 Misc WARNING: Error: 0x800b0109 when verifying trust for D:\WINNT\SoftwareDistribution\ScanFile\498d12b1-5a70-4bf4-af7a-161e9c458e46\Source.cab
2007-08-11 13:05:22:291 652 4e0 Misc WARNING: Digital Signatures on file D:\WINNT\SoftwareDistribution\ScanFile\498d12b1-5a70-4bf4-af7a-161e9c458e46\Source.cab are not trusted: Error 0x800b0109
2007-08-11 13:05:22:291 652 4e0 OfflSnc WARNING: failed to verify signature for offline cab. hr = 0x800b0109
2007-08-11 13:05:22:501 652 4e0 PT WARNING: PTError: 0x800b0109
2007-08-11 13:05:22:501 652 4e0 Agent WARNING: WU client fails CClientCallRecorder::OpenOfflineSyncSource with error 0x800b0109
2007-08-11 13:05:22:501 1128 4a4 COMAPI WARNING: ISusInternal::OpenOfflineSyncSource failed, hr=800B0109
Cause: This issue occurs when Windows 2000 clients lack the Root Certificate Update needed to verify the signature on the CAB file for August and subsequent months, which the ITMU relies on. This issue only affects Windows 2000 systems without this update. It does not affect Windows XP, Windows 2003 or Windows Vista systems.
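Added example (not part of the original post and not Microsoft tooling): a Python triage function that scans WindowsUpdate.log text collected from clients for the sequence shown above and groups it into one incident per CAB file. 0x800b0109 is CERT_E_UNTRUSTEDROOT, meaning the signing chain ends in a root the client does not trust. The function name and the last sample line are constructed for illustration.

```python
import re

CERT_E_UNTRUSTEDROOT = 0x800B0109  # chain ends in a root that is not trusted

# Sample input: four lines of the sequence quoted above, plus one
# constructed line with a different HRESULT to show it is filtered out.
SAMPLE_LOG = r"""
2007-08-11 13:05:22:291 652 4e0 Misc WARNING: Error: 0x800b0109 when verifying trust for D:\WINNT\SoftwareDistribution\ScanFile\498d12b1-5a70-4bf4-af7a-161e9c458e46\Source.cab
2007-08-11 13:05:22:291 652 4e0 OfflSnc WARNING: failed to verify signature for offline cab. hr = 0x800b0109
2007-08-11 13:05:22:501 652 4e0 Agent WARNING: WU client fails CClientCallRecorder::OpenOfflineSyncSource with error 0x800b0109
2007-08-11 13:05:22:501 1128 4a4 COMAPI WARNING: ISusInternal::OpenOfflineSyncSource failed, hr=800B0109
2007-08-11 13:09:40:000 652 4e0 Misc WARNING: constructed unrelated failure, hr = 0x80072ee2
"""

# date, time (milliseconds dropped), pid, tid, component, message
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2}):\d{3}\s+"
                  r"(\d+)\s+([0-9a-f]+)\s+(\S+)\s+(.*)$", re.I)
# HRESULTs appear as "0x800b0109" and as "hr=800B0109"; requiring one of those
# prefixes keeps 8-hex-digit GUID fragments in paths from matching.
HRESULT = re.compile(r"(?:0x|hr\s*=\s*)(?:0x)?([0-9a-f]{8})\b", re.I)
CAB = re.compile(r"([A-Za-z]:\\.*?\.cab)\b", re.I)

def find_untrusted_root_failures(log_text):
    """Return one incident per CAB whose signature failed with CERT_E_UNTRUSTEDROOT."""
    incidents = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        date, time, _pid, _tid, component, msg = m.groups()
        hr = HRESULT.search(msg)
        if not hr or int(hr.group(1), 16) != CERT_E_UNTRUSTEDROOT:
            continue
        cab = CAB.search(msg)
        path = cab.group(1) if cab else None
        # Start a new incident on the first hit, or when a different CAB is named.
        if not incidents or (path and incidents[-1]["cab"] not in (None, path)):
            incidents.append({"first_seen": f"{date} {time}", "cab": path,
                              "components": [], "offline_scan_blocked": False})
        inc = incidents[-1]
        inc["cab"] = inc["cab"] or path
        if component not in inc["components"]:
            inc["components"].append(component)
        # The offline catalog could not be opened at all, so no scan ran.
        inc["offline_scan_blocked"] |= "OpenOfflineSyncSource" in msg
    return incidents
```

Clients that report an incident with offline_scan_blocked set are the ones that need the Root Certificate Update before their compliance data can be trusted.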
What you need to do:
To ensure your Windows 2000 systems are able to utilize the August and subsequent wsusscn2.cab files:
· Download the Root Certificate Update and distribute it via Software Distribution to your Windows 2000 clients before leveraging SMS with ITMU for August Patch Compliance.
1) Download the update from the Microsoft Update Catalog (http://catalog.update.microsoft.com/v7/site/Home.aspx).
a) In the search box enter the updateID: d1b4fccb-384d-489e-a709-845116887f36
b) Add the Root Certificates Update to your basket and then view the basket and download. You can click on the Root Certificates Update itself to access details about it.
2) Distribute the Root Certificate update via Software Distribution to your Windows 2000 Clients.
a) Create a standard Software Distribution Package using the downloaded Update as the source file.
b) The command line should be the downloaded executable:
X86-all-rootsupd_fe44934fd80dd11fec2f0f9b24431658a4f6d589.exe /q:a /r:n
The noted switches are those taken from the XML file utilized when installing directly from Windows Update.
c) The installation is silent and does not require a reboot.
d) It is preferable to target only your Windows 2000 clients; however, distribution to non-2000 clients should not be problematic. Windows XP and later operating systems already have the updated Root Certificate List in place.
· The installation process produces no logs of its own, so you will need to rely on the SMS client logs or the Advertisement and Package status messages.
Once this update has been deployed, your Windows 2000 clients will be ready to scan against the August and subsequent ITMU-leveraged CAB files.
Source With the pending deployment of the August Cab file an issue has been identified for Windows 2000
Didn't have this issue on a W2KSP4 computer sitting just in front of me. It received the brand new version of the cab file yesterday, it was signed with the same certificate and the cert for the root authority didn't change as well (same thumbprint).
Nothing in the ITMU log indicates that there was an issue during the scan.
The new root cert wasn't installed on this machine, the reg key described in the MS note is not present on the machine.
Looking on my XPSP2 machine I can find a MS root cert that doesn't exist on the W2K machine and that is included in the X86-all-rootsupd_fe44934fd80dd11fec2f0f9b24431658a4f6d589.exe package.
The thumbprint for this cert is cd d4 ee ae 60 00 ac 7f 40 c3 80 2c 17 1e 30 14 80 30 c0 72.
Excerpt from Scanwrapper.log file:
Processing ["C:\WINNT\system32\VPCache\DCC0003B\SmsWusHandler.exe" /Catalog:C:\WINNT\system32\VPCache\DCC0003B\wsusscn2.cab /OutputXml:C:\WINNT\system32\VPCache\DCC0003B\Results.xml] with CurrentDir=[C:\WINNT\system32\VPCache\DCC0003B] Software Updates Scan Tool 8/15/2007 1:00:07 PM 2380 (0x094C)
Patch information from C:\WINNT\system32\VPCache\DCC0003B\Results.xml - Software Updates Scan Tool 8/15/2007 1:01:52 PM 2380 (0x094C)
Product = Windows 2000, BulletinTitle = Security Update for Internet Explorer 6 Service Pack 1 (KB938127) Software Updates Scan Tool 8/15/2007 1:01:52 PM 2380 (0x094C)
Added new Win32_ScanPackageVersion instance with ID=DCC0003B, Ver=63, Type=Microsoft Update, Time=20070815130158.000000+*** Software Updates Scan Tool 8/15/2007 1:01:58 PM 2380 (0x094C)
Scan process complete. Software Updates Scan Tool 8/15/2007 1:01:58 PM 2380 (0x094C)
Does anyone confirm that he's got this issue?