Invalid certificate signature in ConfigMgr Software Update ADR (2309)

Hi.

We are getting the following error in "PatchDownloader.log" when attempting to download the latest January 2024 CU and feature updates (23H2) for Windows 11 on the site server (through ADR):

Authentication of file C:\WINDOWS\TEMP\CAB2BC8.tmp.cab failed, error 0x800b0004.

And in ConfigMgr console:

Invalid certificate signature (0X80073633)

Attempting to download the file manually from a browser on the site server results in "NET::ERR_CERT_COMMON_NAME_INVALID", as it points to an Akamai CDN of some sort (this error does NOT appear on other servers/clients). Not sure if this is part of what the site server validates during patch download, but continuing manually past the certificate error in the browser leads to another error:

Our services aren't available right now
We're working to restore all services as soon as possible. Please check back soon.
0Hlu3ZQAAAAAFiFHUfJk7RI/HjL44V91yU1RPRURHRTEyMTAARWRnZQ==

Is some part of our ConfigMgr site not validating CDN-downloaded cabs after January, or is some part of Microsoft's CDN configured wrong? Or does this CDN possibly have a corrupt version of the file? Can we reset the CDN used by the patch downloader in some way, so it could try a different server?

This is one of the cabs in question:

http://dl.delivery.mp.microsoft.com/filestreamingservice/files/6154c6f8-b347-4928-8d96-8d185ef53f55/...

I have also tried importing the code signing certificate in the CAB-file manually to "Trusted Publishers" and "Trusted Root Certification Authorities", but it has had no effect.

Other things I have tried:

- Deleting update source files so it redownloads them (the download does seem fine; maybe only the code validation is failing?)

- Flushing DNS on site server and rebooting (in an attempt to change CDN server if that could be the cause).
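A check worth running on the site server before blaming the CDN: 0x800B0004 is TRUST_E_SUBJECT_NOT_TRUSTED, a WinVerifyTrust verdict on the cab's own Authenticode signature, so it is independent of any TLS certificate on the CDN host (the file URL above is plain http; the browser warning comes from a separate https request). Running the same verification by hand, with the chain built explicitly, tells you whether the bytes differ from what was signed (a corrupt download), whether the signer's chain cannot be built on this machine (missing intermediate, expired or revoked certificate, bad system time) or whether the file simply carries no signature. The PowerShell below is an added example, not code from the original post or from ConfigMgr; the cab path is a hypothetical placeholder, and it assumes you have copied one of the failing `.tmp.cab` files out of `C:\Windows\Temp` before PatchDownloader cleans it up.

```powershell
# Added example: verify an update cab the way PatchDownloader does (WinVerifyTrust via
# Get-AuthenticodeSignature) and build the signer's chain explicitly to see why it fails.
function Test-UpdateCabTrust {
    param(
        [Parameter(Mandatory)]
        [string] $CabPath
    )

    if (-not (Test-Path -LiteralPath $CabPath)) {
        throw "File not found: $CabPath"
    }

    # Hash of the bytes actually on disk. Compare with the hash of the same file fetched on
    # a machine that does not show the error: a mismatch means a corrupt or different download.
    $hash = (Get-FileHash -LiteralPath $CabPath -Algorithm SHA256).Hash

    # Authenticode verification of the file itself (embedded signature for a cab).
    $sig = Get-AuthenticodeSignature -LiteralPath $CabPath

    $chainResult = $null
    if ($sig.SignerCertificate) {
        # Build the chain as the OS does, with online revocation checking for every element
        # and the code-signing EKU required, so each failure reason shows up in ChainStatus.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
        $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null

        $built = $chain.Build($sig.SignerCertificate)
        $chainResult = [pscustomobject]@{
            Built    = $built
            Status   = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
            Elements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        }
    }

    [pscustomobject]@{
        File          = $CabPath
        Sha256        = $hash
        SignatureType = $sig.SignatureType          # Embedded, Catalog or None
        Status        = $sig.Status                 # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        Issuer        = $sig.SignerCertificate.Issuer
        SignerExpires = $sig.SignerCertificate.NotAfter
        TimeStamper   = $sig.TimeStamperCertificate.Subject
        Chain         = $chainResult
    }
}

# Hypothetical path; copy a failing cab out of C:\Windows\Temp before it is deleted.
Test-UpdateCabTrust -CabPath 'C:\Temp\failing-update.cab' | Format-List
```

How to read the result: `HashMismatch` means the file content no longer matches the signed digest, which points at a corrupt or truncated download rather than at any certificate store, so importing the signer's certificate cannot help. `NotSigned` or `SignatureType = None` means the file carries no Authenticode signature at all, which also matches a CDN returning an HTML error page instead of the cab. `NotTrusted` or `UnknownError` with `Chain.Built = $false` is the case where the chain output matters: a `RevocationStatusUnknown` or `OfflineRevocation` entry indicates the server cannot reach the CRL/OCSP endpoints, `NotTimeValid` indicates an expired certificate or wrong system clock, and `PartialChain` indicates a missing intermediate that a normal machine would fetch via AIA. Running the same function on another server and diffing the two outputs isolates what is specific to the site server.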

2 Replies
Any luck with this? I am getting this issue with only some updates. I've had the issue for about a month.

@Fahid-S-Business 

Unfortunately not.

We moved our client update workload to pure Intune instead, and migrated servers to Azure Arc.


Still have to update base Windows images and M365 Apps in ConfigMgr manually, as we still use it for bare-bones installs and software deployment.