An error occurred while extracting the certificate from WSUS: Access is denied
Topics covered in this article:
Determine if You are Affected
Publishing may fail on Server 2012 / 2016 with the following error message in the PatchMyPC.log:
An error occurred while extracting the certificate from WSUS: C:\Users\Username\AppData\Local\Temp\PMP-tempfolder\randomfolder.tmp : Access is denied
Failed to extract the certificate from WSUS Message
This error can be caused by a lack of permissions on the WSUSCertServer Service.
Workaround
- Add the Computer account of the Server that the Patch My PC Publisher is installed to the “WSUS Administrators” Group
- Open Regedit and navigate to “HKEY_CLASSES_ROOT\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B}”
- Right Click that key, select Permissions, then click Advanced.
- At the top of the Advanced Permissions window, change the Owner to “WSUS Administrators” and Click OK
- While in this properties window, also ensure that Administrations and SYSTEM have full control of that registry key
- In order to complete this step “Administrators” may need to be made the owner before adding the “Full Control” permissions. Once the “Full Control” permissions are added, set the owner back to “WSUS Administrators”
- In order to complete this step “Administrators” may need to be made the owner before adding the “Full Control” permissions. Once the “Full Control” permissions are added, set the owner back to “WSUS Administrators”
- Start dcomcnfg.exe as Administrator
- In the Tree select “Component Services” ->”My Computer” -> “DCOM Config”
- Scroll down and right click on WSusCertServer and click “Properties”, and navigate to the “Security” Tab
- Click “Customize” under “Launch and Activation Permissions” then click “Edit”
- Ensure “Local Launch”, “Remote Launch”, “Local Activation”, and “Remote Activation” are enabled for the following accounts: “WSUS Administrators”, “SYSTEM”, and “Administrators”
- Ensure “Local Launch”, “Remote Launch”, “Local Activation”, and “Remote Activation” are enabled for the following accounts: “WSUS Administrators”, “SYSTEM”, and “Administrators”
- Click “Customize” under “Access Permissions” then click “Edit”
- Ensure “Local Access” and “Remote Access” are enabled for the following accounts: “WSUS Administrators”, “SYSTEM”, and “Administrators”
- Ensure “Local Access” and “Remote Access” are enabled for the following accounts: “WSUS Administrators”, “SYSTEM”, and “Administrators”
- Click “Customize” under “”Configuration Permissions” then click “Edit”
- Ensure the following accounts have “Full Control”: “WSUS Administrators”, “SYSTEM”, and “Administrators”
- Ensure the following accounts have “Full Control”: “WSUS Administrators”, “SYSTEM”, and “Administrators”
- Restart the WSUSCertServer Service from Services.msc
Published On December 02, 2021