Agent and console startup
In rare cases, after upgrading to version 6.5, the ACMP agent or console may fail to start.
The following section lists the possible causes of the failure and the solutions available so that the agent or console can start again without errors.
Error: The console or agent fails to start after upgrading to ACMP version 6.5.
Initial situation
ACMP version 6.5.0 now includes certificate validation. This means that systems with outdated certificates will prevent the ACMP Console or ACMP Agent from starting after updating to 6.5.0. If this is the case for you, the cause may be an outdated root certificate, a root certificate classified as untrusted, or an outdated cross-signature.
If you have experienced one of these problems, it may be because of a group policy that prevents automatic certificate updates.
Here we explain how to check in advance whether the startup problem is due to invalid certificates and how to change the group policy that prevents automatic certificate updates, if necessary. We also show you a manual solution that allows you to export certificates from a device with valid certificates and import them to the affected system.
Follow these steps:
Solution 1: Check the certificates to make sure they are valid.
1. Go to the ACMP Client folder, which is located in the Program Files (x86) folder, and right-click on ACMPClientService.exe to open its properties.
2. Then, switch to the Digital Signatures tab.
3. Double-click on the certificate. If the certificate is valid, you'll see a message in the General section.
Checking the certificate status
If the certificate is displayed as invalid, this is often due to an invalid root certificate in the certification path. You should also check the status of the root certificate.
1. Follow steps 1-3 above.
2. In the Signature Information area, click View Certificate.
Display root certificate
3. In the new window, click on the Certification Path tab.
4. You can now see the whole certification path. This includes the origin of the root certificate and the status of the certificate.
Check the status of the root certificate
Also, the counter-signature must be valid.
1. Follow steps 1-3 from the previous section.
2. Double-click on the certificate under Counter-signatures.
3. In the Signature Information area, click View Certificate.
4. In the new window that opens, click on the Certification Path tab.
5. You can now see the whole certification path of the counter-signature, including its origin and status.
Check the status of the counter signature
These certificate checks apply to ACMPClientService.exe. To perform a complete check, you must repeat the process for the following files, which are also located in the ACMP Client directory: "C:\Program Files (x86)\ACMP Client\".
File |
---|
Sectigo - Aagon.Core.AgentUninstall.dll |
Entrust (2048) - Aagon.CustomImages.ClientModule.dll |
GlobalSign Root CA - R6 - Aagon.Defender.Management.ClientModule.dll |
Sectigo (AAA) - libcryptop-1_1.dll |
Sectigo - libcryptop-1_1.dll |
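The manual checks from Solution 1 can also be scripted. The following PowerShell is an added example, not part of the original instructions or of Aagon's tooling; it goes beyond the listed files by checking every .exe and .dll in the folder, and assumes the default installation path given above.

```powershell
# Added example (not Aagon tooling). Read-only: it changes nothing on the system.
# Assumption: default install path as given on the page.
$clientDir = 'C:\Program Files (x86)\ACMP Client'

function Get-ChainSummary {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if ($null -eq $Certificate) { return 'not present' }
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Evaluate against the local certificate stores only; no online revocation lookups.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # A signing certificate may expire after signing (the timestamp covers that), so
    # expiry does not fail the chain here; the top certificate's expiry date is printed.
    $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    $trusted = $chain.Build($Certificate)
    if ($chain.ChainElements.Count -eq 0) { return 'no chain could be built' }
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $kind  = if ($top.Subject -eq $top.Issuer) { 'root' } else { 'ROOT MISSING, chain ends at' }
    $state = if ($trusted) { 'trusted' } else { "NOT trusted [$flags]" }
    '{0}; {1} "{2}" (expires {3:yyyy-MM-dd})' -f $state, $kind,
        $top.GetNameInfo('SimpleName', $false), $top.NotAfter
}

$report = Get-ChildItem -Path (Join-Path $clientDir '*') -Include *.exe, *.dll -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File             = $_.Name
            Status           = $sig.Status   # Windows' overall verdict for the signature
            StatusMessage    = $sig.StatusMessage
            SignerChain      = Get-ChainSummary $sig.SignerCertificate
            # TimeStamperCertificate is the certificate behind the counter-signature.
            CounterSignature = Get-ChainSummary $sig.TimeStamperCertificate
        }
    } | Where-Object { $_.Status -ne 'NotSigned' }

$report | Format-List
$bad = @($report | Where-Object { $_.Status -ne 'Valid' })
"{0} signed file(s) checked, {1} without a valid signature" -f @($report).Count, $bad.Count
```

A file whose Status is not Valid, or whose chain is reported as not trusted or missing its root, corresponds to an invalid entry in the manual check.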
If all these certificates are valid, then the startup problem with the console or agent has other causes.
However, if these certificates are invalid, you have two options.
Solution 2: Check the registry key and change the group policy if necessary.
In this problem case, the following registry key is usually set:
1. Go to "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot" and change the setting for "DisableRootAutoUpdate" to "1".
2. In the Group Policy Editor, navigate to Administrative Templates > System > Internet Communication Management > Internet Communication Settings.
Open the Group Policy Editor
3. Double-click to open the settings for the GPO Turn off Automatic Root Certificates Update.
4. Select the Disabled option. This setting enables automatic certificate updates.
Change the group policy setting to “Disabled”
5. You may need to restart the system for the ACMP Client service to start again.
Solution 3: Export and import valid certificates manually.
You can also try a manual fix. Export the valid certificates from one device and import them to the affected system.
1. To generate an SST file from Windows Update (WU), run the following command as an administrator: certutil.exe -generateSSTfromWU c:\temp\root.sst
2. Then, run the following command in an administrative PowerShell on the affected device: The path to the certificate is "Cert:\LocalMachine\Root" and the file path is "C:\temp\root.sst".
3. You may need to restart the system for the ACMP client service to start again.