Software Vulnerability Manager’s automatic package publishing requires the Flexera Software Vulnerability Manager Patch Daemon service installed on your WSUS server. This service periodically checks your SVM server or SVM Cloud for subscribed packages and checks if any are available to publish.

TIP: You can set the frequency of these checks in Patch Publisher by following the steps in Connect SVM in the SVM Patch Publisher. 

The Patch Daemon requires the user to be a member of the local administrators and WSUS administrators groups on the WSUS server. If the user account running the path daemon service is not a member of these groups, errors occur like the following:

[10/03/2021 14:27:20|V] --- Stack Trace Begins (0) ---
InvalidOperationException: Failed to sign package; error was: 2147942405
at Microsoft.UpdateServices.Internal.BaseApi.Publisher.SignPackageCab(Boolean dualSign, String httpTimeStamp)
at Microsoft.UpdateServices.Internal.BaseApi.Publisher.PublishPackage(String sourcePath, String additionalSourcePath, String packageDirectoryName, Boolean dualSign, String httpTimeStamp)
at Microsoft.UpdateServices.Internal.BaseApi.Publisher.PublishPackage(String sourcePath, String packageDirectoryName)
at System.Threading.Tasks.Task.Execute()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Flexera.SVM.Patch.Daemon.WsusApi.PublishPackageAsync()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Flexera.SVM.Patch.Daemon.PublishPackageWorkItem.PublishPackageAsync()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Flexera.SVM.Patch.Daemon.DaemonWorkItem.ExecuteTasks()
--- Stack Trace Ends ---

Solution

To resolve this issue, add your Flexera Software Vulnerability Manager Patch Daemon service account user to local administrators and WSUS administrators groups on your WSUS server. 

Workaround if unable to add users to local administrators

Some security policies may only allow you to add users to the WSUS administrators but not the local administrator's group. In this situation, administrators can give service user accounts full control over certain items to allow for package publishing. To do this, follow the steps below.

• Registry

1. Open Windows Registry Editor on the WSUS machine.
2. Navigate to each HKEY below:

HKEY_LOCAL_MACHINE\Software\Flexera
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
HKLM\Software\Microsoft\SystemCertificates\Disallowed
HKLM\Software\Microsoft\Update Services\Server\Setup
HKLM\SOFTWARE\Classes\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B}

The next steps must be done on each HKEY individually.

1. Right-click on the HKEY and select Permissions.
2. Select Add… then add a service account user.
3. Select Allow next to Full Control. Then, select Apply.

• Windows Explorer

1. Open Windows Explorer.
2. Go to the following locations:

C:\ProgramData\Microsoft\Crypto
C:\ProgramData\Flexera Software\SVM Patch

The next steps must be done on each location individually.

1. Right-click on Properties, then select Security.
2. Select the service user account you want to allow package publishing for.
3. Select Allow next to Full Control. Then, select Apply.

• Shares and groups

1. Open Local Users and Groups.
2. Add the service user account to WSUS administrators. WSUS administrators need full access to the WSUS content location, including Share and NTFS.

• DCOM (Distributed Component Object Model)

1. Open DCOMCNFG and go to Component Services > Computers > My Computer > DCOM Config.
2. Modify the WSUSCertServer security settings:
   1. Launch and Activation permissions: Give Local Launch and Local Activation rights to WSUS administrators group/your service user.
   2. Access permissions: Give Local Access rights to WSUS administrators group/your service user.
3. Reboot the device.