Yeah, but I can't log in as it due to the fingerprint solution we have in place. It doesn't allow logins to the local machine, only the domain. So I guess I could boot into safe mode to try. Or, I can use the main MAIN domain admin since it's the same non-standard name as the initial local admin we use to set up the machine.
But I'd rather we use our "admin" accounts, which are special IT staff accounts that are also domain admins, rather than the generic main domain admin account. As it is, I have a workaround, kinda, but I'd rather find out what the issue is. If it's our domain causing a problem, that should be fixed!
It's nothing with the firewall. Stuff not on the domain on the inside network can update just fine. So it's definitely related to the domain and I guess the GPO. But why just .NET 4 updates? And only some of 'em? I started trolling through the event viewer and got a bunch of pain.
Found this in Event Viewer > Windows Logs: Application
2 identical entries that correspond to an update attempt.
EventID 513
EventSourceName Microsoft-Windows-CAPI2 aka CAPI2
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details: TraverseDir : Unable to FindFirstFile. System Error: Access is denied.
And nothing new here, this is Event Viewer > Windows Logs: System
EventID 20
EventSourceName WindowsUpdateClient
errorCode 0x80070643
updateTitle Security Update for Microsoft .NET Framework 4 on XP, Server 2003, Vista, Windows 7, Server 2008, Server 2008 R2 for x64 (KB2656368)
I don't get any of these events when trying the standalone patch installer.
I saw this random event in security but am unsure if it's related:
SceCli
EventID 1202
[ Qualifiers] 32768
0x4b8 : An extended error has occurred. Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".
It took a little while, but finally got events showing up in Event Viewer > Applications and Services Logs > Microsoft > Windows > CAPI2: Operational
The meat of it is I found this:
- [CertRejectedRevocationInfo]
[SubjectCertificate fileRef="8849D1C0F147A3C8327B4038783AEC3E06C76F5B.cer" subjectName="Microsoft Corporation" /]
[IssuerCertificate fileRef="FDD1314ED3268A95E198603BA8316FA63CBCD82D.cer" subjectName="Microsoft Code Signing PCA" /]
[CertificateRevocationList location="UrlCache" url="http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl" fileRef="F047D9EE59F574A90B91448C69A337CCFEB517DC.crl" issuerName="Microsoft Code Signing PCA" /]
- [Action name="IsCrlSignatureValid"]
[Error value="80090006"]Invalid Signature.[/Error]
[/Action]
So... why is the sig invalid on the domain but these install just fine not on the domain? I'm pretty sure I didn't set a GPO for "TotallyJack.NET4Certs" but a coworker might have...