Symptom

The Configuration Checker returns a failure on the check 'A WSUS Signing Certificate is in place and can be accessed by the user' with a detail of 'Error accessing the WSUS signing certificate. The certificate does not exist or your account does not have permission to access it.

Furthermore the Lenovo Patch.log file shows the following entries.

Cause

• The Configuration Manager console is not being run using the 'Run As Administrator' function.
• The WSUS Signing Certificate is not in the WSUS Certificate Store on the WSUS Server.
• The user account accessing Configuration Manager is not a member of the 'Full Administrator' role, '3rd Party Patch Administrator' role, or '3rd Party Patch Read Only User' role through either direct membership or Active Directory group membership.
• The user account accessing Configuration Manger is not a member of the 'WSUS Administrators' group on the WSUS Server through either direct membership or Active Directory group membership.
• 'WSUS Administrators' group on the WSUS Server does not have permissions to Launch, Activate, or Access the WSusCertServer Component Service.

Resolution

Verify the customer is running the Configuration Manager console using the 'Run As Administrator' function referenced in the "Always use 'Run As Administrator' when Launching the Console" Knowledge Base Article.

Verify the WSUS Signing Certificate is present in the WSUS Certificates store on the WSUS Server.

1. On the WSUS Server, right click 'Start' and select 'Run'.
2. In the Open prompt, enter certlm.msc.
3. In the list of Certificate Stores, navigate to WSUS > Certificates.
   
4. Verify appropriate Code Signing Certificate is present. To identify this certificate, review the Intended Purposes column for one listing Code Signing.

Ensure the user account accessing Configuration Manager membership to either the '3rd Party Patch Administrator' role, or '3rd Party Patch Read Only User' role, or the 'Full Administrator' role through either direct membership or Active Directory group membership.  Changing a Configuration Manager Security Role for a User or Group

Ensure the user account accessing Configuration Manger through direct membership or Active Directory group membership has been granted the Security Scope of 'All instances of the objects that are related to the assigned security roles.'  Changing the Configuration Manager Security Scope for a User or Group

Grant the user account accessing Configuration Manager membership to the 'WSUS Administrators' group on the WSUS Server through direct membership or Active Directory group membership.  Verifying the User is in the WSUS Administrators Group

Grant the 'WSUS Administrators' group on the WSUS Server the 'Allow' permission for 'Local Launch', 'Remote Launch', 'Local Activation', 'Remote Activation', 'Local Access', and 'Remote Access'.

1. On the WSUS Server, right click 'Start' and select 'Run'.
2. In the Open prompt, enter dcomcnfg
3. Press 'Shift' + 'Ctrl' + 'Enter' to elevate the command when executed.
4. If prompted by a UAC prompt, click 'Yes'.
5. In the 'Component Services' window, expand 'Component Services' > 'Computers' > 'My Computer' and click on 'DCOM Config'
   
6. In the center pane, scroll down to fine 'WSusCertServer' and right click on the icon.
7. In the context menu, select 'Properties'.
8. In the 'WSusCertServer Properties' window, click on the 'Security' tab.
   
9. In the 'Launch and Activation Permissions' section, select the 'Customize' option and click on the 'Edit' button.
10. From the list of groups or user names, choose 'WSUS Administrators'.
    
11. Set the 'Local Launch', 'Remote Launch', 'Local Activation', and 'Remote Activation' items to 'Allow'.
12. In the 'Access Permissions' section, select the 'Customize' option and click on the 'Edit' button.
13. From the list of groups or user names, choose 'WSUS Administrators'.
    
14. Set the 'Local Access' and 'Remote Access' items to 'Allow'.