In Windows Server 2003, some valid Microsoft files may have to be manually whitelisted even though they may have a valid publisher. If any publisher trust issues are encountered, follow the steps below to resolve them:

  1. Right-click on the untrusted executable or the library and click Properties

  2. Navigate to the tab Digital Signatures

  3. Select the signature displayed in the list. Click Details. It may take a few minutes for the pop-up window to be displayed. The error information is displayed in the pop-up window

  4. Scenario 1:

    1. Error Message: The integrity of the certificate that signed this file cannot be guaranteed

    2. Possible Cause: The host is missing the Knowledge Base patch that adds SHA2 support

    3. Recommended Action: This file must be allowlisted on CMS manually. Alternatively, the Knowledge Base Patch can be installed. Follow the steps in Section SHA2 Certificates

  5. Scenario 2:

    1. Error Message: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust publisher

    2. Possible Cause: The root certificate for this executable has not been added

    3. Recommended Action: Follow the steps in Section Root Certificate Addition

  6. Scenario 3:

    1. Error Message: This digital signature is OK (But, the publisher is not listed in VSP)

    2. Possible Cause: The root certificate is installed in the wrong store

    3. Recommended Action: Follow the steps in Section Certificate Installed in Wrong Store

  7. Scenario 4:

    1. Error Message: The certificate may be corrupted or may have been altered

    2. Possible Cause: Windows Server 2003 does not natively support SHA2 certificates. Microsoft deprecated the signing of SHA1 Root certificates a few years ago. So, newer executables that are signed with SHA2 cannot be authenticated by Windows Server 2003 unless a Knowledge Base patch is installed on the server.

    3. Recommended Action: Follow the steps in Section SHA2 Certificates
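The check in steps 1 to 3 can also be scripted. The following is an added example, not part of the product documentation: it reads the file's Authenticode signature, rebuilds the certificate chain and reports the chain errors and signature algorithms that separate the SHA2 scenarios from the untrusted-root scenario. It assumes PowerShell 2.0 or later is installed on the host; the script name and the `-Path` parameter are illustrative.

```powershell
# Check-PublisherTrust.ps1 (hypothetical name): scripted form of steps 1-3.
# Assumption: PowerShell 2.0 or later is available on the host.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # executable or library reported as untrusted
)

$x509 = 'System.Security.Cryptography.X509Certificates'
# OIDs of the RSA SHA2 signature algorithms (sha256RSA, sha384RSA, sha512RSA).
# The OID is compared instead of the friendly name because a host without
# SHA2 support may not resolve the name.
$sha2Oids = '1.2.840.113549.1.1.11', '1.2.840.113549.1.1.12', '1.2.840.113549.1.1.13'

$sig = Get-AuthenticodeSignature -FilePath $Path
"File          : $Path"
"Status        : $($sig.Status)"
"StatusMessage : $($sig.StatusMessage)"

if ($sig.SignerCertificate -eq $null) {
    "No signer certificate was found in the file."
    return
}

# Rebuild the chain locally. Revocation checking is turned off so that an
# offline host does not add unrelated errors to the result.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
"Chain builds  : $($chain.Build($sig.SignerCertificate))"

# List every certificate in the chain with its signature algorithm OID.
$usesSha2 = $false
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $oid  = $cert.SignatureAlgorithm.Value
    if ($sha2Oids -contains $oid) { $usesSha2 = $true }
    "  {0}  alg={1}  {2}" -f $cert.Thumbprint, $oid, $cert.Subject
}

# Report each chain error and collect the flags for the hints below.
$flags = @()
foreach ($s in $chain.ChainStatus) {
    $flags += $s.Status
    "  Chain error: $($s.Status) - $($s.StatusInformation.Trim())"
}

if ($flags -contains 'UntrustedRoot') {
    "Hint: the root is not trusted on this host; compare with Scenario 2."
}
if ($usesSha2 -and $sig.Status -ne 'Valid') {
    "Hint: the chain uses SHA2 and did not validate; compare with Scenarios 1 and 4."
}
```

The hints only narrow down which scenario to look at; the error text shown in the Details window remains the reference for choosing the recommended action.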