Microsoft Windows Smart Components cannot be installed when Device Guard control policies are configured and enabled.

During execution of a Microsoft Windows Smart Component, a temp folder is created to extract the contents, and the installer is run from there. If the files have an invalid digital signature or are not digitally signed, the Code Integrity (CI) policy can block these modules from loading, causing firmware/driver/software update failures if these are not permitted under the current security policies. As a result, the Smart Component installation fails, and the device remains not updated.

This issue occurs due to invalid certificates: the signer for the installer is not on the CI policy signer list, or there are unsigned binaries/payload inside the installer package.

When msiexec is used to install or uninstall a Microsoft Standard Installer (MSI) package, the MSI file is modified, which invalidates and removes the original digital signature. This is an expected condition. On Windows Defender Application Control (WDAC) enforced systems, those unsigned extracted files will be blocked unless the files are re-signed or the policy is adjusted. Thus the operating system marks the Microsoft Standard Installer (MSI) signature as invalid.

For unsigned binaries, the component files were never signed; therefore, Microsoft Windows cannot verify the publisher identity or integrity.

Figure: Example of the error status code 0xc0e90002 for signature verification failure.

Figure: Example of installation failure for invalid digital signature files in the component.
Any HPE platform running Microsoft Windows Server with Device Guard control policies configured and enabled.

Note: This is applicable to all Microsoft Windows Server firmware/driver/software components.
To resolve this issue, perform either of the following procedures:

Procedure 1

Extract the cpxxxxx.exe into a destination folder, then scan the destination folder to create a supplemental policy and merge it into the base policy so that all signers are included in the active CI policy. Because some unsigned binaries or invalid installer packages (for example, an MSI package) cannot be trusted by the CI policy, these need to be allowed by hash in the policy.

For additional information, refer to the following Microsoft article: Microsoft Policy XML lifecycle management

OR

Procedure 2

1. Temporarily disable Device Guard/Credential Guard through Group Policy.
2. Reboot the server.
3. Execute the required Smart Components.
4. Re-enable Device Guard/Credential Guard after the updates are completed.

Disclaimer: One or more of the links above will take you outside the HPE website. HPE is not responsible for content outside of its domain.
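A sketch of Procedure 1 using the ConfigCI PowerShell cmdlets, added here as an illustration and not taken from the HPE advisory. All paths and file names are assumptions, and the component is assumed to have already been extracted into the destination folder.

```powershell
# Assumed locations (not from the advisory); adjust to your environment.
$Extracted  = 'C:\Temp\cpxxxxx'                   # folder the Smart Component was extracted into
$BasePolicy = 'C:\Policies\BasePolicy.xml'        # XML source of the active base CI policy
$ScanPolicy = 'C:\Policies\cpxxxxx-scan.xml'      # policy generated from the folder scan
$Merged     = 'C:\Policies\BasePolicy-merged.xml' # base policy plus the new rules
$Binary     = 'C:\Policies\BasePolicy-merged.bin' # compiled form used for deployment

# 1. List extracted files whose Authenticode status is not 'Valid'.
#    These are the unsigned or invalidly signed files that no signer rule
#    can cover and that must be allowed by hash. Plain data files also
#    appear in this list.
Get-ChildItem -Path $Extracted -Recurse -File |
    Get-AuthenticodeSignature |
    Where-Object Status -ne 'Valid' |
    Select-Object Path, Status |
    Format-Table -AutoSize

# 2. Scan the folder. Signed files get a Publisher-level signer rule;
#    files that cannot be trusted by signature fall back to a Hash rule.
New-CIPolicy -ScanPath $Extracted -Level Publisher -Fallback Hash `
    -UserPEs -FilePath $ScanPolicy

# 3. Merge the scan result into the base policy so the component's
#    signers and hashes are part of the active CI policy.
Merge-CIPolicy -PolicyPaths $BasePolicy, $ScanPolicy -OutputFilePath $Merged

# 4. Compile the merged XML to binary form.
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary
```

Review the generated rules in the scan policy XML before merging, and deploy the compiled policy through the same mechanism used for the existing base policy.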
Operating Systems Affected: Microsoft Windows Server 2016, Microsoft Windows Server 2019, Microsoft Windows Server 2022, Microsoft Windows Server 2025, Microsoft Windows Storage Server 2016