https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/troubleshooting-azure-code-signing/m-p/1246287#M9032 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/989505425">@clairehar557ris</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for the response.</P> <P>&nbsp;</P> <P>Since March 2023, Microsoft has required security vendors to sign binaries using Microsoft Trusted Signing (formerly known as Azure Code Signing or ACS). Consequently, all Cortex XDR agent versions released after this date require endpoints to have specific Microsoft Windows patches to validate these signatures.</P> <P>&nbsp;</P> <H4>Prerequisite Details</H4> <P><STRONG>Required Patch:</STRONG><BR />Microsoft KB5022661 or any newer cumulative update that includes its contents.</P> <P><STRONG>Affected Systems:</STRONG><BR />This primarily impacts legacy systems including:</P> <UL> <LI> <P>Windows 10 (older versions)</P> </LI> <LI> <P>Windows 7 SP1 (requires an extended support license to install the patch)</P> </LI> <LI> <P>Windows Server 2008 R2 SP1, 2012, 2012 R2, 2016, and 2019</P> </LI> </UL> <P><STRONG>Note:</STRONG><BR />Windows 11 machines have this support pre-installed and are generally unaffected.</P> <H4>Symptoms of Missing Prerequisite</H4> <P>If the required patch or cumulative update is missing, Cortex XDR agent installations or upgrades will fail with the following indicators:</P> <UL> <LI> <P><STRONG>Error Message:</STRONG><BR />“Cortex XDR requires Azure Code Signing support. See Microsoft KB5022661 for details”</P> </LI> <LI> <P><STRONG>Console Error:</STRONG><BR />The upgrade status may show as <STRONG>Failed</STRONG> with an <STRONG>Installer timed out</STRONG> error</P> </LI> <LI> <P><STRONG>MSI Error:</STRONG><BR />Log files typically record MSI error code <STRONG>1603</STRONG></P> </LI> </UL> <H4>Resolution and Workarounds:</H4> <P><STRONG>Apply Cumulative Updates:</STRONG><BR />Ensure the endpoint is updated with the latest Microsoft security quality updates. If KB5022661 is not found individually in the Microsoft Update Catalog, it has been superseded by more recent cumulative updates.</P> <P><STRONG>Verify Installation:</STRONG><BR />You can verify whether the patch is present by running the following command in an elevated command prompt:</P> <PRE><CODE>wmic qfe get hotfixid | find "KB5022661" </CODE></PRE> <P><STRONG>Bypass Flag (Critical Environment Agents Only):</STRONG><BR />For environments where patching is not possible, Critical Environment (CE) agent versions (specifically 7.9.103-CE and 8.3-CE) allow a bypass.</P> <P>Perform a fresh installation using the following MSI flag:</P> <PRE><CODE>msiexec /i &lt;installer.msi&gt; NO_ACS_SUPPORT=1 </CODE></PRE> <P><STRONG>Limitation:</STRONG><BR />This flag cannot be used for upgrades; a clean reinstallation is required. Standard agent versions (for example, version 8.7) ignore this flag and will still fail if the required patch is missing.</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Happy New year!!</P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Thu, 22 Jan 2026 16:16:33 GMT susekar 2026-01-22T16:16:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/troubleshooting-azure-code-signing/m-p/1245029#M9027 <P>Hello,</P> <P>&nbsp;</P> <P>With recent Cortex XDR updates, Microsoft KB5022661 is now a prerequisite for many legacy Windows systems. If your endpoints are missing this, upgrades will fail.</P> Wed, 07 Jan 2026 06:10:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/troubleshooting-azure-code-signing/m-p/1245029#M9027 clairehar557ris 2026-01-07T06:10:06Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/troubleshooting-azure-code-signing/m-p/1246287#M9032 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/989505425">@clairehar557ris</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for the response.</P> <P>&nbsp;</P> <P>Since March 2023, Microsoft has required security vendors to sign binaries using Microsoft Trusted Signing (formerly known as Azure Code Signing or ACS). Consequently, all Cortex XDR agent versions released after this date require endpoints to have specific Microsoft Windows patches to validate these signatures.</P> <P>&nbsp;</P> <H4>Prerequisite Details</H4> <P><STRONG>Required Patch:</STRONG><BR />Microsoft KB5022661 or any newer cumulative update that includes its contents.</P> <P><STRONG>Affected Systems:</STRONG><BR />This primarily impacts legacy systems including:</P> <UL> <LI> <P>Windows 10 (older versions)</P> </LI> <LI> <P>Windows 7 SP1 (requires an extended support license to install the patch)</P> </LI> <LI> <P>Windows Server 2008 R2 SP1, 2012, 2012 R2, 2016, and 2019</P> </LI> </UL> <P><STRONG>Note:</STRONG><BR />Windows 11 machines have this support pre-installed and are generally unaffected.</P> <H4>Symptoms of Missing Prerequisite</H4> <P>If the required patch or cumulative update is missing, Cortex XDR agent installations or upgrades will fail with the following indicators:</P> <UL> <LI> <P><STRONG>Error Message:</STRONG><BR />“Cortex XDR requires Azure Code Signing support. See Microsoft KB5022661 for details”</P> </LI> <LI> <P><STRONG>Console Error:</STRONG><BR />The upgrade status may show as <STRONG>Failed</STRONG> with an <STRONG>Installer timed out</STRONG> error</P> </LI> <LI> <P><STRONG>MSI Error:</STRONG><BR />Log files typically record MSI error code <STRONG>1603</STRONG></P> </LI> </UL> <H4>Resolution and Workarounds:</H4> <P><STRONG>Apply Cumulative Updates:</STRONG><BR />Ensure the endpoint is updated with the latest Microsoft security quality updates. If KB5022661 is not found individually in the Microsoft Update Catalog, it has been superseded by more recent cumulative updates.</P> <P><STRONG>Verify Installation:</STRONG><BR />You can verify whether the patch is present by running the following command in an elevated command prompt:</P> <PRE><CODE>wmic qfe get hotfixid | find "KB5022661" </CODE></PRE> <P><STRONG>Bypass Flag (Critical Environment Agents Only):</STRONG><BR />For environments where patching is not possible, Critical Environment (CE) agent versions (specifically 7.9.103-CE and 8.3-CE) allow a bypass.</P> <P>Perform a fresh installation using the following MSI flag:</P> <PRE><CODE>msiexec /i &lt;installer.msi&gt; NO_ACS_SUPPORT=1 </CODE></PRE> <P><STRONG>Limitation:</STRONG><BR />This flag cannot be used for upgrades; a clean reinstallation is required. Standard agent versions (for example, version 8.7) ignore this flag and will still fail if the required patch is missing.</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Happy New year!!</P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Thu, 22 Jan 2026 16:16:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/troubleshooting-azure-code-signing/m-p/1246287#M9032 susekar 2026-01-22T16:16:33Z