Troubleshooting Azure Code Signing


L0 Member

Hello,

 

With recent Cortex XDR updates, Microsoft KB5022661 is now a prerequisite for many legacy Windows systems. If your endpoints are missing this, upgrades will fail.

1 REPLY

L3 Networker

Hello @clairehar557ris ,

 

Thank you for the response.

 

Since March 2023, Microsoft has required security vendors to sign binaries using Microsoft Trusted Signing (formerly known as Azure Code Signing or ACS). Consequently, all Cortex XDR agent versions released after this date require endpoints to have specific Microsoft Windows patches to validate these signatures.

 

Prerequisite Details

Required Patch:
Microsoft KB5022661 or any newer cumulative update that includes its contents.

Affected Systems:
This primarily impacts legacy systems including:

  • Windows 10 (older versions)

  • Windows 7 SP1 (requires an extended support license to install the patch)

  • Windows Server 2008 R2 SP1, 2012, 2012 R2, 2016, and 2019

Note:
Windows 11 machines have this support pre-installed and are generally unaffected.

Symptoms of Missing Prerequisite

If the required patch or cumulative update is missing, Cortex XDR agent installations or upgrades will fail with the following indicators:

  • Error Message:
    “Cortex XDR requires Azure Code Signing support. See Microsoft KB5022661 for details”

  • Console Error:
    The upgrade status may show as Failed with an Installer timed out error

  • MSI Error:
    Log files typically record MSI error code 1603

Resolution and Workarounds:

Apply Cumulative Updates:
Ensure the endpoint is updated with the latest Microsoft security quality updates. If KB5022661 is not found individually in the Microsoft Update Catalog, it has been superseded by more recent cumulative updates.

Verify Installation:
You can verify whether the patch is present by running the following command in an elevated command prompt:

wmic qfe get hotfixid | find "KB5022661"

Bypass Flag (Critical Environment Agents Only):
For environments where patching is not possible, Critical Environment (CE) agent versions (specifically 7.9.103-CE and 8.3-CE) allow a bypass.

Perform a fresh installation using the following MSI flag:

msiexec /i <installer.msi> NO_ACS_SUPPORT=1

Limitation:
This flag cannot be used for upgrades; a clean reinstallation is required. Standard agent versions (for example, version 8.7) ignore this flag and will still fail if the required patch is missing.

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Happy New Year!!

 

Thanks & Regards,
S. Subashkar Sekar
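
The symptoms and the verification step from the reply above, combined into one triage check. This is an added example, not part of the reply and not Palo Alto Networks code. `Get-AcsTriage` is a hypothetical helper name, the hotfix IDs and log lines are constructed sample data, and `Get-HotFix` is used as the PowerShell counterpart of `wmic qfe`.

```powershell
# Added example. Get-AcsTriage is a hypothetical helper, not a vendor tool.
function Get-AcsTriage {
    param(
        [string[]]$HotFixIds,  # live data: (Get-HotFix).HotFixID
        [string[]]$LogLines    # live data: Get-Content on the installer log
    )
    # Exact-ID match only: a superseding cumulative update is listed under
    # its own KB number, so "not listed" does not prove support is missing.
    $kbListed = $HotFixIds -contains 'KB5022661'
    # Installer message quoted in the reply above.
    $acsError = [bool]($LogLines -match [regex]::Escape('requires Azure Code Signing support'))
    # Heuristic: 1603 appearing as a standalone number anywhere in the log.
    $msi1603 = [bool]($LogLines -match '\b1603\b')

    $verdict = if ($acsError) {
        'ACS support missing: apply KB5022661 or a newer cumulative update'
    } elseif ($msi1603 -and -not $kbListed) {
        'MSI 1603 without the ACS message, KB5022661 not listed: confirm patch level'
    } elseif ($msi1603) {
        'MSI 1603 with KB5022661 listed: look for a different cause'
    } else {
        'No ACS-related indicators in this log'
    }

    [pscustomobject]@{
        KbListed = $kbListed
        AcsError = $acsError
        Msi1603  = $msi1603
        Verdict  = $verdict
    }
}

# Constructed sample input: placeholder hotfix IDs and two log lines.
$sampleHotFixes = @('KB0000001', 'KB0000002')
$sampleLog = @(
    'Cortex XDR requires Azure Code Signing support. See Microsoft KB5022661 for details',
    'MainEngineThread is returning 1603'
)

Get-AcsTriage -HotFixIds $sampleHotFixes -LogLines $sampleLog | Format-List
```

Because the KB check matches the exact ID only, the installer message in the log is the stronger indicator on endpoints that have a later cumulative update.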
