.. Reminder for header structure:
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. meta::
  :description: Frequent problems and questions
  :keywords: lost password, lost private key, stolen private key, BIOS bug, waptdeploy, WAPT, documentation, the WAPT Deployment utility

.. _wapt_faq_console:

####################
FAQ - Console Issues
####################

******************************************
My certificate doesn't work on the machine
******************************************

You are trying to update, send a message, or add a package, but you encounter the following error: 

Error on client: **EWaptCertificateUntrustedIssuer('Issuer CA certificate CN=XXXX,C=FR can not be found in supplied bundle')**

Or the following dialog:

.. figure:: wapt-resources/EWaptCertificateUntrustedIssuer.png
  :align: center
  :scale: 85%
  :alt: EWaptCertificateUntrustedIssuer

**How to Troubleshoot:**

1. Check the Certificate:

   Ensure the certificate used by your console is valid and recognized by the target machine.

   Go to :menuselection:`Tools --> Preferences` and verify the "Path to personal certificate".

2. Verify Machine's Trusted Certificates:

   On the target machine, open the "Certificates" tab.

   Confirm that your certificate (or its signing authority) is listed as trusted.

3. Resolve Certificate Issues:

   If your certificate is not trusted, have it signed by a certificate authority (CA) already approved by the machine.

   You need to create a certificate package and sign it with a certificate already approved by the machine.

   Follow the signing procedure as described in the video guide: https://www.youtube.com/watch?v=mdUcQSdPqQ4.

4. Retry the Operation:

   After ensuring the certificate is trusted, attempt the update, message, or package addition again.

.. _msg_error_package:

***********************************************
Error message about package on the WAPT Console
***********************************************

Error "File setup.py is not allowed in manifest of xxx"
=======================================================

This error means that the certificate currently in use does not have the authority to sign packages.

The only two options available are:

1. Use a different certificate with code-signing rights.

2. Regenerate a certificate with the :guilabel:`code signing` option selected (see :ref:`building a certificate <building_certificate>`).

.. figure:: wapt-resources/wapt_code_signing_for_certificate.png
  :align: center
  :scale: 65%
  :alt: Code signing for certificate

  Code signing for certificate

Error when uploading package
============================

.. figure:: wapt-resources/wapt_error_trusted_signer_certificate.png
  :align: center
  :scale: 75%
  :alt: Window showing that the uploaded package has signer certificate issue

  Window showing that the uploaded package has signer certificate issue

The WAPT Console shows this error: :code:`Error when uploading package : EWaptForbidden('Host matching package UUID_HOST does not trusted signer certificate)`.

This error occurs when you try to upload a WAPT package but the certificate that signed the package is not present in the :file:`ssl` folder of the WAPT installation on your computer.
As a reminder, if your WAPT Server runs on Windows, **do not launch the WAPT Console on the server**.
Add the certificate that signed the package to the :file:`ssl` folder of the WAPT installation on your computer, then retry.

Error locale
============

.. figure:: wapt-resources/wapt_console_local-error-dialog-box.png
  :align: center
  :alt: Window showing that the WAPT Console does not find a package

  Window showing that the WAPT Console does not find a package

The WAPT Console shows this error in two situations.

Package does not exist in the repository anymore, yet a host needs it
---------------------------------------------------------------------

There are two possible solutions:

* Try to get the package again from Tranquil IT's store.

* Delete the package from the host dependencies.

When you try to install a package with a locale that is unknown to the host
---------------------------------------------------------------------------

There are two possible solutions:

* Download the WAPT package having the matching locale from Tranquil IT's store.

* Edit your WAPT package and set in the :file:`control` file the option :code:`locale` with the correct locale (:code:`locale=en,fr`).

.. _msg_error_open:

*******************************************
Error message when opening the WAPT Console
*******************************************

Version check
=============

.. image:: wapt-resources/wapt_console_version-error_dialog-box.png
  :align: center
  :scale: 75%
  :alt: Window showing that the WAPT Console version is out of date

The WAPT Console version is not the same as the version of the WAPT Server.
Upgrading the WAPT Console to the same version as the WAPT Server is the recommended course of action.

Connection refused
==================

The WAPT Console cannot contact the WAPT Server on port 443:

* Check whether the :program:`Nginx` web service is running on the WAPT Server.

.. code-block:: bash

  systemctl status nginx

* If :program:`Nginx` is not running, restart the :program:`Nginx` service.

.. code-block:: bash

  systemctl restart nginx

* If :program:`Nginx` still does not start, you will need to analyze the journal logs in:

  * :file:`/var/log/nginx/` on Linux;

  * :file:`C:\\Program Files (x86)\\wapt\\waptserver\\nginx\\logs` on Windows.

Service unavailable
===================

It is possible that the WAPT Server service is stopped:

* Check whether :program:`waptserver` is running.

.. code-block:: bash

  systemctl status waptserver

* If the command returns an error, then start the :program:`waptserver`.

.. code-block:: bash

  systemctl start waptserver

Error connecting with SSL ... verify failed
===========================================

The WAPT Console seems not to be able to verify the WAPT Server's HTTPS certificate.

.. attention::

  Before doing anything, be sure that you are not facing a :abbr:`MITM (Man in the Middle)` attack!

.. note::

  If you have just rebuilt your WAPT Server and you use a self-signed certificate, you can recover the old keys of your old WAPT Server in :file:`/opt/wapt/waptserver/apache/ssl`.

* Close your WAPT Console.

* Delete the folder :file:`%appdata%\\..\\Local\\waptconsole`.

* Launch the command :code:`wapt-get enable-check-certificate`.

* Make sure that the previous command completed successfully.

* Restart the WAPT service with :code:`net stop waptservice && net start waptservice`.

* Restart the WAPT Console.

If you do not use the certificate pinning method, this error tells you that the certificate sent by the WAPT Server cannot be verified with the Python :program:`certifi` bundle of certificates.
Make sure the full chain of certificates is present on the WAPT Server.
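
One way to carry out the MITM check called for above, before deleting the cached Console data and running :code:`wapt-get enable-check-certificate` again: compare the SHA-256 fingerprint of the certificate presented on port 443 with a fingerprint read on the WAPT Server itself. This is an added example, not WAPT code; the script name, the host argument and the way you obtain the reference fingerprint are assumptions.

```python
import hashlib
import socket
import ssl
import sys


def normalize_fingerprint(text: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return lowercase hex."""
    cleaned = text.strip().replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def fetch_presented_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER certificate the server presents, without trusting it.

    Verification is off only so the bytes can be read and compared;
    no application data is sent over this connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def same_certificate(presented_der: bytes, reference_fingerprint: str) -> bool:
    """True only if the presented certificate hashes to the reference value."""
    presented = hashlib.sha256(presented_der).hexdigest()
    return presented == normalize_fingerprint(reference_fingerprint)


if __name__ == "__main__":
    # Assumed usage: check_server_cert.py <wapt-server-host> <reference-fingerprint>
    # The reference is read on the WAPT Server itself over a channel you trust.
    host, reference = sys.argv[1], sys.argv[2]
    if same_certificate(fetch_presented_cert(host), reference):
        print("match: the certificate on the wire is the server's own")
    else:
        print("MISMATCH: do not re-pin; investigate the network path first")
        sys.exit(1)
```

A mismatch means something between the Console and the server is answering with a different certificate. A match while the Console still fails points back to stale pinned data or an incomplete chain, which the steps above address.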

I can't do anything in the WAPT Console, everything is greyed
=============================================================

The WAPT Console seems locked: you cannot execute any action and everything is greyed out.

If you are logged in as a user other than the *Superadmin*, the ACL rules applied to your profile may not be set properly.

To fix this, close the WAPT Console and open it with the *Superadmin* account.
Then, go to :menuselection:`Tools --> Manage Wapt users and rights`.
There, find the user in the list and give the user the appropriate permissions, then save and close the WAPT Console.
Re-open the WAPT Console using your login.


******************************************************************************
Managing the location of machines in WAPT: Updating the Organisation Unit (OU)
******************************************************************************


The WAPT server does not automatically determine the **location of a newly deployed machine**. This information is **transmitted by the WAPT agent** (installed on the machine) **to the server**, based on the data available at the time of communication.

The key on the machine is here: ``HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Distinguished-Name``

**Case of a machine moved to a new OU**

If the machine has not yet received the information indicating that it belongs to a new OU, it transmits to the WAPT server the location that it knows at that time (generally the old OU).

To check the location known by the machine:

- In the WAPT console, identify the machine concerned.

- Go to the :guilabel:`Hardware Inventory` tab.

- Look for the key :guilabel:`computer_ad_dn`; its value corresponds to the location (OU) that the machine has communicated to the server.

**How to correct the location of the machine**

If the value of :guilabel:`computer_ad_dn` corresponds to the old OU, there are two solutions for forcing the update:

  **Via the command prompt:**

  Run the following command on the machine:

  .. code::
    
    gpupdate /force


  **Via the WAPT console:**

  - Select the workstation concerned.

  - Right-click > :guilabel:`Windows Computer Management`.

  - Choose :guilabel:`Update AD Group Policies on hosts`.

Once the update has been performed, the machine should appear in the new OU in the WAPT inventory.

********************************************************
Duplicate or Legacy Windows Update KBs Displayed in WAPT
********************************************************

.. image:: wapt-resources/wapt-duplicate_KBS.png
  :align: center
  :scale: 75%
  :alt: Duplicate KBs displayed in WAPT

You may notice that a Windows 11 device running version 25H2 displays cumulative updates intended for earlier releases such as 22H2, 23H2, or 24H2 in the Windows Updates tab of the WAPT Console.
At first glance, this may suggest that updates for older Windows versions are being installed on the device. Fortunately, this is not the case.

Microsoft is aware of this behavior and has acknowledged it in their support forums, although the issue has not yet been resolved:

Microsoft discussion: https://learn.microsoft.com/en-us/answers/questions/2157261/duplicate-cumulative-kb-windows-11-update-returns

The information displayed in the Windows Updates tab comes directly from the native Windows Update Agent and is not modified by WAPT. WAPT intentionally preserves the original data returned by Windows Update so that administrators can work with the information exactly as provided by Microsoft.

While the presence of duplicate or legacy-version KBs can make the update list more difficult to read, this is purely a display issue. It does not affect the update installation process.
Windows Update will only install the cumulative update that matches the operating system version running on the device. For example, on a Windows 11 25H2 system, only the KB package intended for 25H2 will be installed, even if updates targeting 22H2, 23H2, or 24H2 are also listed in the console.

To verify which updates are actually installed on a device, you can use the following PowerShell command:

.. code-block:: powershell

  Get-HotFix

