When starting the VMware View Composer Service on a Windows Server 2012 or 2012R2 machine, you receive error 1920.
According to this KB article, it could be related to internet connectivity problems or missing Windows Updates.
Well, this is kind-of true. Apparently, When starting the service, an internet connection is necessary to check if the certificate used on the View Composer is still valid according to the Windows Certificate Store, which on it’s turn checks Windows Update for the latest certificate revocation list.
Unfortunately, Windows Server 2012 and up uses a different method in checking the certificate revocation list. Instead of using Windows Update, it directly connects towards the microsoft website to download a cab file:
If this URL isn’t reachable, the service will fail starting with the 1920 error message.
Imagine an environment where servers don’t have a direct internet connection due to security reasons. And Windows Updates are provided by a WSUS server that resides in the DMZ.
You have 2 options in solving this issue:
1) Disable automatic certificate updates. Actually, this isn’t a solution, but a workaround. Disabling the certificate updates imho is a security risk. But still, if this isn’t one to you, do this:
Set the “Turn off automatic root certificate update” policy to “Enabled” or set it via the registry by changing HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
2) Implement a server that downloads the Roots and Disallowed Certs ( the WSUS machine for instance) and publish them internally. This is a better solution.
For more information on how to this please have a look at the following URL:
- Commodity IT, the problem formerly known as Shadow IT - October 4, 2017
- VLOG 001: Video review of VMworld 2017 Las Vegas - August 31, 2017
- EUC Announcements at VMworld 2017 in Las Vegas - August 29, 2017