How to update your root certificate authorities for product installation or upgrade success

Technical Articles ID: KB91697
Last Modified: 2024-02-15 08:24:00 Etc/GMT

Environment

Multiple products

Summary

Recent updates to this article

Date	Update
February 14, 2024	Updated attachment file name to 2024_Certificates under "Solution" section.
February 7, 2024	Added DigiCert Trusted Root G4 root certificate.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

The product binaries listed below have been signed with updated certificates:

Affected Product	Version
Data Exchange Layer	5.0.2 and later
Data Loss Prevention Endpoint	11.3.2.82 and later
Database Security	4.6.6 Update 3 and later
Trellix Forensics	35.31.25.1
Endpoint Security (ENS) Adaptive Threat Protection	10.7.0 and later 10.6.1 October 2019 Update and later
ENS Firewall	10.7.0 and later 10.6.1 October 2019 Update and later
ENS Platform (Common)	10.7.0 and later 10.6.1 October 2019 Update and later
ENS Threat Prevention	10.7.0 and later 10.6.1 October 2019 Update and later
ENS Web Control	10.7.0 and later 10.6.1 October 2019 Update and later
Host Intrusion Prevention	8.0 Patch 14 and later
Active Response	2.4.1 and later
Agent	5.6.2 and later
Application and Change Control	8.2.1 Update 5 and later
Client Proxy	2.5.0 and later
MVISION Endpoint	1906 and later
VirusScan Enterprise (VSE)	8.8 Patch 14 and later

We plan to update the following product binaries with updated certificates in a future product release. We update this article when product binaries are updated.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Products Pending Update	Version
Endpoint Intelligence Agent	To be determined

The latest packages include binaries that have been signed with updated SHA-256 certificates. Up-to-date root certificates are needed to validate new digital signatures. Microsoft distributes these certificates.

IMPORTANT: Make sure that you update the root certificate store and replace the missing certificates. Otherwise, you can't successfully install or upgrade any of the products in this article because the operating system can't successfully validate the new certificate binaries.

In some environments, the root certificates might be missing. The reasons for the missing root certificates include, but aren't limited to the following:

An administrator removes the certificate from the system.
The system doesn't have internet connectivity, which is needed to perform a Root AutoUpdate (automatic root update).
The group policy in effect prevents the root certificate update:
- The registry value HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate is set to 1.
- The registry key HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots exists.

Solution

Import the certificates needed to validate the digital signatures before you install or upgrade the products:

Install the missing root certificates in the physical Third-Party Trusted Root Certification Authorities store. Specifically, add the certificates listed below:
- AAA Certificate Services (2028)
- AddTrust External CA Root (2020)
- DigiCert Assured ID Root CA (2031)
- DigiCert Trusted Root G4 (2038)
- GlobalSign (2029)
- GlobalSign Code Signing Root R45 (2045)
- GlobalSign Root CA (2028)
- Microsoft Code Verification Root (2025)
- Microsoft Identity Verification Root Certificate Authority 2020 (‎2045)
- USERTrust RSA Certification Authority (2038)
- UTN-USERFirst-Object (2019)
- Verisign Universal Root Certification Authority (2037)
- Verisign Class 3 Public Primary Certification Authority - G5 (2036)
Install the missing Intermediate Certification Authorities certificates in the physical Intermediate Certification Authorities store. Specifically, add the certificates listed below:
- AddTrust External CA Root (2023)
- COMODO RSA Code Signing CA (2028)
- DigiCert SHA2 Assured ID Timestamping CA (2031)
- GlobalSign (2028)
- GlobalSign Code Signing Root R45 (2029)
- GlobalSign CodeSigning CA - G3 (2024)
- GlobalSign CodeSigning CA - SHA256 - G3 (2024)
- GlobalSign GCC R45 CodeSigning CA 2020 (2030)
- GlobalSign Root CA (2021)
- McAfee Code Signing CA 2 (2024)
- McAfee OV SSL CA 2 (2024)
- USERTrust RSA Certification Authority (2028)
- Verisign Class 3 Code Signing 2010 CA (2020)

Certificate installation options:

Option 1 - Install the certificates using the Active Directory (AD) group policy:
We recommend that you install the certificates using the AD group policy for wide deployment.

Deploy the registry change for the Computer policy, and not the User policy. For example instructions on adding a certificate using group policy, see KB92948 - How to determine if a system has an updated root certificate.

Option 2 - Install the certificates directly on the system:
If you have a single system or only a few systems, you can use the following files to install the certificates directly on the system. You can also remotely install them using any appropriate administrative deployment method.

To install the certificates, perform one of the following:

Download the file 2024_Certificates.bat.txt in the "Attachment" section of this article. Rename the file to 2024_Certificates.bat and run it.
OR
Download the file 2024_Certificates.reg.txt in the "Attachment" section of this article. Rename the file to 2024_Certificates.reg and import it.

List of certificates and SHA-1 details for the attached files

Certificate	SHA-1 Details
AAA Certificate Services (2028)	D1EB23A46D17D68FD92564C2F1F1601764D8E349
AddTrust External CA Root (2020)	02FAF3E291435468607857694DF5E45B68851868
AddTrust External CA Root (2023)	A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250
COMODO RSA Code Signing CA (2028)	B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
DigiCert Assured ID Root CA (2031)	0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
DigiCert SHA2 Assured ID Timestamping CA (2031)	3BA63A6E4841355772DEBEF9CDCF4D5AF353A297
DigiCert Trusted Root G4 (2038)	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
GlobalSign (2029)	D69B561148F01C77C54578C10926DF5B856976AD
GlobalSign (2028)	0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71
GlobalSign Code Signing Root R45 (2029)	4C5D80D2CD06B1A493C49B2E9BED4A57C2F873E5
GlobalSign Code Signing Root R45 (2045)	4EFC31460C619ECAE59C1BCE2C008036D94C84B8
GlobalSign CodeSigning CA - SHA256 - G3 (2024)	090D03435EB2A8364F79B78CB173D35E8EB63558
GlobalSign CodeSigning CA - G3 (2024)	F1E7B6C0C10DA9436ECC04FF5FC3B6916B46CF4C
GlobalSign GCC R45 CodeSigning CA 2020 (2030)	7A2146EDB29E2EAD64AFBE7CEAD0B6085D437A32
GlobalSign Root CA (2021)	CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32
GlobalSign Root CA (2028)	B1BC968BD4F49D622AA89A81F2150152A41D829C
McAfee Code Signing CA 2 (2024)	17661DFBA03E6AAA09142E012D216864F01D1F5E
McAfee OV SSL CA 2 (2024)	9151B539751B891401C745A9DE301CBDBADF3FB6
Microsoft Code Verification Root (2025)	8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Microsoft Identity Verification Root Certificate Authority 2020 (2045)	F40042E2E5F7E8EF8189FED15519AECE42C3BFA2
USERTrust RSA Certification Authority (2020)	EAB040689A0D805B5D6FD654FC168CFF00B78BE3
USERTrust RSA Certification Authority (2028)	D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
USERTrust RSA Certification Authority (2038)	2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
UTN-USERFirst-Object (2019)	E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Verisign Class 3 Code Signing 2010 CA (2020)	495847A93187CFB8C71F840CB7B41497AD95C64F
Verisign Class 3 Public Primary Certification Authority - G5 (2036)	4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Verisign Universal Root Certification Authority (2037)	3679CA35668772304D30A5FB873B0FA77BB70D54

NOTE: Some root certificates listed above have expired. These root certificates are needed for backward compatibility. Expired certificates that aren't revoked can still be used to validate anything signed before their expiration. For more details, see this Microsoft article.

Option 3 - Install the certificates using ePolicy Orchestrator (ePO):
Use the ePO Endpoint Deployment Kit package CERTEEDK1000.zip in the "Attachment" section of this article.

Related Information

Also see KB87096 - Product install or upgrade issues due to missing root certificates.

NOTE: The Microsoft Code Verification Root (2025) certificate might be auto-removed by a certificate update on later versions of the Windows operating system.
To confirm if this action occurs, filter the Windows application event log for event 4108 and check for an event as below.
Source = CAPI2 : "Successful auto delete of third-party root certificate:: Subject: <CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, S=Washington, C=US> Sha1 thumbprint: <8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3"

This removal doesn't affect functionality on later versions of the Windows operating system.

Attachment 1

2024_Certificates.bat.txt
90K • < 1 minute @ broadband

Attachment 2

2024_Certificates.reg.txt
139K • < 1 minute @ broadband

Attachment 3

CERTEEDK1000.zip
36K • < 1 minute @ broadband

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

How to update your root certificate authorities for product installation or upgrade success

Environment

Summary

Solution

Related Information

Attachment 1

Attachment 2

Attachment 3

Affected Products

Languages:

Title

Title

Knowledge Center

How to update your root certificate authorities for product installation or upgrade success

Environment

Summary

Solution

Related Information

Attachment 1

Attachment 2

Attachment 3

Affected Products

Languages:

Choose your region

Title

Title