Product install or upgrade issues due to missing root certificates
Technical Articles ID:
KB87096
Last Modified: 2023-05-09 05:39:44 Etc/GMT
Environment
Application and Change Control (ACC) 8.x
Data Exchange Layer 6.x, 5.x
Data Loss Prevention Endpoint 11.x
Endpoint Intelligence Agent 2.x
Endpoint Security (ENS) Firewall 10.x
ENS Platform (Common) 10.x
ENS Threat Prevention 10.x
ENS Web Control 10.x
Host Intrusion Prevention 8.0
Active Response 2.x
Agent 5.x
Threat Intelligence Exchange Module for VirusScan Enterprise (VSE) 1.x
VSE 8.8
Summary
Recent updates to this article
Date           Update
May 8, 2023    Added Microsoft Identity Verification Root Certificate Authority 2020 certificate.
March 9, 2023  Removed "McAfee" references.
Problem
You see any of the following issues when you try to install or upgrade a product:
An installation or upgrade fails for any of the products listed in the "Environment" section of this article.
The failure can occur when you install or upgrade the basic ENS platform. This failure can also impact the installation or upgrade of any ENS platform modules.
The following errors are logged:
VSE VSEInst_xxxxxx_xxxxxx.log:
Error - SysCore install failed: 255
!> leave custom action Install_SysCore()
CustomAction Install_SysCore returned actual error code 1603 (NOTE: This code might not be 100% accurate if translation happened inside sandbox)
Fin de la acción 12:28:11: InstallExecute. Return value 3.
MSI (s) (98:70) [12:28:11:908]: Note: 1: 2265 2: 3: -2147287035
ERROR! Signature check failed
ValidateDocument: return=0 ERROR! While validating document
policy disable 0 service stopped 0 Returning 4294967295
ENS McAfee_Common_VScore_Install_date_time.log:
AAC is not installed. Err=-2146869243 ERROR! Failed to create AAC Control. Err=-2146869243
StartStopAllMMSServices: ERROR! MmsControlCreate failed with -2146869243
ENS McAfee_MfeEpAac_date_time.log:
VerifyParentEntryPointIsMcAfeeSigned: VerifyProcess PID[2340] LastErr 0x80096005 The time stamp signature or certificate could not be verified or is malformed.
LastErr 0x80096005 The time stamp signature or certificate could not be verified or is malformed.
ENS McAfee_Common_Bootstrapper_date_time.log:
Running application to gain installer exclusion failed: 2148098053
Gain installer exclusion through mfeEpAAC MFEPROTECT failed
Trying to gain installer exclusion now by mfeEpAAC protected with MFEINSTALL
Extracting MfeEpAac.exe: C:\Windows\TEMP\MfeEpAac.exe
Extraction successful
This is a 64-bit system
"C:\Windows\TEMP\MfeEpAac.exe" -add -rootlocation "C:\Program Files\McAfee\Endpoint Security" -rootlocation "C:\Program Files (x86)\McAfee\Endpoint Security" -folder "C:\ProgramData\McAfee\Endpoint Security"
PROCESS return code: 3221225506 Running application to gain installer exclusion failed: 3221225506
NOTE: Error codes 0x80096005 and -2146869243 are the same HRESULT (unsigned and signed form) and translate to TRUST_E_TIME_STAMP: the time stamp signature or certificate couldn't be verified or is malformed. A failure to validate the certificate chain of the signed binary causes this error.
ENS Setupapi.dev.log:
sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE.EN_US} 15:24:26.278
inf: Opened INF: 'C:\windows\System32\DriverStore\Temp\{0e190d7e-0a4d-0593-f0cf-a3732f126723}\mfenlfk.inf' ([strings])
sig: {_VERIFY_FILE_SIGNATURE.EN_US} 15:24:26.285
sig: Key = mfenlfk.inf
sig: FilePath = C:\windows\System32\DriverStore\Temp\{0e190d7e-0a4d-0593-f0cf-a3732f126723}\mfenlfk.inf
sig: Catalog = C:\windows\System32\DriverStore\Temp\{0e190d7e-0a4d-0593-f0cf-a3732f126723}\mfenlfk.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 15:24:26.370
sig: {_VERIFY_FILE_SIGNATURE.EN_US} 15:24:26.370
sig: Key = mfenlfk.inf
sig: FilePath = C:\windows\System32\DriverStore\Temp\{0e190d7e-0a4d-0593-f0cf-a3732f126723}\mfenlfk.inf
sig: Catalog = C:\windows\System32\DriverStore\Temp\{0e190d7e-0a4d-0593-f0cf-a3732f126723}\mfenlfk.cat
! sig: Verifying file against specific Authenticode(tm) catalog failed! (0x800b010a)
! sig: Error 0x800b010a: A certificate chain could not be built to a trusted root authority.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b010a)} 15:24:26.376
!!! sto: An unexpected error occurred while validating driver package. Assuming that driver package is unsigned. Catalog = mfenlfk.cat, Error = 0x800B010A
!!! sto: Driver package is considered unsigned.
!!! ndv: Driver package failed signature validation. Error = 0xE0000247
sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0xe0000247)} 15:24:26.377
!!! sto: Driver package failed signature verification. Error = 0xE0000247
!!! sto: Failed to import driver package into Driver Store. Error = 0xE0000247
sto: {Stage Driver Package: exit(0xe0000247)} 15:24:26.379
!!! sto: Failed to stage driver package to Driver Store. Error = 0xE0000247, Time = 936 ms
sto: {Import Driver Package: exit(0xe0000247)} 15:24:26.382
inf: Opened INF: 'C:\windows\TEMP\{432DB9E4-6388-432F-9ADB-61E8782F4593}\mpt_install_base\x64\mfenlfk.inf' ([strings])
! inf: Add to Driver Store unsuccessful
! inf: Error 0xe0000247: A problem was encountered while attempting to add the driver to the store.
!!! inf: returning failure to SetupCopyOEMInf
A VSE 8.8 patch upgrade fails to install and the rollback mechanism also fails. This failure leaves a corrupt installation of VSE on the system. It also leaves the Validation Trust Protection Service in a stopped state, and the VSE OnAccessScanner service disabled.
Errors are recorded in the VSE installation logs (C:\Windows\Temp\McAfeeLogs):
VSE VSE88_Patch_xxxxxx_xxxxxx.log:
>> Installing SysCore: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\VSCore\x64\mfehidin.exe" -i VSE88P7 -q -mfetrust_killbit -l "C:\Windows\TEMP\McAfeeLogs\vse8.8.0.core_install_041416_090556.log" -etl "C:\Windows\TEMP\McAfeeLogs\vse8.8.0.core_install_041416_090556.etl" -x vse.xml OAS ELAM AAC DiskFilter firecore_driver EmailScan ScriptScan !> Error - SysCore install failed: 255
<= leave custom action Install_SysCore_Patch()
CustomAction Install_SysCore_Patch returned actual error code 1603 NOTE: The above code might not be 100% accurate if translation happened inside sandbox.
MSI (s) (DC:14) [09:06:35:968]: User policy value 'DisableRollback' is 0
MSI (s) (DC:14) [09:06:35:968]: Machine policy value 'DisableRollback' is 0
VSE Vse8.8.0.core_install_xxxxxx_xxxxxx.log:
GetAccessAndDeleteFile: FileDelete(C:\Program Files (x86)\Common Files\McAfee\SystemCore\mcvssnmp.dll) failed with error 5
GetAccessAndDeleteFile: FileDelete(C:\Program Files (x86)\Common Files\McAfee\SystemCore\mcvssnmp.dll.a5a7.deleteme) failed with error 2
A VSE 8.8 patch management extension upgrade fails with the following message in the Orion.log file (..\Program Files(x86)\McAfee\ePolicy Orchestrator\Server\Conf\Orion):
BUILD FAILED
D:\PROGRA~1\McAfee\EPOLIC~1\server\extensions\installed\VIRUSCAN8800\8.8.0.448\install.xml:78: com.mcafee.orion.core.cmd. CommandException: APPolicyMigrateCommand: Failed to create AP config
A certificate validation error causes the above issue when the extension creates the APConfig object. The product can't validate the certificates of the DLLs involved, so it can't create the APConfig object to update the policy.
The fields for Categories and Rules contain no data in VSE Access Protection policies. The issue occurs after you upgrade the VSE 8.8 patch extensions.
The fields for Rules contain no data in the VSE Access Protection policies. The issue occurs after you upgrade the VSE 8.8 Patch extensions.
Updates that use the nnnnxdat.exe (V2) or V3_nnnndat.exe (V3) package fail when one or more of the root certificates is missing.
The following error is found in the core installation log:
Warning: Certificate <CERTIFICATE_NAME> - not found in Root
The product core installation log contains errors similar to the below examples:
NOTE: The certificate name might differ in the core installation log.
ACC mac_mpt.log:
[09:14:16:612] - Total 1 Warning Value present
Code [0x60001100] : A required certificate couldn't be located in certificate store.
Total 1 Error Value present Code [0x20005011] : Internal error has occurred during installation.
Warning: Certificate UTN-USERFirst-Object - not found in Root.
Warning: Certificate GlobalSign Root CA - R1 - not found in Root. Exit code will be 4294967295
VSE VSEInst_<date_time>.log:
Warning: Certificate UTN-USERFirst-Object - not found in Root.
RecordActionCode: Action Result 1 Category 1 Message 16 (Final 0x60001100). Warning: Certificate GlobalSign Root CA - R1 - not found in Root.
LoadElamPplCerts: Ensure PPL certificates are loaded in the OS
StartStopMFeServices: stopping
StartStopAllMMSServicesExceptVTP: start=false
StartStopAllMMSServicesExceptVTP: ERROR! MmsControlCreate failed with -2146762486
StartStopAllMMSServicesExceptVTP: exit=0
ERROR: StartStopMfeServices: failed to stop services...
StartStopMFeServices: return=0
ERROR! while stopping services.
Cause
One or more of the following certificates are missing:
Root certificates:
AAA Certificate Services (2028)
AddTrust External CA Root (2020)
DigiCert Assured ID Root CA (2031)
GlobalSign (2029)
GlobalSign Code Signing Root R45 (2045)
GlobalSign Root CA (2028)
Microsoft Code Verification Root (2025)
Microsoft Identity Verification Root Certificate Authority 2020 (2045)
The latest binaries have been signed with updated SHA-256 certificates. These root certificates are needed to validate the digital signatures. Microsoft distributes these certificates as part of the Microsoft Trusted Root Program.
The reasons for the missing root certificates include, but aren't limited to, the following:
The administrator removes the certificate from the system.
The system doesn't have internet connectivity, which is needed to perform a Root AutoUpdate (automatic root update).
The group policy in effect prevents the root certificate update when the registry values below are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate is set to 1.
HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate is set to 1.
NOTE: Some root certificates listed above have expired. These root certificates are needed for backward compatibility. Expired certificates that aren't revoked can still be used to validate anything signed before their expiration. For more details, see this Microsoft article.
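The following diagnostic is an added example, not part of the KB: it reports which of the root CAs listed under "Cause" are absent from the machine's Trusted Root and Third-Party Root stores, and whether either DisableRootAutoUpdate value named above is set to 1. Run it in an elevated PowerShell session on the affected system.

```powershell
# Added diagnostic (not from the KB). Root = Trusted Root Certification
# Authorities, AuthRoot = Third-Party Root Certification Authorities.
$RequiredRoots = @(
    'AAA Certificate Services',
    'AddTrust External CA Root',
    'DigiCert Assured ID Root CA',
    'GlobalSign',
    'GlobalSign Code Signing Root R45',
    'GlobalSign Root CA',
    'Microsoft Code Verification Root',
    'Microsoft Identity Verification Root Certificate Authority 2020'
)

$Installed = foreach ($Store in 'Root', 'AuthRoot') {
    Get-ChildItem -Path "Cert:\LocalMachine\$Store" | ForEach-Object {
        # Compare on the subject CN, which is what the KB lists.
        if ($_.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() }
    }
}
$Installed = $Installed | Sort-Object -Unique

$Missing = $RequiredRoots | Where-Object { $Installed -notcontains $_ }
if ($Missing) {
    Write-Warning ("Missing root certificates:`n  " + ($Missing -join "`n  "))
} else {
    Write-Host 'All root certificates listed in the KB are present.'
}

# The two policy values the KB names; 1 means Root AutoUpdate is blocked.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\AuthRoot'
)
foreach ($Key in $PolicyKeys) {
    $Value = (Get-ItemProperty -Path $Key -Name DisableRootAutoUpdate `
              -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    if ($Value -eq 1) {
        Write-Warning "$Key\DisableRootAutoUpdate = 1 (Root AutoUpdate blocked by policy)"
    } elseif ($null -eq $Value) {
        Write-Host "$Key\DisableRootAutoUpdate not set (AutoUpdate allowed)"
    } else {
        Write-Host "$Key\DisableRootAutoUpdate = $Value"
    }
}
```

A system without internet connectivity can have both values unset and still be missing roots, because Root AutoUpdate never ran; the missing-certificate list is the authoritative signal.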
Solution
Use the following solutions to resolve the missing certificate issue.
Import the certificates that are needed to validate the digital signatures. After you install the certificates, verify that the product installs or upgrades successfully.
Install the missing root certificates in the physical Third-Party Trusted Root Certification Authorities store:
AAA Certificate Services
AddTrust External CA Root
DigiCert Assured ID Root CA
GlobalSign, GlobalSign Code Signing Root R45, and GlobalSign Root CA
Microsoft Code Verification Root
USERTrust RSA Certification Authority
UTN-USERFirst-Object
Verisign Class 3 Public Primary Certification Authority - G5, and Verisign Universal Root Certification Authority
Install the missing Intermediate Certification Authorities certificates in the physical Intermediate Certification Authorities store:
AddTrust External CA Root
COMODO RSA Code Signing CA
DigiCert SHA2 Assured ID Timestamping CA
GlobalSign, GlobalSign Code Signing Root R45, GlobalSign CodeSigning CA - G3, GlobalSign CodeSigning CA - SHA256 - G3, GlobalSign GCC R45 CodeSigning CA 2020, and GlobalSign Root CA
McAfee Code Signing CA 2, McAfee OV SSL CA 2
Trust External CA Root
USERTrust RSA Certification Authority (2028)
Verisign Class 3 Code Signing 2010 CA
Option 1 - Install the certificates using the Active Directory (AD) group policy
We recommend that you install the certificates using the AD group policy for wide deployment. For information about how to deploy registry changes using group policy, see the Microsoft article Configure a Registry Item.
Option 2 - Install the certificates directly on the system
If you have a single system or only a few systems, you can use one of the following files (.bat file or .reg file) to install the certificates directly on the system. Or, you can install the certificates remotely using any appropriate administrative deployment method.
To install the certificates:
Download the file 2022_Certificates.bat.txt in the "Attachment" section of this article. Rename the file to 2022_Certificates.bat and run it.
Or
Download the file 2022_Certificates.reg.txt in the "Attachment" section of this article. Rename the file to 2022_Certificates.reg and import it.
Option 3 - Install the certificates using ePolicy Orchestrator (ePO)
Use the ePO Endpoint Deployment Kit package CERTEEDK1000.zip in the "Attachment" section of this article.
Address the issue that prevents the automatic update of root certificates on the system.
Microsoft allows the administration of root certificate stores through several group policy objects and automatic updates. The administration of certificate stores isn't within the scope of Technical Support.
Use the following solution only if the group policy prevents the root certificate update:
CAUTION: This article contains information about opening or modifying the registry.
The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Do not run a REG file that is not confirmed to be a genuine registry import file.
Change the registry value for HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate from 1 to 0.
NOTE: If you're making this change using the group policy for wide deployment, the Group Policy Object for this setting is at Computer Configuration, Administrative Templates, System, Internet Communication Management, Internet Communication settings, Turn off Automatic Root Certificates Update. Change Turn off Automatic Root Certificates Update from Enabled to Disabled.
Press Windows+R, type regedit, and click OK.
Navigate to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate.
Change the value from 1 to 0.
Exit the registry editor.
If present, remove the registry key ProtectedRoots, which is at HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots:
Press Windows+R, type regedit, and click OK.
Navigate to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root.
Right-click ProtectedRoots, click Export, and choose a location in which to save a backup copy.
Right-click ProtectedRoots, click Delete, and click Yes when prompted.
Exit the registry editor.
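The script below is an added example, not the KB's attached .bat or .reg file: it imports .cer files into the two physical stores named under "Solution" (AuthRoot is Third-Party Root Certification Authorities, CA is Intermediate Certification Authorities) and then applies the registry steps above, backing up ProtectedRoots before removing it. The folder paths $RootCerDir, $IntermediateCerDir and $BackupDir are assumptions; place the exported certificates listed above in those folders and run the script elevated.

```powershell
# Added remediation script (not from the KB). Assumed folder layout:
# $RootCerDir holds root CA .cer files, $IntermediateCerDir holds intermediates.
param(
    [string]$RootCerDir         = 'C:\Certs\Root',          # assumed path
    [string]$IntermediateCerDir = 'C:\Certs\Intermediate',  # assumed path
    [string]$BackupDir          = 'C:\Certs\Backup'         # assumed path
)

# Map each folder to the physical store the KB names for its certificates.
$Targets = @{
    $RootCerDir         = 'Cert:\LocalMachine\AuthRoot'   # Third-Party Root CAs
    $IntermediateCerDir = 'Cert:\LocalMachine\CA'         # Intermediate CAs
}
foreach ($Dir in $Targets.Keys) {
    Get-ChildItem -Path $Dir -Filter *.cer -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "Importing $($_.Name) into $($Targets[$Dir])"
        Import-Certificate -FilePath $_.FullName -CertStoreLocation $Targets[$Dir] | Out-Null
    }
}

# Registry step 1: re-enable Root AutoUpdate (DisableRootAutoUpdate 1 -> 0).
$AuthRootPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
if (Test-Path $AuthRootPolicy) {
    $Current = (Get-ItemProperty -Path $AuthRootPolicy -Name DisableRootAutoUpdate `
                -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    if ($Current -eq 1) {
        Set-ItemProperty -Path $AuthRootPolicy -Name DisableRootAutoUpdate -Value 0 -Type DWord
        Write-Host 'DisableRootAutoUpdate changed from 1 to 0'
    }
}

# Registry step 2: export ProtectedRoots as a backup, then delete it, if present.
$ProtectedRootsKey = 'HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'
if (Test-Path "Registry::$ProtectedRootsKey") {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $Backup = Join-Path $BackupDir ('ProtectedRoots_{0:yyyyMMdd_HHmmss}.reg' -f (Get-Date))
    # reg.exe takes the HKLM\... form; /y overwrites an existing backup file.
    reg.exe export $ProtectedRootsKey $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of ProtectedRoots failed; key left in place" }
    Remove-Item -Path "Registry::$ProtectedRootsKey" -Recurse
    Write-Host "ProtectedRoots exported to $Backup and removed"
}
```

After the script completes, retry the product install or upgrade and confirm the core installation log no longer reports "not found in Root" warnings.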
Related Information
See the Microsoft webpage for how to use the Certutil.