Thankyou this KB would have been most helpful, however I dont think it existed at the time of my OP 🙂 

Understood.  Just FYI, the Azure Code Signing requirement has been listed in the ENS 10.7 April 2023 Release Notes (both the original and Reposted versions), but we wanted to document the installation errors that can occur IF those Windows patches were not applied, so KB96488  was updated with the install log error messages.

https://docs.trellix.com/bundle/trellix-endpoint-security-10.7.x-release-notes/page/GUID-804A1BD4-F4...

Azure Cloud Signing

Azure Cloud Signing (ACS) is implemented in this release. To support ACS signing, Windows platforms require specific Microsoft updates to be applied prior to installing or updating to this release. For more information, see KB96488.

---

To add, the KB87096  article was updated for another Microsoft certificate requirement (e.g., the Microsoft Identity Verification Root Certificate Authority 2020 certificate).  If you auto-update your Root Certificates, it shouldn't be an issue though.

KB87096 - Product install or upgrade issues due to missing root certificates

I am sensing that, not only does the install fail, but it actually corrupts what is there. We now have many systems that either show blank or old ENS FW\Platform versions but also error on install with the message "Product(s) already running the latest version" for the platform and "Deployment/Update process encountered an unknown error" for the firewall. We are losing quick settings and product functionality.

---

@ktankink wrote:

... but we wanted to document the installation errors that can occur IF those Windows patches were not applied...

---

Possibly. one more effect with similar symptom: the SetupCC installer for Platform components was blocked by Windows 2022 Server with certain roles. Both for manual and ePO-supervised installation.

 The extended facts about issue found are provided below:

- Effect was found on servers with AD domain controller, PKI server, Terminal Licensing server roles. Other roles were unaffected (4 servers out of 20 have the issue).

- OS rejects the file run because of invalid driver (event 3004).

- However, the Defender Application Control is turned off.

- The attempt to set the OS Policy to allow any application to run - in vain.

- Microsoft Defender Antivirus was removed.

- SmartScreed was turned off.

- Additional security policies were revoked.

- An attempt to install KB87096 certificates was successful, but - in vain.

- No system errors registered.

- The OS patch for 2022 Server, mentioned in KB96488, still not tried (now we are investigating, which components might be superseded by actual OS patches).

- File SetupCC has one outdated certificate, however, other two and timestamp - are valid.

Thus, SetupCC was blocked by Windows Defender Application Control / WDAC, which is not turned on and active. 🙂 It looking the effect is not coupled with certificates, rather with impossibility to check the SetupCC 'internal driver' validity.

Solution or Workaround still not found.

Yes, the KB5005619, mentioned in KB96488 document, was effective in Server 2022 environment as well. After it roll-up and OS reboot, the setupCC was not blocked, thus, the "Platform" deployed successfully.