cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Nick_B
Level 11
Report Inappropriate Content
Message 1 of 14
‎01-13-2020 11:37 AM

Endpoint Security 10.6.1 Fails to Install

Hi McAfee Community,

One of our customers is having issues installing ENS 10.6.1 on a Windows Server 2008 R2 VM.

It fails to install or upgrade from ePO (v5.9.1). We saw an error - Trust Verification failed in one of the logs, the Status Monitor if memory serves me correct.

The customer completely removed all McAfee products using the Endpoint Removal Tool and started from scratch - McAfee Agent 5.6.2.209 installed without issue.

When the customer attempts the Install locally, using the Standalone ENS Package by running SetupEP.exe as an Administrator it appears to do nothing whatsover. No CPU activity, no errors, nada.

We checked the local logs in %temp%\McAfeeLogs and found these lines in the McAfee_MfeEpAac_date/time.log which is suggesting that missing root and/or intermediate certificates on the server may be the cause.

01-08 08:24:14 [03040] VTP LazyInit, LastErr 0x800b0109 A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
01-08 08:24:14 [03040] Found C:\Windows\syswow64\WINTRUST.dll
01-08 08:24:14 [03040] Found C:\Windows\syswow64\CRYPT32.dll
01-08 08:24:14 [03040] Found C:\Windows\syswow64\MSASN1.dll
01-08 08:24:14 [03040] Parent is not Installer, LastErr 0x800b0109 A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
01-08 08:24:14 [03040] VerifyParentEntryPointIsMcAfeeSigned: VerifyProcess PID[2720] LastErr 0x800b0109 A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
01-08 08:24:14 [03040] Parent is not McAfee, so install cannot contiune
01-08 08:24:14 [03040] Exit: LastErr 0x800b0109 A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Has anyone else seen or experienced this kind of error? I'd be interested to hear from you!

Many thanks,

Nick

 

1 person had this problem.
0 Kudos
Reply
13 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 14
‎01-13-2020 11:41 AM

Re: Endpoint Security 10.6.1 Fails to Install

Hi @Nick_B 

Your best bet for a starting point based on the info you've provided will be to check out the workaround in this KB for installing the needed root certs: https://kc.mcafee.com/corporate/index?page=content&id=KB91697

Thank you,

Reply
Nick_B
Level 11
Report Inappropriate Content
Message 3 of 14
‎01-13-2020 12:21 PM

Re: Endpoint Security 10.6.1 Fails to Install

Hi,

Thanks - I'll be sure to check out that KB and let you know how it went!

Nick

0 Kudos
Reply
AdithyanT
Employee
Employee
Report Inappropriate Content
Message 4 of 14
‎01-14-2020 12:18 AM

Re: Endpoint Security 10.6.1 Fails to Install

Hi @Nick_B,

Thank you for your post! I am sure @Former Member has already provided you the solution. Most of the time we find the root cause to be this:

The group policy in effect prevents the root certificate update:

  • The registry value HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate is set to 1.
  • The registry key HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots exists.

Please check if this is true in your case as well!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
0 Kudos
Reply
Nick_B
Level 11
Report Inappropriate Content
Message 5 of 14
‎01-14-2020 01:44 AM

Re: Endpoint Security 10.6.1 Fails to Install

Hello again,

Indeed, that seems to be the most likely cause, so I'm waiting to hear back from the customer now that I've explained what I found and what the solution to be.

Thanks! As soon as I hear back I'll give some kudos and Accept as Solution 😉

Reply
Nick_B
Level 11
Report Inappropriate Content
Message 6 of 14
‎01-14-2020 05:24 AM

Re: Endpoint Security 10.6.1 Fails to Install

Hi guys,

Many thanks for your responses!

The customer responded to say he has checked on the system in question and the two registry keys referenced do not exist (listed below for convenience).

  • HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate 
  • HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots 

He also located the Certification Authorities and found they already have a good number of root certificates, as seen below:

Trusted Root Certification AuthoritiesTrusted Root Certification Authorities

Intermediate Certification AuthoritiesIntermediate Certification Authorities

and also Third-Party Root...

Third-Party Root Certification AuthoritiesThird-Party Root Certification Authorities

Is there something we're missing at all? It all appears to be in order.

Look forward to hearing from you!

Nick

0 Kudos
Reply
Nick_B
Level 11
Report Inappropriate Content
Message 7 of 14
‎01-14-2020 05:47 AM

Re: Endpoint Security 10.6.1 Fails to Install

Hi guys & girls,

Having taken closer look at the screenshots and also noting the specific entries from the KB91697 I could only locate one of the certs from the Third-Party Root Certification Authority list - UTN-UserFirst-Object although it expired in July 2019 and one from the Intermediate Certification Authorities - COMODO RSA Code Signing CA which was still valid.

So they will need to acquire and import all of the missing certs?

Thanks for your help, guys! 

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 8 of 14
‎01-14-2020 05:49 AM

Re: Endpoint Security 10.6.1 Fails to Install

Hey @Nick_B 

Yes, please ensure the clients have those updated certs installed. All of them are required otherwise the installation is likely to fail. Amongst other things we need these certs to perform vital validation look ups and therefore these need to be present on the machine. 

0 Kudos
Reply
Nick_B
Level 11
Report Inappropriate Content
Message 9 of 14
‎01-14-2020 07:01 AM

Re: Endpoint Security 10.6.1 Fails to Install

Hiya,

Thanks again, having checked the list there's a total of 12 certificates required and of those the customer has 4 present on the system however one has already expired (July 2019, the UTN-USERFirst-Object one) and one expires in February this year (Verisign Class 3 CodeSigning 2010 CA) so effectively they need to import ten certificates!

Can I just ask a question about the two files listed at the bottom of the KB article 91697? Am I correct is saying that the .bat file creates the required registry keys and the .reg file imports the actual registry values?

Many thanks,

Nick

Reply
AdithyanT
Employee
Employee
Report Inappropriate Content
Message 10 of 14
‎01-14-2020 07:03 AM

Re: Endpoint Security 10.6.1 Fails to Install

Hi @Nick_B,

That is absolutely correct! You only need one of them to get the job done for you!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC