Hi McAfee Community,
One of our customers is having issues installing ENS 10.6.1 on a Windows Server 2008 R2 VM.
It fails to install or upgrade from ePO (v5.9.1). We saw an error - "Trust Verification failed" - in one of the logs, the Status Monitor if memory serves me correctly.
The customer completely removed all McAfee products using the Endpoint Removal Tool and started from scratch - McAfee Agent 22.214.171.124 installed without issue.
When the customer attempts the install locally, using the Standalone ENS Package by running SetupEP.exe as an Administrator, it appears to do nothing whatsoever. No CPU activity, no errors, nada.
We checked the local logs in %temp%\McAfeeLogs and found these lines in the McAfee_MfeEpAac_date/time.log, which suggest that missing root and/or intermediate certificates on the server may be the cause.
01-08 08:24:14  VTP LazyInit, LastErr 0x800b0109 A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
01-08 08:24:14  Found C:\Windows\syswow64\WINTRUST.dll
01-08 08:24:14  Found C:\Windows\syswow64\CRYPT32.dll
01-08 08:24:14  Found C:\Windows\syswow64\MSASN1.dll
01-08 08:24:14  Parent is not Installer, LastErr 0x800b0109 A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
01-08 08:24:14  VerifyParentEntryPointIsMcAfeeSigned: VerifyProcess PID LastErr 0x800b0109 A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
01-08 08:24:14  Parent is not McAfee, so install cannot contiune
01-08 08:24:14  Exit: LastErr 0x800b0109 A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Has anyone else seen or experienced this kind of error? I'd be interested to hear from you!
Your best bet for a starting point based on the info you've provided will be to check out the workaround in this KB for installing the needed root certs: https://kc.mcafee.com/corporate/index?page=content&id=KB91697
Thank you for your post! I am sure @mbuehler has already provided you the solution. Most of the time we find the root cause to be this:
The group policy in effect prevents the root certificate update:
Please check if this is true in your case as well!
Indeed, that seems to be the most likely cause, so I'm waiting to hear back from the customer now that I've explained what I found and what the solution is.
Thanks! As soon as I hear back I'll give some kudos and Accept as Solution 😉
Many thanks for your responses!
The customer responded to say he has checked on the system in question and the two registry keys referenced do not exist (listed below for convenience).
He also located the Certification Authorities and found they already have a good number of root certificates, as seen below:
and also Third-Party Root...
Is there something we're missing at all? It all appears to be in order.
Look forward to hearing from you!
Hi guys & girls,
Having taken a closer look at the screenshots, and also noting the specific entries from KB91697, I could only locate one of the certs from the Third-Party Root Certification Authority list - UTN-UserFirst-Object, although it expired in July 2019 - and one from the Intermediate Certification Authorities - COMODO RSA Code Signing CA, which was still valid.
So they will need to acquire and import all of the missing certs?
Thanks for your help, guys!
Yes, please ensure the clients have those updated certs installed. All of them are required, otherwise the installation is likely to fail. Amongst other things, we need these certs to perform vital validation lookups and therefore these need to be present on the machine.
Thanks again. Having checked the list, there's a total of 12 certificates required, and of those the customer has 4 present on the system; however, one has already expired (July 2019, the UTN-USERFirst-Object one) and one expires in February this year (Verisign Class 3 CodeSigning 2010 CA), so effectively they need to import ten certificates!
Can I just ask a question about the two files listed at the bottom of the KB article 91697? Am I correct in saying that the .bat file creates the required registry keys and the .reg file imports the actual registry values?
That is absolutely correct! You only need one of them to get the job done for you!
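An added example, not part of the thread or of KB91697: a PowerShell check that looks in the machine certificate stores for the three certificates named in this thread and reports whether each is missing, expired, or close to expiry. The function name `Test-RequiredCert` and the 60-day warning window are assumptions made for illustration; the remaining certificates from the KB's list of 12 would have to be added to `$needed` from the KB itself.

```powershell
# Added example: checks the LocalMachine certificate stores for the certificates
# named in this thread. The full list of 12 is in KB91697 and is not reproduced here.
# Names are as the posters wrote them; the wildcard absorbs spacing differences.
$needed = @(
    'UTN-USERFirst-Object',
    'COMODO RSA Code Signing CA',
    'VeriSign Class 3 Code*Signing 2010 CA'
)

# Store name under Cert:\LocalMachine -> label shown in the Certificates snap-in
$stores = @{
    'Root'     = 'Trusted Root Certification Authorities'
    'AuthRoot' = 'Third-Party Root Certification Authorities'
    'CA'       = 'Intermediate Certification Authorities'
}

function Test-RequiredCert {
    param([string[]]$Names, [int]$WarnDays = 60)   # WarnDays: assumed threshold
    $now = Get-Date
    foreach ($name in $Names) {
        $found = $false
        foreach ($store in $stores.Keys) {
            $certs = @(Get-ChildItem "Cert:\LocalMachine\$store" |
                Where-Object { $_.Subject -like "*CN=$name*" })
            foreach ($c in $certs) {
                $found = $true
                if     ($c.NotAfter -lt $now)                    { $state = 'EXPIRED' }
                elseif ($c.NotAfter -lt $now.AddDays($WarnDays)) { $state = 'EXPIRING SOON' }
                else                                             { $state = 'OK' }
                New-Object PSObject -Property @{
                    Certificate = $name; Store = $stores[$store]
                    NotAfter = $c.NotAfter; Thumbprint = $c.Thumbprint; State = $state
                }
            }
        }
        if (-not $found) {
            # No store held a certificate whose subject matches this name
            New-Object PSObject -Property @{
                Certificate = $name; Store = '(not found)'
                NotAfter = $null; Thumbprint = $null; State = 'MISSING'
            }
        }
    }
}

Test-RequiredCert -Names $needed |
    Select-Object Certificate, State, Store, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the affected server; it only reads the stores and uses syntax available in the PowerShell 2.0 that ships with Windows Server 2008 R2.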