Level 8
Message 1 of 4

"new required" Certificates missing from PCs

Hi,

As part of a ticket we have open, the McAfee technician pointed us to this article to check whether or not certificates were installed on our PCs: https://kc.mcafee.com/corporate/index?page=content&id=KB91697 The article seems to indicate that the certificates are NOT automatically distributed, while at the same time blaming users for not already having the certificates installed.

Which is the definition of madness.

Can anyone actually indicate whether or not, on Windows 10 1909 in a normal working environment, these certificates should be present? What I am trying to figure out is if Windows should already have them or if it is always required to manually install them.

By the way, the way that McAfee recommends that you check for the presence of the certificates is ridiculously tedious. You can do it this way in 1 second.

$thumbprints = @(
    '02FAF3E291435468607857694DF5E45B68851868',
    'A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250',
    'B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47',
    'D69B561148F01C77C54578C10926DF5B856976AD',
    '0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71',
    '090D03435EB2A8364F79B78CB173D35E8EB63558',
    'F1E7B6C0C10DA9436ECC04FF5FC3B6916B46CF4C',
    'CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32',
    'B1BC968BD4F49D622AA89A81F2150152A41D829C',
    '17661DFBA03E6AAA09142E012D216864F01D1F5E',
    '8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3',
    'EAB040689A0D805B5D6FD654FC168CFF00B78BE3',
    '2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E',
    'E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46',
    '495847A93187CFB8C71F840CB7B41497AD95C64F',
    '3679CA35668772304D30A5FB873B0FA77BB70D54'
)
# Lists every certificate in any CurrentUser or LocalMachine store whose SHA-1 thumbprint is on the list
Get-ChildItem Cert:\ -Recurse | Where-Object { $thumbprints -contains $_.Thumbprint }

I have attached the XML file required to import the missing certificates to the registry via GPO (which McAfee, I guess, decided not to supply for some reason) in case anyone else is dealing with this problem. I just took the .reg file from the URL above and converted it into XML.

I still have NO IDEA what problem McAfee thinks the missing certificates are causing but for some reason the technician really wanted me to install these certificates.

3 Replies
McAfee Employee
Message 2 of 4

Re: "new required" Certificates missing from PCs

Hi @enxl ,

In a regular Windows 10 1909 environment, the certificates WILL be present. The Windows root certificate autoupdate feature is enabled by default, and will handle the automatic installation of these root certificates as long as the system has access to the internet.

If you PM me your service request number I can give you a more detailed explanation as to the specific reason why you're being asked to install these certificates. The main reason behind needing these certificates, however, is that we have been progressively updating the certificate with which we sign our product's executables. This new certificate's chain ends at newer root certificates, which are not always present on all systems, especially those that either have the root auto-update feature disabled by GPO or do not have direct internet access.

Hopefully this helps.

Thank you,
Mitchell Buehler

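The reply above names two conditions under which a newer root would be absent: root auto-update turned off by GPO, or no outbound access to Windows Update. The PowerShell script below is an added example, not code from this thread or from McAfee. It builds the Authenticode chain of a signed executable using only what the local stores can verify, prints every element of the chain with its status, reports whether the chain reaches a root on the KB91697 list or stops short, and then reads the registry value that the "Turn off Automatic Root Certificates Update" policy sets. The McAfee executable path is an assumption you supply; notepad.exe is only a stand-in default so the script runs on any Windows 10 machine.

```powershell
# Added example, not code from the thread or from McAfee.
param(
    # Stand-in: replace with the McAfee executable you were asked about.
    # notepad.exe is used only because it is signed on every Windows 10 install.
    [string]$Path = "$env:windir\System32\notepad.exe"
)

# Root thumbprints quoted in the original post (duplicates removed).
$KbRoots = @(
    '02FAF3E291435468607857694DF5E45B68851868', 'A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250',
    'B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47', 'D69B561148F01C77C54578C10926DF5B856976AD',
    '0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71', '090D03435EB2A8364F79B78CB173D35E8EB63558',
    'F1E7B6C0C10DA9436ECC04FF5FC3B6916B46CF4C', 'CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32',
    'B1BC968BD4F49D622AA89A81F2150152A41D829C', '17661DFBA03E6AAA09142E012D216864F01D1F5E',
    '8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3', 'EAB040689A0D805B5D6FD654FC168CFF00B78BE3',
    '2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E', 'E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46',
    '495847A93187CFB8C71F840CB7B41497AD95C64F', '3679CA35668772304D30A5FB873B0FA77BB70D54'
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status for ${Path}: $($sig.Status)"
if (-not $sig.SignerCertificate) { throw "$Path carries no Authenticode signature to chain" }

# No revocation lookups: the only question is whether the local stores can
# take this signer all the way up to a trusted root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($sig.SignerCertificate)   # ChainElements is populated even when Build returns $false

$depth = 0
foreach ($el in $chain.ChainElements) {
    $status = @($el.ChainElementStatus | ForEach-Object Status) -join ','
    if (-not $status) { $status = 'OK' }
    '[{0}] {1}' -f $depth, $el.Certificate.Subject
    '     thumbprint={0} status={1}' -f $el.Certificate.Thumbprint, $status
    $depth++
}

# The last element is as far up as the local stores let the chain go.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Subject -eq $top.Issuer) {
    if ($KbRoots -contains $top.Thumbprint) {
        "Chain ends at a root on the KB91697 list: $($top.Thumbprint)"
    } else {
        "Chain ends at a self-signed root that is NOT on the KB91697 list: $($top.Thumbprint)"
    }
} else {
    "Chain is partial: no local store holds the issuer of '$($top.Subject)' ($($top.Issuer))"
}
$chain.Dispose()

# The GPO "Turn off Automatic Root Certificates Update" sets this value to 1.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disabled = (Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
if ($disabled -eq 1) {
    'Root auto-update is DISABLED by policy; a missing root will not be fetched on demand.'
} else {
    'Root auto-update is not disabled by policy (it still needs outbound access to Windows Update to work).'
}
```

Run it before and after applying the GPO import from the first post and compare the top of the chain. One caveat: building a chain is exactly the operation that triggers root auto-update, so on an online machine with the feature enabled the missing root may appear in LocalMachine\Root as a side effect of running this script; on an offline or policy-disabled machine the chain stays partial, which is the situation the reply describes.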
Level 8
Message 3 of 4

Re: "new required" Certificates missing from PCs

Hello,

To follow up on your claim that these certificates should exist on Windows 10 1909:

I ran this command to generate a freshly updated SST file.

CertUtil -generateSSTFromWU RootStore.sst

I then double-clicked on it, went to the store, chose Find Certificates, and selected the .SST file in "Find in".

I searched for the SHA1 for several of the certificates and the ones that were missing from my PC were also missing from Windows' SST file. For example if you search for A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250 it is not in the store.

So how exactly would those certificates pre-exist on a Windows machine if they are not in Microsoft's repository? Where are they "supposed" to be coming from?

According to my research these certificates will ALWAYS be missing from Windows unless they are manually installed:

$alwaysMissing = @(
    'A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250',
    '0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71',
    '090D03435EB2A8364F79B78CB173D35E8EB63558',
    'F1E7B6C0C10DA9436ECC04FF5FC3B6916B46CF4C',
    'CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32',
    '17661DFBA03E6AAA09142E012D216864F01D1F5E',
    '8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3',
    'EAB040689A0D805B5D6FD654FC168CFF00B78BE3'
)
# Returns nothing on a machine where none of these are installed
Get-ChildItem Cert:\ -Recurse | Where-Object { $alwaysMissing -contains $_.Thumbprint }

please correct me if I am wrong.
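The post above tests whether the thumbprints exist in the root list Windows Update publishes, which is the list root auto-update draws from; the first post tests whether they exist in the local stores. The PowerShell script below is an added example, not code from this thread or from McAfee, that does both in one pass: it generates the SST with the same certutil command, loads it with X509Certificate2Collection.Import (which reads .sst files directly), indexes every certificate under Cert:\, and prints one row per thumbprint from the original post saying whether it is in the Windows Update list, whether it is in any local store, and which stores. The temp-file location is an assumption.

```powershell
# Added example, not code from the thread or from McAfee.
# Thumbprints from the original post (duplicates removed).
$Thumbprints = @(
    '02FAF3E291435468607857694DF5E45B68851868', 'A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250',
    'B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47', 'D69B561148F01C77C54578C10926DF5B856976AD',
    '0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71', '090D03435EB2A8364F79B78CB173D35E8EB63558',
    'F1E7B6C0C10DA9436ECC04FF5FC3B6916B46CF4C', 'CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32',
    'B1BC968BD4F49D622AA89A81F2150152A41D829C', '17661DFBA03E6AAA09142E012D216864F01D1F5E',
    '8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3', 'EAB040689A0D805B5D6FD654FC168CFF00B78BE3',
    '2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E', 'E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46',
    '495847A93187CFB8C71F840CB7B41497AD95C64F', '3679CA35668772304D30A5FB873B0FA77BB70D54'
)

# Assumed location for the generated store; the command is the one from the post
# and needs outbound access to Windows Update.
$sst = Join-Path $env:TEMP 'RootStore.sst'
& certutil.exe -generateSSTFromWU $sst | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $sst)) {
    throw "certutil could not generate $sst (exit code $LASTEXITCODE)"
}

# X509Certificate2Collection.Import understands serialized stores (.sst).
$wu = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$wu.Import($sst)
$wuIndex = @{}
foreach ($c in $wu) { $wuIndex[$c.Thumbprint] = $c }
"Windows Update root list contains $($wu.Count) certificates"

# Index every certificate object under Cert:\ (CurrentUser and LocalMachine);
# containers (store locations and stores) have no thumbprint and are skipped.
$localStores = @{}   # thumbprint -> store paths it was found in
$localCert   = @{}   # thumbprint -> first certificate object seen
Get-ChildItem Cert:\ -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $t = $_.Thumbprint
    if (-not $localStores.ContainsKey($t)) { $localStores[$t] = @(); $localCert[$t] = $_ }
    $localStores[$t] += ($_.PSParentPath -replace '^.*::')   # e.g. LocalMachine\Root
}

foreach ($t in $Thumbprints) {
    $inWu    = $wuIndex.ContainsKey($t)
    $inLocal = $localStores.ContainsKey($t)
    $subject = ''
    if ($inWu)        { $subject = $wuIndex[$t].Subject }
    elseif ($inLocal) { $subject = $localCert[$t].Subject }
    [pscustomobject]@{
        Thumbprint          = $t
        InWindowsUpdateList = $inWu
        InLocalStore        = $inLocal
        LocalStores         = ($localStores[$t] -join '; ')
        Subject             = $subject
    }
}
```

Reading the output: a thumbprint that is in the Windows Update list but not in a local store is one root auto-update can still fetch on demand, so a clean machine lacking it is not by itself a misconfiguration. A thumbprint that is absent from the Windows Update list cannot arrive through root auto-update at all and has to be deployed some other way, for example the GPO import attached to the first post.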

Level 8
Message 4 of 4

Re: "new required" Certificates missing from PCs

We have the exact same issue right now. McAfee is telling us that we are missing root certificates, but if you look into https://docs.microsoft.com/en-us/security/trusted-root/participants-list the certificates McAfee says should be present are not in the trusted root program anymore, most likely because they are old SHA-1 certificates and SHA-1 is on its way out.

Our theory is that McAfee has used old certificates to sign their code, and needs to update the signing instead of asking customers to have old SHA-1 certificates present.

Kim M. Bruun