Hi, and thank you! Yes, we do have the .reg file and .bat files. For some reason, when deploying the certs via GPO, they are not populating to the Third-Party trusted root store. (They are going into Trusted Root). Is it true that the GPO must be a "registry" GPO in order to place them in the correct certificate store? Thank you for the info on EEDK, I will try to use this as a last resort.

That is quite possible, I haven't tried using gpo for that.

Here is the wording from the KB article when posted on 5/31: Deploy the registry change for the Computer policy, not the User policy. Instead of using a Certificate group policy object, which puts the certificate in the wrong certificate store, use a Registry group policy to make the change directly to endpoint registries, which puts the certificate in the correct store. If I view that KB article today, it states: Deploy the registry change for the Computer policy, not the User policy. For example instructions on adding a certificate using group policy, see KB92948. I have an SR open with McAfee regarding clarification around what stores the certificates need to be in, but I have yet to receive a concrete answer. If we deploy via GPO, the first set of certs are installed in the Trusted Root store (McAfee says they should be in Third Party trusted root). If I run the .bat or .reg import they are installed in Third Party trusted root. I would prefer our environment be updated by GPO but I am unable to get clarification. Thanks for your help. 4-21292441511

I see some in both trusted root and 3rd party trusted root, so I am not sure if it is critical or not as to which one.  You can let your SR owner clarify that with dev.  Otherwise I can ask them on a call Wednesday with them.

That would be great if you could ask the question. Right now I am being told that if they exist in Trusted Root, it will be okay. However, that does not align with the KB article that specifically states they must exist in Third-Party root and Intermediate. I have asked that my SR be escalated for clarification. We are getting ready to roll out 10.7 and also perform upgrades to ENS 10.7 and I need to have these certs in their correct stores PRIOR to rolling out a large upgrade which is currently scheduled for 10/1. Any help is certainly much appreciated. Thanks!

I received confirmation from Technical Support that the certificates must exist in the Intermediate store (CA) and the Third-Party store (AuthRoot) according to KB article below:  

https://kc.mcafee.com/corporate/index?page=content&id=KB91697

 

The specific questions I asked were: 

1.  Can they exist in BOTH Trusted Root and Third-Party Root? 

Answer:  Technically, yes  (since Third-Party Root is a subset of the Trusted Root certification authorities, it should work fine) 

2.  Can they exist in Trusted Root ONLY (and not in Third-Party Root)?

Answer:  They did not say yes or no (I believe the answer is no).  Technical Support advises to follow best practice to ensure no issues are encountered.  They advise to follow the KB article and ensure the respective certificates are in the Third-Party Root store.