The installation of the Symantec Endpoint Protection (SEP) client fails with a certificate error. Additionally, if you try to use Cleanwipe tool to remove the installation, it also fails.
The computer has not updated the appropriate root certificates and therefore cannot validate the Symantec Endpoint Protection binaries. For example, this issue can occur:
To fix this issue, update the root certificates on the computer. If the computer has internet access, launch Windows Update. The download and installation of the updated root certificates occurs automatically in the background. You do not need to take additional action.
If the computer does not have internet access, use the process below to download then install the necessary files. Multiple certificates are required to properly validate the Symantec Endpoint Protection binaries.
Note: If the required certificates are missing, Symantec Endpoint Protection installs the certificates during installation instead of prompting you to install them. Due to certificate updates the issue may persist in 14.3 RU4 or 14.3 RU5. 14.3 RU5 P1, and 14.3 RU6 correct this issue.
The Windows interface for adding certificates may look slightly different depending on your version of Windows. Symantec Technical Support does not officially support this process; these instructions are provided for your convenience.
Process to update the necessary root certificates manually:
I. Download the necessary certificates.
II. Add the Certificate snap-in, if needed.
III. Install the Symantec Class 3 Public Primary Certification Authority - G5 certificate.
IV. Install the Symantec Class 3 Code Signing 2010 CA certificate.
V. Install the DigiCert Trusted Root G4 certificate
I. To download the necessary root certificates:
II. To add the Certificate snap-in:
III. To install the Symantec Class 3 Public Primary Certification Authority - G5 certificate:
The Certificate Import Wizard should report success.
IV. To install the Symantec Class 3 Code Signing 2010 CA certificate:
The Certificate Import Wizard should report success
V. To Install the DigiCert Trusted Root G4 certificate using the following steps:
The Certificate Import Wizard should report success.
It may also be necessary to delete one or more Symantec/Verisign certificates in the "Untrusted Certificates" folder that display the following error upon review of the actual root certificate "This certificate has been revoked by its certification authority" before following the steps above. When you discover that one of the certificates shows up as 'revoked' even though Symantec/Versign did not revoke the certificates, it typically means that the certificate was either moved or copied to the "Untrusted Certificates" store on the local machine.
14.3 RU8 requires Microsoft Azure Code Signing (ACS) support. To correctly verify modules signed by Azure Code Signing, computers are required to have the "Microsoft Identity Verification Root Certificate Authority 2020" certificate authority (CA) installed.