When installing a Windows DCS 6.7.x agent, the installer attempts to copy cacert files to %temp% and the install rolls back.
You have followed the instructions in the following technote, but the install still fails.
You may see a Windows 1603 error code at the bottom of the agentinstall.log located in the %temp% directory. Known MSI errors: MSI (s) (A4:44) [14:26:11:691]: Executing op: ActionStart(Name=efainst_install.C1599C28_9DB3_446E_AC61_80DD180FF696,Description=Registering with SymEFA.,) Action 14:26:11: efainst_install.C1599C28_9DB3_446E_AC61_80DD180FF696. Registering with SymEFA. MSI (s) (A4:44) [14:26:11:707]: Executing op: CustomActionSchedule(Action=efainst_install.C1599C28_9DB3_446E_AC61_80DD180FF696,ActionType=3073,Source=BinaryData,Target=EFAInstall,CustomActionData="C:\Program Files (x86)\Symantec\Data Center Security Server\Agent\IPS\bin\EFAInst.exe" "SYMEFA-CSP" /install /KeepDriverRunning) MSI (s) (A4:08) [14:26:11:722]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI2C91.tmp, Entrypoint: EFAInstall EFAINST_TRACE [14:26:11:816]: --> Starting ValidateCurrentProcess... EFAINST_TRACE [14:26:11:832]: ValidateCurrentProcess (86) - Initializing verify trust... EFAINST_TRACE [14:26:11:832]: ValidateCurrentProcess (103) - Get current process info... EFAINST_TRACE [14:26:11:847]: ValidateCurrentProcess (107) - Check process path... EFAINST_TRACE [14:26:11:847]: ValidateCurrentProcess (127) - Validate process path... EFAINST_TRACE [14:26:12:004]: ValidateCurrentProcess (136) - Process path validated EFAINST_TRACE [14:26:12:019]: <-- ValidateCurrentProcess ended EFAINST_TRACE [14:26:12:019]: --> Starting ExecuteDeferredAction... EFAINST_TRACE [14:26:12:035]: --> Starting ExecuteCustomActionProperty... EFAINST_TRACE [14:26:12:035]: ExecuteCustomActionProperty (83) - Checking if file path exists... EFAINST_TRACE [14:26:12:035]: --> Starting Validate... EFAINST_TRACE [14:26:12:051]: Validate (46) - Initializing verify trust... EFAINST_TRACE [14:26:12:051]: Validate (63) - Verifying file path... EFAINST_TRACE [14:26:12:129]: Validate (68) - Couldn't successfully validate C:\Program Files (x86)\Symantec\Data Center Security Server\Agent\IPS\bin\EFAInst.exe. ccVTErrorType = 3 EFAINST_TRACE [14:26:12:144]: <-- Validate ended EFAINST_TRACE [14:26:12:144]: <-- ExecuteCustomActionProperty ended EFAINST_TRACE [14:26:12:160]: <-- ExecuteDeferredAction ended Action ended 14:26:12: InstallExecute. Return value 3.
The root CA certificate needs to be at least "VeriSign Class 3 Public Primary Certification Authority - G5". Generally, due to GPO, the agent machine can't get to the internet to download the new cacerts file. This causes the installer to fail, and roll back, as the Root CA certificates are needed to complete the install.
Give the agent machine in question internet access so the root CA certificate files can be downloaded during install.
Upgrade your version of Symantec Endpoint Protection to SEP 14.1, as the root CA certificate, VeriSign Class 3 Public Primary Certification Authority - G5, is available in that version.