After upgrading Symantec Endpoint Protection Manager to version 14.3 RU1, LiveUpdate stops working properly.

This issue may be caused by at least two different root causes.

1. Microsoft Windows has out of date root certificates.
2. The Symantec Endpoint Protection Manager communicates through a proxy that has a custom SSL certificate assigned.

To resolve this issue, first ensure that Microsoft Windows has the latest root certificates installed. Root certificates are normally updated via Windows Update, but may also be updated using other methods. Digicert root certificates can also directly downloaded from here:

https://www.digicert.com/kb/digicert-root-certificates.htm

If a proxy is in use, and the proxy uses custom SSL certificates, you may need to add certificate information to your trusted root certificate store by following the instructions below.

Before following the steps below, you will need to determine how the SSL certificate for your proxy server was created and/or signed.

If the SSL certificate was signed by a CA certificate, you will want to import the signing CA certificate. If the SSL certificate is instead signed by an intermediate CA certificate, you will want to import the intermediate CA certificate. If the SSL certificate is self-signed, you will want to import the self-signed certificate itself.

1. Obtain the certificate that you need to import, as indicated above, and copy it to a convenient location on the computer that is running the Symantec Endpoint Protection Manager software.
2. Launch the Microsoft Management Console: Start -> Run -> mmc.exe
3. Click on "File -> Add/Remove Snap-in".
4. Click on the "Certificates" snap-in in the list of "Available snap-ins" to highlight it, then click on the "Add" button.
5. Check the radio button next to "Computer account", then click on the "Next" button.
6. Ensure the radio button next to "Local computer" under the "This snap-in will always manage" is checked, then click on the "Finish" button.
7. Click on the "OK" button to finish adding the snap-in to the console.
8. Expand "Certificates (Local Computer)" on the left pane by clicking on the right-facing arrow symbol.
9. Right-click on "Trusted Root Certification Authorities" on the left pane, then click on "All Tasks -> Import..."
10. Click on the "Next" button, then click on the "Browse..." button to browse to the SSL certificate for your proxy server, highlight the file in the "Open" dialogue to choose it for import, then click on the "Open" button, then click on the "Next" button.
11. Ensure the radio button next to "Place all certificates in the following store" is checked, and that "Trusted Root Certification Authorities" is listed in the text box under the "Certificate store" label, then click on the "Next" button.
12. Click on the "Finish" button to complete the certificate import process.

Lux.log will show the following error:

12:30:37.650755  Result Message: FAIL - failed to select server
12:30:37.651756  [Server - START]
12:30:37.652755   Host ID: {A5613BB9-8F7A-4F34-A3CA-B1A50644A6AE}
12:30:37.654755   Status Code: 1
12:30:37.654755   Status Message: Server was not selected
12:30:37.655755   Transport Return Code: 0x80010731
12:30:37.656755   Transport Return Message: FAIL - download failed
12:30:37.657755   Protocol: HTTPS
12:30:37.657755   Hostname: liveupdate.symantecliveupdate.com
12:30:37.658755   Port: 443
12:30:37.659755   Path: 
12:30:37.662755   Proxy ID: {00000000-0000-0000-0000-000000000000}
12:30:37.675754   Proxy Bypass: false
12:30:37.676755  [Server - END]

Debug logging for Symantec Endpoint Protection Manager's LiveUpdate process will reference either of the following errors depending on which certificate is untrusted:

TRACE_DEBUG : TRACE_LEVEL_ERROR : lux::CCurlTransport::DownloadFile : curlTransport_cpp695 :Failed to download file: error 60, SSL certificate problem: unable to get local issuer certificate

or

TRACE_DEBUG : TRACE_LEVEL_ERROR : lux::CCurlTransport::DownloadFile : curlTransport_cpp695 :Failed to download file: error 60, SSL certificate problem: self signed certificate in certificate chain