14.3 RU1 Manager upgrade fails the SQL Express Migration precheck when the certificate is not actually expired.


Article ID: 210426


Updated On:


Endpoint Protection


When attempting to upgrade an Endpoint Protection Manager (SEPM) using an embedded database to 14.3 RU1 or later, the upgrade fails with the following warning: 

This upgrade fails even though the SEPM has enough disk space and the certificate is not about to expire. 


The upgrade runs the following Powershell command to determine when the SEPM's certificate is about to expire:

New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "C:\Users\...\server.crt" | Format-List

If the date format the Powershell command outputs for the expiration date is not in month/day/year format, the certificate expiration will be read incorrectly.  For example:

NotBefore    : 03/04/2020 21:00:00
NotAfter     : 02/05/2021 20:59:59

If these dates are supposed to be April 4th and May 2nd, then the upgrade will fail because the powershell command is providing the date in an unexpected format.  The upgrade will read the certificate expiration as February 5th and not May 2nd. 


Symantec is currently investigating this issue. 

Additional Information