During the install of Symantec Endpoint Protection Manager (SEPM) and/or the Symantec Endpoint Protection (SEP) client onto a machine that already has an older SEP client installed and that has no access to the internet, the install fails with the following error:
The installer integrity check failed with error code 0x800b0004. Common causes for this failure include an incomplete download, damaged media, or problems with the Trusted Root certificate store.
All versions of Windows 7, 10 and 11, and Windows Server 2012, 2016, 2019 and 2022.
The root cause is that the currently installed SEP client inspects the code signing certificates on the SEPM and/or SEP client installer and fails to validate them against its own private certificate store, a file named SYMVTCER.DAT kept in the SEP client's definitions folders.
This produces an MSI error very similar to a certificate lookup failure or a failed Certificate Revocation List (CRL) lookup: a generic 'untrusted' verdict for the software being installed. The verdict is logged as an MSI entry, not a SEP client entry, in the CAPI2 Operational log and the Application log.
The install fails on this verdict even if Windows Group Policy is configured not to check new software installs for revoked certificates.
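The following triage script is an added example, not part of the KB article or Broadcom's tooling. It decodes the reported error code, checks whether Windows itself trusts the installer's Authenticode signature, and pulls the CAPI2 chain-build (Event ID 11) and trust-verification (Event ID 41) failures raised under msiexec.exe, so you can confirm you are looking at the MSI-side untrusted verdict described above rather than a damaged download. It assumes an elevated PowerShell session on the failing device; the installer path is a hypothetical placeholder.

```powershell
# Added triage script for the 0x800b0004 failure; not part of the KB article.
# Assumptions: elevated PowerShell on the failing device, and $Installer points at
# the SEPM/SEP setup file (the default path below is hypothetical).
param(
    [string]$Installer = 'C:\Temp\Symantec_Endpoint_Protection_Client.exe'
)

# 1. Decode the HRESULT the installer reported. 0x800B0004 is
#    TRUST_E_SUBJECT_NOT_TRUSTED ("The subject is not trusted for the specified action"):
#    a trust verdict, which is why it is worth checking the trust path before the media.
$hr = 0x800B0004   # PowerShell parses this as a signed Int32, which is what Win32Exception expects
Write-Host ("Installer error 0x{0:X8}: {1}" -f $hr, ([System.ComponentModel.Win32Exception]$hr).Message)

# 2. Ask the Windows trust provider about the installer's signature. A Valid status here
#    means Windows trusts the file; the failing check in this KB is the SEP client's own,
#    separate lookup, so Valid here plus 0x800b0004 from the installer points at SEP.
$sig = Get-AuthenticodeSignature -FilePath $Installer
[pscustomobject]@{
    File          = $Installer
    Status        = $sig.Status
    StatusMessage = $sig.StatusMessage
    Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    SignerValidFrom = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotBefore } else { $null }
    Thumbprint    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
} | Format-List

# 3. Pull CAPI2 Build Chain (11) and Verify Trust (41) failures from the last two hours.
#    The CAPI2 Operational log is disabled by default: enable it, reproduce the failed
#    install, then run this section (and disable the log again when done):
#       wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CAPI2/Operational'
    Id        = 11, 41
    StartTime = (Get-Date).AddHours(-2)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No CAPI2 11/41 events found. Confirm the Operational log is enabled and re-run the install.'
    return
}

# The KB says the verdict surfaces as an MSI entry, so keep events whose raw XML names
# msiexec.exe. If this filter drops everything on your build, remove the Where-Object
# and review all 11/41 events around the install time instead.
$events |
    Where-Object { $_.ToXml() -match 'msiexec\.exe' } |
    Select-Object TimeCreated, Id, TaskDisplayName, Message |
    Format-List
```

Run it once before any remediation to capture the failing state, and again after the client has completed a LiveUpdate session; the 11/41 entries should stop appearing for the same installer.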
Resolution: update the SYMVTCER.DAT files used by the out-of-date SEP client on the failing device.
These files cannot be copied, moved or updated manually. They are delivered only as LiveUpdate content; JDB files and Intelligent Updater packages do not contain them and cannot update SYMVTCER.DAT.
There are four ways to resolve the issue:
1- Run LiveUpdate on the client against the public Symantec LiveUpdate servers.
2- Run LiveUpdate on the client against an internally hosted LiveUpdate Administrator (LUA) that itself updates from the public LiveUpdate servers.
3- Connect the client to a Symantec Endpoint Protection Manager that updates either directly from the public LiveUpdate servers or from a LUA that does.
4- Uninstall the out-of-date client, reboot, then install the new version.
NOTE: In one case the installed SEP client was corrupted, which prevented the SEPM upgrade from continuing. We resolved the issue by using CleanWipe to remove the SEP client, after which the install proceeded without issue.
The SEP client includes functionality to prevent tampered SEPM and/or SEP client software, signed with improper or forged certificates, from installing. This lookup runs as a task external to the actual SEPM or SEP client install and, when it fails, logs CAPI2 Event ID 41 and Event ID 11 errors, even when the machine can reach an internal PKI or WSUS server with up-to-date CRL information.
The failing point in this specific issue is the SYMVTCER.DAT files hosted by the SEP client in its definitions folders.
These files reside under the EFAVTDEFS folder in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions. They contain certificate data for earlier Symantec and Broadcom code signing certificates used by SEP and SEPM during installation, so an out-of-date copy does not know the certificate a newer build is signed with.
When the SEP client performs its own CRL lookup using these out-of-date files to validate the code signing details of a newer Symantec product, it returns an Event ID 41 or Event ID 11 failure to the MSI installer, because it relies on the Windows PKI and crypto functions for the validation attempt. That return code halts the install, since the machine is offline or on a secure LAN segment where neither SEP nor Windows can perform any further CRL lookups.
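The check below is an added example, not part of the KB article or the SEP product. It locates every SYMVTCER.DAT under the client's definitions tree and compares each file's last-write time with the NotBefore date of the certificate that signed the new installer: a store last written before that certificate was issued cannot contain it, which is the condition this article describes. It assumes an elevated PowerShell session on the failing device, SEP default paths under %ProgramData%, and a hypothetical installer path; the date comparison is a heuristic, since the private store's format is not documented here.

```powershell
# Added check for the SYMVTCER.DAT store described above; not part of the KB article.
# Assumptions: elevated PowerShell on the failing device, SEP default paths, and
# $Installer pointing at the SEPM/SEP setup file (the default path is hypothetical).
param(
    [string]$Installer = 'C:\Temp\Symantec_Endpoint_Protection_Client.exe'
)

$defRoot = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions'

# Find every SYMVTCER.DAT under the definitions tree (the KB places them under EFAVTDEFS,
# but recursing avoids hard-coding a versioned subfolder name).
$stores = Get-ChildItem -Path $defRoot -Recurse -Filter 'SYMVTCER.DAT' -File -ErrorAction SilentlyContinue
if (-not $stores) {
    Write-Warning "No SYMVTCER.DAT found under $defRoot. The client install itself may be damaged (see the CleanWipe NOTE above)."
    return
}

# Issue date of the certificate that signed the new installer.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if (-not $sig.SignerCertificate) { throw "$Installer carries no Authenticode signature; nothing to compare against." }
$signerNotBefore = $sig.SignerCertificate.NotBefore
Write-Host ("Installer signer: {0}`nSigner certificate valid from: {1:u}" -f $sig.SignerCertificate.Subject, $signerNotBefore)

# A store last written before the signing certificate existed cannot know about it.
# PredatesSigner = True is a strong hint (not proof) that the client's trust data is
# older than the build you are trying to install.
$stores | ForEach-Object {
    [pscustomobject]@{
        Path           = $_.FullName
        SizeBytes      = $_.Length
        LastWriteTime  = $_.LastWriteTime
        PredatesSigner = ($_.LastWriteTime -lt $signerNotBefore)
    }
} | Format-Table -AutoSize -Wrap
```

Re-run the script after the client has completed a LiveUpdate session against a source that ultimately reaches the public LiveUpdate servers (resolution options 1 to 3): LastWriteTime on the store should move forward and PredatesSigner should report False before you retry the install.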