Steps to have App Control agent(s) ignore CERT_TRUST_IS_PARTIAL_CHAIN errors on the Counter Signature Chain, and rely solely on the Certificate Chain used by the Publisher for the Code Signing Chain.

Publisher[Microsoft (IneligibleForApproval: CounterChainIdx[1] CertId[123] ValidationError[...CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_IS_OFFLINE_REVOCATION...

• App Control Server: All Supported Versions
• App Control Agent: All Supported Versions

1. Login to the Console and navigate to: https://YourServerAddress/agent_config.php
2. Choose: Show Filters > Add Filter > Value > contains: ignore_partial_chain_on_countersignatures
3. Click the pencil icon on the resulting Agent Config and change the Value to: ignore_partial_chain_on_countersignatures=1
4. Click Save
5. Allow the agents some time to receive the updated CL Version and to run a CC check to approve the files that were previously signed by trusted publisher, but their approvals failed due to countersignature error

• Additional information on this subject can be found here:
  • Files by Approved By Publisher Being Blocked - IneligibleForAppoval: ChainIdx[X] CounterChainIdx[X] CertId[XX]
• Although this setting is not recommend, it's been created to help facilitate Publisher Approvals in environments where the Counter Certificate Chain is incomplete and can not easily be fixed.
• In order to maintain the highest security posture, Carbon Black strongly recommends pushing out the missing certificates in the chain.
• This Agent Config was made available with the release of Server & Agent version 8.1.4.