Certificate error when installing, upgrading, or removing Endpoint Protection

Article ID: 159317


Products

Endpoint Protection

Issue/Introduction

The installation of the Symantec Endpoint Protection (SEP) client fails with a certificate error. Additionally, if you try to use the CleanWipe tool to remove the installation, it also fails.

  • The client installation may fail and roll back to the earlier state. You may see the following message in SEP_INST.log:

    ScriptGen: ShowServiceProgress() Look for timeout starting SepMasterService or other failure loading SIS.dll.

    Additionally, SIS_INST.log may have a message like the following:

    File C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.8268.5000.105\bin64\EFAInst64.exe is not trusted. Verification result: 20
  • If you use CleanWipe, you may see the following:

    Failed to initialize SEPRemovalToolNative. WaitForSingleObject returned 258. Last error: 0. Check C:\WINDOWS\Temp\CleanWipe_timestamp\SepRemovalToolNative_x86.log file.
  • In the MMC Certificates snap-in, you may also see the following:

    An expired Symantec Root CA and an unexpired Symantec205ca in the "Untrusted Certificates" folder.
    When you double-click the Symantec205ca, an error states the following: "This certificate has been revoked by its certification authority"

  • You may see the following error in SEP_INST.log, and the SEP 14.3 installation may roll back to a previous state or fail to roll back entirely.

    "Could not open registry key SYSTEM\CurrentControlSet\Services\SepMasterServiceMig for flushing. Error: 2"

Cause

The computer has not updated the appropriate root certificates and therefore cannot validate the Symantec Endpoint Protection binaries. For example, this issue can occur when:

  • Certificates are removed or blocked by the system administrator
  • The Windows Server base image does not include current valid root certificates
  • Computers are on a protected network that does not have access to run Windows Update

Resolution

To fix this issue, update the root certificates on the computer. If the computer has internet access, launch Windows Update. The download and installation of the updated root certificates occurs automatically in the background. You do not need to take additional action.

If the computer does not have internet access, use the process below to download and then install the necessary files. Multiple certificates are required to properly validate the Symantec Endpoint Protection binaries.

Note: If the required certificates are missing, Symantec Endpoint Protection installs the certificates during installation instead of prompting you to install them. Due to certificate updates, the issue may persist in 14.3 RU4 or 14.3 RU5. 14.3 RU5 P1 and 14.3 RU6 correct this issue.

The Windows interface for adding certificates may look slightly different depending on your version of Windows. Symantec Technical Support does not officially support this process; these instructions are provided for your convenience.

Process to update the necessary root certificates manually:

I. Download the necessary certificates.
II. Add the Certificate snap-in, if needed.
III. Install the Symantec Class 3 Public Primary Certification Authority - G5 certificate.
IV. Install the Symantec Class 3 Code Signing 2010 CA certificate.
V. Install the DigiCert Trusted Root G4 certificate.

 

I. To download the necessary root certificates:

  1. Download Required_6_Certificates_For_Installation.zip at the bottom of this article.
  2. Extract all files from the Required_6_Certificates_For_Installation.zip file into an empty folder.  
  3. Download the intermediate code signing certificate 1663866295216__VeriSign Class 3 Code Signing 2010 CA.cer at the bottom of this article.
  4. Download the DigiCert Trusted Root G4 certificate from https://cacerts.digicert.com/DigiCertTrustedRootG4.crt.
    More information about the DigiCert roots is available here: DigiCert Root Certificates - Download & Test | DigiCert.com
  5. Using an internal network connection, or physical media such as a thumb drive, bring these files to the computer on which you need to update the root certificates.
     

II. To add the Certificate snap-in:

  1. Click Start > Run and then enter MMC.
    The Microsoft Windows Management Console opens.  
  2. Under Console Root, check for Certificates (Local Computer).
    Note: If this snap-in is already present, skip to III. 
  3. Click File > Add/Remove Snap-in. Under Available snap-ins, click Certificates, and then click Add.
  4. In the Certificates snap-in dialogue, click Computer account, and then click Next.
  5. Ensure that Local computer is selected, and then click Finish.
     

III. To install the Symantec Class 3 Public Primary Certification Authority - G5 certificate:

  1. While in the Microsoft Windows Management Console, click to expand Certificates (Local Computer), and then expand Trusted Root Certification Authorities.
  2. Right-click Certificates, and then click All Tasks > Import.
  3. In the Certificate Import Wizard dialogue, click Next.
  4. Click Browse to navigate to VeriSign Class 3 Public Primary Certification Authority – G5.cer. Double-click this file, and then click Next.
    You can find this certificate in the extracted Required_6_Certificates_For_Installation.zip file in the folder RequiredCertificates.
  5. For Certificate Store, ensure you place the certificate into Trusted Root Certification Authorities, and then click Next.
  6. Review the settings, and then click Finish.

The Certificate Import Wizard should report success.
 

IV. To install the Symantec Class 3 Code Signing 2010 CA certificate:

  1. While in the Microsoft Windows Management Console, click to expand Intermediate Certification Authorities.
  2. Right-click Certificates, and then click All Tasks > Import.
  3. Click Browse to navigate to VeriSign_Class_3_Code_Signing_2010_CA.cer. Double-click this file, and then click Next.
  4. For Certificate Store, ensure you are placing the certificate into Intermediate Certification Authorities, and then click Next.
  5. Review the settings, and then click Finish.

The Certificate Import Wizard should report success.

V. To install the DigiCert Trusted Root G4 certificate:

  1. Double-click the file, and then click Open.
  2. Click Install Certificate.
  3. Set the Store Location to Local Machine.
  4. Click Next.
  5. Select Place all certificates in the following store.
  6. Click Browse, and then select the entry Trusted Root Certification Authorities.
  7. Click Next, and then click Finish.

The Certificate Import Wizard should report success.

 

Before following the steps above, it may also be necessary to delete one or more Symantec/VeriSign certificates from the "Untrusted Certificates" folder if they display the following error upon review of the actual root certificate: "This certificate has been revoked by its certification authority". When one of the certificates shows up as 'revoked' even though Symantec/VeriSign did not revoke it, this typically means that the certificate was either moved or copied to the "Untrusted Certificates" store on the local machine.

 

14.3 RU8 requires Microsoft Azure Code Signing (ACS) support. To correctly verify modules signed by Azure Code Signing, computers are required to have the "Microsoft Identity Verification Root Certificate Authority 2020" certificate authority (CA) installed. 
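
The manual steps in sections III to V, the "Untrusted Certificates" review, and the 14.3 RU8 root check can also be scripted from an elevated PowerShell session. The script below is an added example, not part of the original article or any Symantec tooling; the folder C:\Temp\SEPCerts is an assumed location for the files gathered in section I, and the binary path is the one shown in the SIS_INST.log sample above.

```powershell
#Requires -RunAsAdministrator
# Added example. $CertDir is an assumed folder holding the files from section I.
$CertDir = 'C:\Temp\SEPCerts'

# File-name pattern -> LocalMachine store, following sections III, IV and V.
$imports = [ordered]@{
    '*Public Primary Certification Authority*G5.cer' = 'Cert:\LocalMachine\Root'
    '*Class?3?Code?Signing?2010?CA.cer'              = 'Cert:\LocalMachine\CA'
    'DigiCertTrustedRootG4.crt'                      = 'Cert:\LocalMachine\Root'
}

# 1. List Symantec/VeriSign certificates in "Untrusted Certificates".
#    Nothing is deleted here; review each entry before removing it.
Get-ChildItem Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -match 'Symantec|VeriSign' } |
    Format-List Subject, Thumbprint, NotAfter

# 2. Import each certificate into the store the article names and print
#    its thumbprint so it can be compared against a trusted reference.
foreach ($pattern in $imports.Keys) {
    $file = Get-ChildItem -Path $CertDir -Recurse -Filter $pattern |
        Select-Object -First 1
    if (-not $file) { Write-Warning "Not found: $pattern"; continue }
    $cert = Import-Certificate -FilePath $file.FullName `
        -CertStoreLocation $imports[$pattern]
    '{0} -> {1} ({2})' -f $file.Name, $imports[$pattern], $cert.Thumbprint
}

# 3. Check for the root that 14.3 RU8 (Azure Code Signing) requires.
$acsName = 'Microsoft Identity Verification Root Certificate Authority 2020'
$acs = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match $acsName }
if (-not $acs) { Write-Warning "$acsName is not installed." }

# 4. Re-check the signature of the binary named in SIS_INST.log.
$Binary = 'C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.8268.5000.105\bin64\EFAInst64.exe'
if (Test-Path $Binary) {
    Get-AuthenticodeSignature -FilePath $Binary |
        Format-List Status, StatusMessage
}
```

A Status of Valid in the last step indicates that Windows can now build a trusted chain for the binary.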

 

Attachments

Required_Certificates_For_Installation.zip