Install the missing UTN-USERFirst-Object, Verisign Universal Root Certification Authority, and Verisign Class 3 Public Primary Certification Authority - G5 certificates in the physical Third-Party Trusted Root Certification Authorities store.

Install the missing COMODO RSA Code Signing CA and Verisign Class 3 Code Signing 2010 CA certificates in the physical Intermediate Certification Authorities store.

After installing the certificates, the product installs or upgrades successfully.

McAfee recommends that you install the certificates using Active Directory group policy for wide deployment. For information about how to deploy registry changes using group policy, see the Microsoft article at: https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx.

Deploy the registry change for the Computer policy, not the User policy. Instead of using a Certificate group policy object, use a Registry group policy to make the change directly to endpoint registries, which puts the certificate in the correct store. (Using a Certificate group policy puts the certificate in the wrong certificate store.)

Or, use one of the following methods to install the certificate directly on the system, or remotely using any appropriate administrative deployment method:

• To install the Verisign Class 3 Public Primary Certification Authority - G5, UTN-USERFirst-Object, Verisign Universal Root Certification Authority, COMODO RSA Code Signing CA, and Verisign Class 3 Code Signing 2010 CA certificates:
   
  • Download the file USERFirst_and_VeriSign_and_Comodo.bat.txt in the Attachment section of this article. Rename the file to USERFirst_and_VeriSign.bat and run it.
     
  • Download the file USERFirst_and_VeriSign_and_Comodo.reg.txt in the Attachment section of this article. Rename the file to USERFirst_and_VeriSign.reg and import it.

Or, if you have a single system or only a few systems, to install only the Verisign Class 3 Public Primary Certification Authority - G5 certificate to remediate manually:

Address the issue preventing the automatic update of root certificates on the system.

Microsoft allows the administration of root certificate stores though many group policy objects and automatic updates. For more information, see https://technet.microsoft.com/en-us/library/cc749331(v=ws.10).aspx. The administration of certificate stores is not within the scope of Technical Support.

Use the following solution only if the group policy in effect is preventing the root certificate update:

CAUTION: This article contains information about opening or modifying the registry.

• The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
• Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see the Microsoft Windows registry information for advanced users article.
• Do not run a REG file that is not confirmed to be a genuine registry import file.

1. Change the registry value for HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate from 1 to 0:
   
   NOTE: If you are making this change using group policy for wide deployment, the Group Policy Object (GPO) for this setting is at: Computer Configuration, Administrative Templates, System, Internet Communication Management, Internet Communication settings, Turn off Automatic Root Certificates Update.
   Change Turn off Automatic Root Certificates Update from Enabled to Disabled.
    
   1. Press Windows+R, type regedit, and click OK.
   2. Navigate to: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
   3. Change the value from 1 to 0.
   4. Exit the registry editor.
    
2. If present, remove the registry key ProtectedRoots, which is at HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots:
   1. Press Windows+R, type regedit, and click OK.
   2. Navigate to: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
   3. Right-click ProtectedRoots, select Export, and choose a location in which to save a backup copy.
   4. Right-click ProtectedRoots, select Delete, and click Yes when prompted.
   5. Exit the registry editor.