If you cannot find an endpoint in Nebula, the endpoint may have outdated certificates.
Symptoms
- Endpoint is not showing up in Nebula.
To verify it's an outdated certificate issue, locate %ProgramData%\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt and search for the following error:
- System.Security.SecurityException: Issue with Authenticode signature Error:2148098053
Environments
- Nebula
- Windows endpoints
Cause
Windows endpoints running the endpoint agent require certificates to connect with Nebula.
Resolution
Option 1 - Install latest Windows Updates (preferred)
In general, to solve this issue, install the latest Windows Updates. Once the computer is up to date, install the endpoint agent software and check Nebula to verify it's connected.
Option 2 - Manual certificate installation
If Windows Update does not install the certificates, or you have disabled automatic update of Certificate Trust Lists (CTLs), you must install the certificates manually under an Administrator account.
- On the affected endpoint, go to the following repositories and download the corresponding certificates:
  Repository and certificates:
  - Microsoft
    - Microsoft Identification Verification Root Certificate Authority 2020
  - Digicert
    - DigiCert Assured ID Root CA
    - DigiCert Global Root CA
    - DigiCert High Assurance EV Root CA
    - DigiCert Trusted Root G4
  - Starfield Technologies
    - Starfield Class 2 Certification Authority Root Certificate - G2
  - Sectigo/COMODO
    - AAA Certificate Services
- Import security certificates to the Trusted Root Certification Authorities store.
- Refer to the instructions in Microsoft's article Manage Trusted Root Certificates.
- For the Verisign Universal Root Certification Authority certificate, export one from an endpoint with a working certificate.
- Deploy the Endpoint Agent. If already installed, open an elevated command line prompt and run the following command:
"C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe" -restart
- Verify the endpoint is showing in the console.
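To see which of the certificates above are actually missing or expired before importing anything, the following read-only PowerShell check can be run on the affected endpoint. It is an added example, not Malwarebytes tooling. The subject patterns are assumptions derived from the certificate names listed in this article and are matched loosely, so adjust them if your store uses different names.

```powershell
# Added example: read-only diagnostic, changes nothing on the endpoint.
# Assumption: each pattern is a substring/wildcard of a certificate Subject,
# taken from the names listed in this article (Microsoft and Starfield entries
# use wildcards because the Subject may differ from the article's wording).
$patterns = @(
    'Microsoft Ident*Verification Root Certificate Authority 2020',
    'DigiCert Assured ID Root CA',
    'DigiCert Global Root CA',
    'DigiCert High Assurance EV Root CA',
    'DigiCert Trusted Root G4',
    'Starfield*',
    'AAA Certificate Services',
    'VeriSign Universal Root Certification Authority'
)
$logPath   = Join-Path $env:ProgramData 'Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt'
$errorText = 'Issue with Authenticode signature'

# 1. Confirm the symptom: look for the Authenticode error in the agent log.
if (Test-Path -LiteralPath $logPath) {
    $hits = @(Select-String -LiteralPath $logPath -SimpleMatch -Pattern $errorText)
    if ($hits.Count -gt 0) {
        "Log: $($hits.Count) matching line(s); most recent:"
        $hits[-1].Line
    } else {
        'Log: Authenticode error not found.'
    }
} else {
    "Log: $logPath not found."
}

# 2. Report each expected root in the machine's Trusted Root store.
$roots  = Get-ChildItem -Path Cert:\LocalMachine\Root
$now    = Get-Date
$report = foreach ($p in $patterns) {
    $found = @($roots | Where-Object { $_.Subject -like "*$p*" })
    if ($found.Count -eq 0) {
        [pscustomobject]@{ Pattern = $p; Status = 'MISSING'; NotAfter = $null; Thumbprint = $null }
        continue
    }
    foreach ($c in $found) {
        $status = if ($c.NotAfter -lt $now) { 'EXPIRED' } else { 'Present' }
        [pscustomobject]@{ Pattern = $p; Status = $status; NotAfter = $c.NotAfter; Thumbprint = $c.Thumbprint }
    }
}
$report | Format-Table -AutoSize
```

Compare the reported thumbprints with the values published by each repository before trusting a root that was imported by hand.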
Option 3 - CertUtil.exe
Use CertUtil.exe to manually obtain trusted root certificates and CTLs from Windows Update. For more information, see Configure Trusted Roots and Disallowed Certificates.