Endpoint certificates are outdated in Nebula

If you cannot find an endpoint in Nebula, it may be due to endpoints having outdated certificates.

Symptoms

• Endpoint is not showing up in Nebula. 

To verify it's an outdated certificate issue, locate %ProgramData%\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt and search for the following error:

• System.Security.SecurityException: Issue with Authenticode signature Error:2148098053

Environments

• Nebula
• Windows endpoints

Cause

Windows endpoints running the endpoint agent require certificates to connect with Nebula. 

Resolution

Option 1 - Install latest Windows Updates (preferred)

In general, to solve this issue, install the latest Windows Updates. Once the computer is up to date, install the endpoint agent software and check Nebula to verify it's connected.

Option 2 - Manual certificate installation

If Windows Updates does not install the certificates or you have disabled automatic update of Certificate Trust Lists (CTLs), you must install the certificates manually under an Administrator account.

1. On the affected endpoint, go to the following repositories and download the corresponding certificates:
   

   Repository	Certificates
   Microsoft	Microsoft Identification Verification Root Certificate Authority 2020
   Digicert	DigiCert Assured ID Root CA DigiCert Global Root CA DigiCert High Assurance EV Root CA DigiCert Trusted Root G4
   Starfield Technologies	Starfield Class 2 Certification Authority Root Certificate - G2
   Sectigo/COMODO	AAA Certificate Services

2. Import security certificates to the Trusted Root Certification Authorities store.
   • Refer to the instructions in Microsoft's article Manage Trusted Root Certificates.
3. For the Verisign Universal Root Certification Authority certificate, export one from an endpoint with a working certificate.
4. Deploy the Malwarebytes Endpoint Agent. If already installed, open an elevated command line prompt and run the following command:

   "C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe" -restart

5. Verify the endpoint is showing in the console. 

Option 3 - CertUtil.exe

Use CertUtil.exe to manually obtain trusted root certificates and CTLs from Windows Update. For more information, see Configure Trusted Roots and Disallowed Certificates.