Can't install our app - "certificate in chain-of-trust is failing validation"


We've had a number of support incidents from users with Windows 11 Insider Preview reporting that they can't install our Windows Desktop app. Users with the retail release of Windows 11 (or Windows 10) do not experience this issue.
Our (WiX) installer runs successfully until it gets to the driver installation step. Then it rewinds and quietly exits with no message popup or obvious error.
Despite testing with a variety of different Insider Preview builds, we've so far been unable to reproduce the problem locally. Looking at a verbose setup log contributed by a user, I noticed the following:

DIFXAPP: INFO:   ENTER:  DriverPackageInstallW
DIFXAPP: INFO:   RETURN: DriverPackageInstallW  (0xE0000247)
DIFXAPP: ERROR: encountered while installing driver package 'C:\Program Files\AcmeWidgets\WidgetApp\widget-driver.inf'
DIFXAPP: ERROR: InstallDriverPackages failed with error 0xE0000247
DIFXAPP: RETURN: InstallDriverPackages() 3758096967 (0xE0000247)
CustomAction MsiInstallDrivers returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 21:00:47: InstallFinalize. Return value 3.
MSI (s) (50:CC) [...]: Note: 1: 2265 2:  3: -2147287035 

Our driver is signed with a DigiCert EV Code Signing Certificate:


                                                         Certificate   Certificate   Order
Common name     Product           Status   Order date    start date    expiration    expiration
-------------   ---------------   ------   -----------   -----------   -----------   -----------
Immersed Inc.   EV Code Signing   Issued   27 May 2020   28 May 2020   02 Jun 2022   02 Jun 2022
                2 years


While investigating, I also saw a message/description that mentioned a certificate in the chain-of-trust failing validation. I thought perhaps an intermediate CA cert might have been omitted from one of the Insider Preview builds, so I requested dumps of root, intermediate and third-party certs from a few affected users. My hope was to find a cert included in my test environment that was missing in all of theirs. No such luck, unfortunately; they all seem to have supersets of the certs I have in a fresh Insider Preview test installation.

Can someone please respond with a suggestion on a path forward?


Being unable to reproduce this in a test environment has me completely blocked. I'd really like to hear back from a Microsoft engineer on this.



0 Replies
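Added example, not part of the original post or the poster's code: the quoted log reports the same failure as hex, unsigned decimal and signed decimal, so this sketch normalises every code to a 32-bit value and names the ones defined in the Windows SDK headers. The log text is a constructed copy of the excerpt above, and the function names are hypothetical.

```python
import re

# Constructed sample: a copy of the log lines quoted in the post.
SAMPLE_LOG = r"""DIFXAPP: INFO:   RETURN: DriverPackageInstallW  (0xE0000247)
DIFXAPP: ERROR: InstallDriverPackages failed with error 0xE0000247
DIFXAPP: RETURN: InstallDriverPackages() 3758096967 (0xE0000247)
CustomAction MsiInstallDrivers returned actual error code 1603 (note ...)
MSI (s) (50:CC) [...]: Note: 1: 2265 2:  3: -2147287035
"""

# Names as defined in the Windows SDK headers; anything else stays "unknown".
KNOWN = {
    0xE0000247: "ERROR_DRIVER_STORE_ADD_FAILED (setupapi.h)",
    0x80030005: "STG_E_ACCESSDENIED (winerror.h)",
    1603: "ERROR_INSTALL_FAILURE (winerror.h)",
}

# 0x-prefixed 32-bit hex, or decimals of 4+ digits; skips short fields like 50:CC.
CODE_RE = re.compile(r"(?<![\w.:])(0x[0-9A-Fa-f]{8}|-?\d{4,})(?![\w:])")

def to_u32(text):
    """Hex, unsigned decimal and signed decimal all map to one unsigned 32-bit value."""
    base = 16 if text.lower().startswith("0x") else 10
    return int(text, base) & 0xFFFFFFFF

def classify(value):
    if value & 0xE0000000 == 0xE0000000:
        return "setupapi"  # APPLICATION_ERROR_MASK | ERROR_SEVERITY_ERROR
    if value & 0x80000000:
        return "hresult"   # failure bit set: facility and code are meaningful
    return "plain"         # Win32 or MSI number, no bit layout

def decode(log):
    """Return {value: details} in order of first appearance in the log."""
    found = {}
    for lineno, line in enumerate(log.splitlines(), 1):
        for match in CODE_RE.finditer(line):
            value = to_u32(match.group(1))
            entry = found.setdefault(value, {
                "hex": f"0x{value:08X}", "kind": classify(value),
                "name": KNOWN.get(value, "unknown"), "lines": []})
            if entry["kind"] == "hresult":
                entry["facility"] = (value >> 16) & 0x1FFF
                entry["code"] = value & 0xFFFF
            if lineno not in entry["lines"]:
                entry["lines"].append(lineno)
    return found

if __name__ == "__main__":
    for info in decode(SAMPLE_LOG).values():
        print(info)
```

0xE0000247 only says that adding the package to the driver store failed; the SetupAPI device installation log (%windir%\inf\setupapi.dev.log) on an affected machine normally records which step failed.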