
The tool I use for updating all my apps on Windows 11, called wingetUI, recently throws:

0x8a15005e : The server certificate did not match any of the expected values.

and it does not update the selected Apps as it is supposed to.

As it turns out, my Kaspersky Protection is the source of this issue. I have to disable every single Kaspersky Protection feature so that WingetUI works properly. I have already tried switching the enabled Kaspersky features and restarting the PC each time, which changed nothing.

As one comment says, the issue with Kaspersky must be due to Kaspersky injecting its own certificate. This is probably because the winget enquiry is routed through a Kaspersky server on my own PC in order for the Kaspersky software to supervise it. In conclusion, wingetUI gets the server certificate of Kaspersky Protection which does not match the server certificate of the respective app and throws the error message.

Unfortunately, the issue also applies to Kaspersky Protection features that I really like to use and that actually do not supervise connections like winget, e.g. Kaspersky Safe Money. In conclusion, I have to wait for Kaspersky Protection to push the message 'Protection is offline', which indicates that every single Kaspersky Protection feature is offline, in order for wingetUI to work.

The issue first appeared when I enabled a few more Kaspersky Protection features than I had before. Since then, it seems like the issue appears even when I have just a single random Kaspersky Protection feature enabled, just like I described above.

Unfortunately, I don't remember which critical Kaspersky Protection features I enabled that caused the issue in the first place. However, the problem seems irreversible. So as long as Kaspersky Protection is enabled in any way, it seems to manipulate the expected server certificate.

There may be a slight chance that the issue isn't actually due to the Kaspersky Protection features I enabled in addition to the already existing ones, but to a Kaspersky Protection or WingetUI update falling in the same period. However, I find that very unlikely.

What I am trying next:

  • check whether winget works fine in the shell while Kaspersky Protection is enabled, so it would be an issue exclusively for wingetUI
  • try to enable all Kaspersky Protection features but add wingetUI as an exception
  • Do you have Web Traffic Security enabled in Kaspersky? It can behave like a proxy that injects its certificate. If so, you might need to exclude wingetUI or whatever URL it's trying to connect to
    – Cpt.Whale
    Commented Nov 29, 2023 at 17:47
  • Have you tried to uninstall the certificates that Kaspersky installed? What you want is unrealistic. You cannot simultaneously break TLS connections but expect them to also work.
    – Ramhound
    Commented Dec 1, 2023 at 14:57
  • @Cpt.Whale Thank you very much for your quick answer. You were at least partly right. The issue is indeed due to Kaspersky Protection. I updated my request with the additional detail.
    – SrgtSugar
    Commented Dec 1, 2023 at 15:06
  • @VomitIT-ChunkyMessStyle Thank you very much for your answer. I checked and wingetUI is up to date. As it seems Kaspersky Protection is the issue. You can find further information in my request I just edited.
    – SrgtSugar
    Commented Dec 1, 2023 at 15:12
  • @Ramhound Thank you very much for your time and expertise. Would you kindly explain your proposal a little bit further? Why do I have to uninstall the certificate that Kaspersky installed? Does Kaspersky even work properly then? And what do you mean by I cannot simultaneously break TLS connections but expect 'them' (I guess wingetUI) to also work? Do you mean when Kaspersky Protection 'breaks' the transport layer security connection between wingetUI and the update server of the respective app? Then how did it work before I made those slight changes to my Kaspersky settings?
    – SrgtSugar
    Commented Dec 1, 2023 at 15:23

2 Answers


I found the issue. Easy way: in order for Kaspersky and wingetUI to work at the same time you have to go to (I probably did not translate everything exactly as in the Kaspersky UI) 'Kaspersky protection' -> 'network settings' and disable 'Always check encrypted connections' under the heading 'Supervision of encrypted connections'. You can switch it to 'check encrypted connections on request from protection components', for example, which is the default. You can run every other Kaspersky protection feature on the highest security standards, but 'Always check encrypted connections' has to be disabled.

You can probably also try the way of @Cpt.Whale, who suggests certificate pinning. The advantage of this is obviously that you can still always check encrypted connections with Kaspersky protection.
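A way to verify what this answer describes, added here and not part of the answer: the PowerShell below opens a TLS connection to a host and reports who issued the certificate it actually received, so you can see whether a local inspection proxy is re-signing the connection before and after changing the Kaspersky setting. The host name and the 'Kaspersky' issuer pattern are assumptions; use the host wingetUI fails on and the name of whatever product you run.

```powershell
# Added diagnostic, not from the question or answers: show which CA issued the
# certificate a host presents, so you can tell whether a local TLS inspection
# proxy (such as an AV "check encrypted connections" feature) is re-signing it.
function Get-TlsLeafCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # Pattern expected in the issuer name of an inspection proxy. 'Kaspersky'
        # is an assumption; adjust it to the product installed on the machine.
        [string] $InspectionIssuerPattern = 'Kaspersky'
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever is presented: the point is to inspect it, not to validate it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            $result = [pscustomobject]@{
                Host        = $HostName
                Subject     = $leaf.Subject
                Issuer      = $leaf.Issuer
                Thumbprint  = $leaf.Thumbprint
                NotAfter    = $leaf.NotAfter
                # True when the issuer looks like the local inspection CA, not a public CA.
                Intercepted = [bool]($leaf.Issuer -match $InspectionIssuerPattern)
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
    return $result
}

# Usage: 'example.com' is a placeholder; use the host wingetUI reports the error for.
Get-TlsLeafCertificate -HostName 'example.com' | Format-List
```

If Intercepted is still true after disabling 'Always check encrypted connections', the proxy is still in the path and the pinning error will persist.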


I found winget recently introduced certificate pinning for the Windows Store source, so it won't allow SSL inspection even if your computer trusts Kaspersky. You can disable this for winget with either of:

  • In a Windows domain, use the ADMX template and apply this setting via group policy if you need this to be done on more than one machine.
  • If you just need this to work on your machine, use regedit to create a DWORD named EnableBypassCertificatePinningForMicrosoftStore with a value of 1 at the path HKLM:\Software\Policies\Microsoft\Windows\AppInstaller

Note that this information is only current as of the PR linked above and may change. Per #2879
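The single-machine option above, as an added PowerShell example that is not part of this answer: it sets the policy value the answer names, reads it back, and includes the revert so the pinning bypass can be removed again once it is no longer needed. The key path and value name are the ones given in the answer; the function names are mine.

```powershell
# Added example, not from the answer: apply, check or revert the winget policy
# that bypasses certificate pinning for the Microsoft Store source. Key path and
# value name are taken from the answer. Run from an elevated PowerShell.
$PolicyPath = 'HKLM:\Software\Policies\Microsoft\Windows\AppInstaller'
$ValueName  = 'EnableBypassCertificatePinningForMicrosoftStore'

function Get-StorePinningBypass {
    # Returns $true when the bypass policy is present and set to 1.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Enable-StorePinningBypass {
    # Creates the policy key if missing and sets the DWORD to 1. With this set,
    # winget no longer notices a substituted certificate for the Store source,
    # which is exactly what lets a TLS-inspecting proxy sit in the path.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-StorePinningBypass {
    # Removes the value so winget goes back to enforcing its pinned certificate.
    Remove-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
}

Enable-StorePinningBypass
"Bypass active: $(Get-StorePinningBypass)"
```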
