Newish install here, I have a number of sites on and off the corporate network working properly with upgrading/deploying blades/clients to.

When I try to upgrade or deploy blades in my china office I get a package validation error. When check the support sk's I show the error should be the CA isn't trusted for signing. However it is trusted. 

I created a simple test where I setup a new VM win10 machine and installed the full client eps.msi maually, it works fine. But if I try to push a new blade/version/etc then it fails. 

I took the same VM and moved it back to a site in the US for testing and once it boots up and contacts the server it runs the installer just fine. 

My guessing is CN playing games with the download of the installers maybe? I don't see anything in the logs, the endpoint can update malware defs, contact (internal) policy server/etc.

The site is over a fairly open ipsec link, and I have checked to see if anything is being dropped but not seeing anything.

Any ideas? I looked for logs via sk100891 but didn't find any of them.  Wanted to see if anyone had seen this before I have to open up a case. 

Thanks!