Windows cannot start driver | Signtool does not work without /pa or /kp switches

I am trying to install and use scanner on win7. The driver installs properly, but cannot start. It shows "This device cannot start" Code 10 error in Device Manager. I tried to test it with Signtool, but I am getting "SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." SignTool Error: File not valid: MS7000MKII.inf when i run the below command

Command C:\Program Files (x86)\Windows Kits\8.1\bin\x86>signTool verify /c MS7000MKII.cat MS7000MKII.inf

But when i try signTool verify /c /kp MS7000MKII.cat MS7000MKII.inf OR signTool verify /c /pa MS7000MKII.cat MS7000MKII.inf

It works fine! But this does not help my case because WIN7 will not install the driver!!

Output : 0 sha1 Authenticode Successfully verified: MS7000MKII.inf

I found information saying that "in order for your file to "verify" properly one needs to include the /pa switch, so that SignTool uses the Default Authentication Verification Policy." which is fine, but windows 7 will not allow my driver to start after it installs because windows uses Windows Driver Verification Policy. I see the same error in my setupapi.dev.log in the inf folder when the driver is starting.

Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 15:15:39.630 sig: {_VERIFY_FILE_SIGNATURE} 15:15:39.630 sig: Key = ms7000mkii.inf

... !!! dvi: Device not started: Device has problem: 0x0a: CM_PROB_FAILED_START.!

Is my cert chain correct? CERT

I have tried going through unsigned driver mode. I have also tried other WIN7 machines. same outcome. Same error. What do i need to do differently to allow the driver to install in Windows 7.

McaFee DLP was blocking the driver