To comply with Microsoft's Azure Code Signing Program, Sophos must now sign user mode Portable Executables (PE) files using new Azure Code Signed (ACS) digital code signing certificates.   

Operating System support for Azure Code Signing was first made available in September 2021 and will require that operating systems have been updated with the appropriate Windows Updates.  Full details on required updates can be found in Microsoft’s official KB5022661 on this topic. 

In addition to having the required Windows patches, to correctly verify modules signed by Azure Code Signing, devices must have the "Microsoft Identity Verification Root Certificate Authority 2020" certificate authority (CA) installed.

Customers will first start noticing this starting from this week if performing new installations to older versions of Windows Operating Systems that aren’t patched to support ACS. Details on the install error you will see, the impacted Windows OS versions, and steps to resolve can be found in KB-000045019.  

This will also impact existing installed devices as Sophos starts rolling out the 2023.1 version of the Sophos Central Endpoint/Server from the start of June.  On devices that do not support ACS, some components will fail to install, and an alert will be raised in Sophos Central detailing that a device does not support ACS and referring to our KB on the topic. The KBA above also provides details on the behaviour that will be seen on an existing install.