The Sophos Network Threat Protection installation or update could fail when a Group Policy setting restricts access to the Trusted Publishers certificate store so that only enterprise administrators can manage Trusted Publishers.
The particular Group Policy setting can be found under "\Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings". The "Trusted Publishers" tab allows you to set the "Trusted Publisher" to be one of three values:
When set to 'Allow only enterprise administrators to manage Trusted Publishers', the installation / update of Sophos Network Threat Protection could fail, and the following error appears in the Sophos Network Threat Protection Install Log file, located in C:\Windows\Temp:
AddTrustedPublisher: Catalog file path: C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNTPLWF\SophosNTPLWF.cat
AddTrustedPublisher: Error 0x80070005: Failed to add certificate to certificate store: Access is denied.
CustomAction AddTrustedPublisher returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 14:37:40: InstallFinalize. Return value 3.
To allow the installation / update of Sophos Network Threat Protection to complete, change the Trusted Publishers setting to also allow non-enterprise administrators to manage Trusted Publishers.
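To confirm that a failed install matches this issue, the log can be checked for the AddTrustedPublisher signature shown above. The following PowerShell is an added example, not Sophos code; the function name and the log file-name filter are assumptions, and the sample lines are constructed from the excerpt in this article.

```powershell
# Added example (not Sophos code): flag the AddTrustedPublisher "Access is denied"
# failure from this article in MSI install log lines.
function Find-TrustedPublisherFailure {
    param([string[]]$Line, [string]$Source = '<inline>')
    $catalog = $null; $hresult = $null
    foreach ($l in $Line) {
        # Separate 'if' tests so a log pasted as one run-together line still matches.
        if ($l -match 'AddTrustedPublisher: Catalog file path:\s*(?<p>.+?\.cat)') {
            $catalog = $Matches['p']
        }
        if ($l -match 'AddTrustedPublisher: Error (?<hr>0x[0-9A-Fa-f]{8}): Failed to add certificate to certificate store') {
            $hresult = $Matches['hr']
        }
        if ($hresult -and $l -match 'CustomAction AddTrustedPublisher returned actual error code (?<rc>\d+)') {
            [pscustomobject]@{
                Source       = $Source
                Catalog      = $catalog
                HResult      = $hresult
                MsiError     = [int]$Matches['rc']
                # 0x80070005 is E_ACCESSDENIED: the write to the certificate store
                # was refused, as happens under the restrictive policy value.
                AccessDenied = ($hresult -ieq '0x80070005')
            }
            $catalog = $null; $hresult = $null
        }
    }
}

# Constructed sample, built from the log excerpt quoted in this article.
$sample = @(
    'AddTrustedPublisher: Catalog file path: C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNTPLWF\SophosNTPLWF.cat'
    'AddTrustedPublisher: Error 0x80070005: Failed to add certificate to certificate store: Access is denied.'
    'CustomAction AddTrustedPublisher returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)'
    'Action ended 14:37:40: InstallFinalize. Return value 3.'
)
Find-TrustedPublisherFailure -Line $sample

# Scan real logs. The file-name filter is an assumption based on the log name given above.
$filter = 'Sophos Network Threat Protection Install Log*'
Get-ChildItem -Path 'C:\Windows\Temp' -Filter $filter -File -ErrorAction SilentlyContinue |
    ForEach-Object { Find-TrustedPublisherFailure -Line (Get-Content -LiteralPath $_.FullName) -Source $_.FullName }
```

A result with AccessDenied set to True and MsiError 1603 matches the failure described here; any other HResult points to a different cause.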
Applies to the following Sophos products and versions: Central Windows Endpoint 10.8.3
To allow the installation / update of Sophos Network Threat Protection to complete, change the Trusted Publishers setting in the Group Policy "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings" to either "Allow all administrators and users to manage user's own Trusted Publishers" or "Allow only all administrators to manage Trusted Publishers".
The installation / update of Sophos Network Threat Protection should now complete.