Sophos Network Threat Protection: Installation fails with Error 0x80070005 - Failed to add certificate to certificate store: Access is denied.

  • Article ID: 134874
  • Updated: 14 Nov 2019
  • 0 people found this helpful
  • Available in: English | Español | Italiano | 日本語 | Français | Deutsch

Overview

Due to a Group Policy setting to restrict access to the Trusted Publishers certificate store to allow only enterprise administrators to manage Trusted Publishers, the Sophos Network Threat Protection installation or update could fail.

The particular Group Policy setting can be found under "\Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings". The "Trusted Publishers" tab allows you to set the "Trusted Publisher" to be one of three values:

  • Allow all administrators and users to manage user's own Trusted Publishers
  • Allow only all administrators to manage Trusted Publishers
  • Allow only enterprise administrators to manage Trusted Publishers.

When set to 'Allow only enterprise administrators to manage Trusted Publishers', the installation / update of Sophos Network Threat Protection could fail and the following error can be seen in the file Sophos Network Threat Protection Install Log that is located in C:\Windows\Temp:

AddTrustedPublisher: Catalog file path: C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNTPLWF\SophosNTPLWF.cat
AddTrustedPublisher: Error 0x80070005: Failed to add certificate to certificate store: Access is denied.
CustomAction AddTrustedPublisher returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 14:37:40: InstallFinalize. Return value 3.

To allow the installation / update of the Sophos Network Threat Protection to complete, change the Trusted Publishers setting to also allow non enterprise administrators to manage Trusted Publishers.

The following sections are covered:

Applies to the following Sophos products and versions
Central Windows Endpoint 10.8.3

What to do

To allow the installation / update of Sophos Network Threat Protection to complete, change the Group Policy "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings" to either "Allow all administrators and users to manage user's own Trusted Publishers" or "Allow only all administrators to manage Trusted Publishers".

  1. Open the Group Policy Settings editor  (Start > Run > gpedit.msc)
  2. Navigate to the 'Certificate Path Validation Settings' (Computer Configuration\Windows Settings\Security Settings\Public Key Policies\) 
  3. Switch to the 'Trusted Publishers' tab
  4. Change the 'Trusted Publisher management' to either "Allow all administrators and users to manage user's own Trusted Publishers" or "Allow only all administrators to manage Trusted Publishers".
  5. Click 'OK' to save your changes.

The installation / update of Sophos Network Threat Protection should now complete.

Related information

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Feedback and contact

If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.
This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Article appears in the following topics

Did this article provide the information you were looking for?

Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.

Sophos Footer