Deploying the DNS Protection root certificate with Microsoft products sometimes requires you to provide a copy of the certificate in DER format (a .cer file). Windows tends to use this format by default.
When you download the certificate from the DNS Protection Installers page in Sophos Central, the file you get is encoded in the PEM format which is widely used on Mac and other unix-like systems.
You can easily convert the downloaded PEM file to DER format in a Windows .cer file with the certutil command on Windows:
C:\Users\user\Downloads>certutil -decode certificate.pem certificate.cer
If you have access to a Mac, Linux or other similar system that uses openssl, you can use this openssl command:
$ openssl x509 -in certificate.pem -out certificate.cer -outform DER
Once you run this command, you should find a new file certificate.cer which contains the certificate in the DER format preferred by Windows.