Advisory: Sophos Central Windows Endpoints/Servers

Sophos Central Windows Endpoints/Servers: Installation failure due to components SME64/EFW64

Issue

The Sophos installation fails and references the following two components:
  • SME64
  • EFW64

When running interactively, the following warning will be displayed:

[Image: installer warning shown when running interactively]

If running the installation as part of a task sequence, such as SCCM, the task sequence execution engine will report a failure to install.

Product and Environment

  • Sophos Central Windows Endpoint Core Agent 2022.4.0.4
  • Sophos Central Windows Server Core Agent 2022.4.0.6

Cause

The issue occurs when the device needs to download the DigiCert Trusted Root G4 certificate to its Certificate Store. If there is a delay in obtaining the certificate, the installation of these components will fail.

[Image: DigiCert Trusted Root G4 certificate]

Resolution

The initial install will fail, but once the above root certificate has been obtained, the two failing components will automatically attempt to re-install.

To prevent the install failures from occurring (such as in a task sequence for SCCM), the certificate can be installed as part of the sequence, prior to installing Sophos. One way to do this is with the CertUtil utility.

From the command prompt, run the following three commands:

mkdir C:\tempcerts
CertUtil -syncWithWU C:\tempcerts
certutil -addstore root C:\tempcerts\ddfb16cd4931c973a2037d3fc83a4d7d775d05e4.crt

Alternatively, the certificate can be downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm and distributed to devices.

To determine if the certificate is present in the store, the following PowerShell/Terminal command can be used:

Get-ChildItem -path cert:\localmachine\root\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4

Note: Customers who have turned off Automatic Root Certificate Updating and do not have an alternate method to distribute certificates can also trigger this issue.

This can be confirmed in Group Policy by running through the following steps:

  1. Click Start > Run (or Windows key + R).
  2. Enter gpedit.msc and then click OK.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Go to Administrative Templates > System > Internet Communication Management > Internet Communication settings.
  5. Check what is set in Turn off Automatic Root Certificates Update.

If there are no GPO/local settings, check whether the following registry value is configured as below:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\AuthRoot
Value Name=DisableRootAutoUpdate Type=REG_DWORD Value Data=00000001

To allow the installation, you will need to set DisableRootAutoUpdate to 0 or manually install the required root certificate on the device.

In addition, if you have Group Policies that only allow certificates registered in Active Directory to be authenticated, this could also affect the installation.
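
The checks and CertUtil steps above can be combined into a single pre-install step for a task sequence. This is an added example, not Sophos-supplied code: the thumbprint, registry value and CertUtil commands come from this advisory, while the exit codes and the thumbprint check on the downloaded file before it is trusted are assumptions of the example.

```powershell
# Added example: pre-install step for a task sequence (run elevated).
# Thumbprint, registry path and certutil commands are taken from the advisory;
# the exit codes and the file thumbprint check are assumptions of this example.
$Thumbprint = 'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'   # DigiCert Trusted Root G4
$WorkDir    = 'C:\tempcerts'
$PolicyKey  = 'HKLM:\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\AuthRoot'

function Test-RootPresent {
    # True when the root is already in the local machine Trusted Root store.
    Test-Path -Path "Cert:\LocalMachine\Root\$Thumbprint"
}

if (Test-RootPresent) {
    Write-Output 'Root certificate already present; nothing to do.'
    exit 0
}

# Report whether automatic root updates are turned off, which explains a missing root.
$policy = Get-ItemProperty -Path $PolicyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'DisableRootAutoUpdate is 1: Windows will not fetch the root on demand.'
}

# Fetch the Windows Update root set into the working directory.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
& certutil.exe -syncWithWU $WorkDir | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Error "certutil -syncWithWU failed ($LASTEXITCODE)"; exit 1 }

$crt = Join-Path $WorkDir ($Thumbprint.ToLower() + '.crt')
if (-not (Test-Path -Path $crt)) { Write-Error "Expected file not found: $crt"; exit 1 }

# Confirm the file really is the expected certificate before trusting it as a root.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crt
if ($cert.Thumbprint -ne $Thumbprint) {
    Write-Error "Thumbprint mismatch: got $($cert.Thumbprint)"; exit 1
}

& certutil.exe -addstore root $crt | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Error "certutil -addstore failed ($LASTEXITCODE)"; exit 1 }

# Re-check the store so the task sequence only continues when the root is in place.
if (-not (Test-RootPresent)) { Write-Error 'Root still missing after import.'; exit 1 }
Write-Output "Installed $($cert.Subject)"
exit 0
```

A non-zero exit code lets the task sequence stop before the Sophos installer runs.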
