Sophos Endpoint Security and Control 10.8.9 fails to install/upgrade on unpatched Windows 7/2008 R2 operating systems
As of Sophos Endpoint Security and Control version 10.8.9 (release commencing July 07th 2020 to the Preview subscription) all files and drivers are signed with only SHA256 (previously they were SHA1 and SHA256 signed). This is a Microsoft driven change. In March 2019, Microsoft released an update to Windows 7 and Windows 2008 R2 to support SHA256 only driver signing. This Microsoft update is required in order to install and run Sophos Endpoint Security and Control.
Note: Affected computers will have all scanning functionality disabled until the required patches are installed.
Please see below Microsoft article regarding this issue:
Note: This affects Windows 7 and Windows 2008 R2 operating systems. Operating system that are fully up to date with Windows Updates will not be impacted.
For any operating system that does not have the Microsoft updates the following will be seen:
- New installations and upgrades will fail and the following errors are reported to Enterprise Console following the installation/upgrade attempt:
- Locally on the computer, the following will appear during installation/upgrade:
- The following message will alert to the Sophos On-Access scanning being disabled:
- Opening Applications and performing certain actions on the computer will trigger the following example error:
- Sophos Endpoint Defense will fail to install/upgrade. The
Sophos Endpoint Defense Setup *.logwill contain the following entries:
WARNING: Failed to install Sophos Endpoint Defense - Microsoft KB4474419 or higher required on Windows 7 and Server 2008R2
ERROR: SetupPlugin install error: Failed to install Sophos Endpoint Defense - Microsoft KB4474419 or higher required on Windows 7 and Server 2008R2.
Note: For upgrades the previous version of Sophos Endpoint Defense will be used until the Microsoft updates are applied.
The following sections are covered:
Applies to the following Sophos products and versions
Sophos Endpoint Security and Control 10.8.9
What to do
To allow an installation or upgrade of Sophos Endpoint Protection and Control you must perform Windows Updates to get the latest updates. Alternately, install Windows KBs 4474419 and 4490628.