When you deploy the Sophos Endpoint software, the following error may appear on the endpoint desktop:
The system administrator has set policies to prevent this installation
First seen in
Sophos Anti-Virus for Windows 2000+ 9.7.6
Sophos Anti-Virus for Windows 2000+ 9.5.5
This is not a Sophos-specific issue. The domain administrator has set group policies that lock down the Windows Installer:
Computer configuration | Administrative Template | Windows Components | Windows Installer | Disable browse dialog box for new source=enabled
To check whether this policy is in effect on the current endpoint, use the built-in utility "rsop.msc", which can be launched from Start | Run | Type:
rsop.msc | Press return. You will not be able to make changes in "rsop.msc".
What to do
In the group policy editor, change the policy to "disabled" or "not configured". It can be found in:
Computer configuration | Administrative Template | Windows Components | Windows Installer | Disable browse dialog box for new source=disabled
To confirm the issue, check the AutoUpdate install log, which will show the following text:
MSI (c) (20:54) [11:35:19:273]: Adding new sources is not allowed.
This installation is forbidden by system policy. Contact your system administrator.
C:\Program Files\Sophos\AutoUpdate\Cache\sau\sophos autoupdate.msi
MSI (c) (20:54) [11:35:19:273]: MainEngineThread is returning 1625
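
The two checks above (policy state and install log) can be scripted on the endpoint. This is an added example, not Sophos code. It assumes the policy is stored as the DisableBrowse value under the Windows Installer policy key (the article names only the group policy path) and takes the log location as a hypothetical -LogPath parameter, because the article does not give the log's path.

```powershell
# Added example: check the Windows Installer policy and the install log on one endpoint.
param(
    # Assumption: path to the AutoUpdate install log; the article does not state it.
    [string]$LogPath
)

# Registry value behind "Disable browse dialog box for new source"
# (value name is an assumption here; it does not appear in the article).
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$policy = Get-ItemProperty -Path $key -Name DisableBrowse -ErrorAction SilentlyContinue

if ($null -eq $policy) {
    Write-Output 'DisableBrowse: not configured'
} elseif ($policy.DisableBrowse -eq 1) {
    Write-Output 'DisableBrowse: enabled (matches the cause described above)'
} else {
    Write-Output "DisableBrowse: $($policy.DisableBrowse) (disabled)"
}

# Lines from the log excerpt above that indicate the policy block.
$patterns = 'Adding new sources is not allowed',
            'This installation is forbidden by system policy',
            'MainEngineThread is returning 1625'

if ($LogPath -and (Test-Path -LiteralPath $LogPath)) {
    # Get-Content honours a byte order mark if the log was written as Unicode.
    $hits = Get-Content -LiteralPath $LogPath |
        Select-String -Pattern $patterns -SimpleMatch
    if ($hits) {
        # Print each matching line with its position in the log.
        $hits | ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line.Trim() }
    } else {
        Write-Output 'No policy-block lines found in the log.'
    }
} else {
    Write-Output 'No log path supplied or file not found; log check skipped.'
}
```

The registry read reflects the policy currently applied to the machine, so run it after a group policy refresh when verifying that the change to "disabled" or "not configured" has reached the endpoint.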