This is just a short article – lost a day investigating this, so I wanted to get something up for anyone else who runs into this. The background was a clean installation on a Windows 2016 server running Exchange 2016. No errors or issues were reported during that install. The installer was downloaded as normal via Mysophos and started running before stopping with the message “Unable to install Sophos Credential Store Service”.
Exploring the logs gives a section
Sophos Credential Store — Error 1920. Service ‘Sophos Credential Store’ (Sophos.Credential.Store.Service) failed to start. Verify that you have sufficient privileges to start system services.
After extensive testing and research, the issue was narrowed down to the Logon as a service permissions that were being applied. The workaround was to note the users with Logon as a service permissions, in this case in the Default Domain group policy, and then temporarily stop the policy applying that setting by clearing the Define these policy settings tickbox.
DO NOT DO THIS IF YOU ARE NOT CLEAR ABOUT THE IMPLICATIONS OF THIS NOT APPLYING !!
However, we did this on one of the domain's DCs and then used gpupdate /force on the Exchange server before running the installer, successfully this time. The change was then reversed, with the users on the list plus the NT SERVICE\ALL SERVICES user.
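To check the state this workaround depends on, the following added example (not from Sophos or the original article) lists the accounts that hold Log on as a service on the server and reports whether NT SERVICE\ALL SERVICES is among them. It assumes an elevated PowerShell session; the function names are hypothetical, and S-1-5-80-0 is the well-known SID for NT SERVICE\ALL SERVICES.

```powershell
# Added example: read-only check of "Log on as a service" (SeServiceLogonRight).
# Exports the user-rights section of the security policy and changes nothing.

function Get-ServiceLogonRightEntries {
    param([string[]]$InfLines)
    # secedit writes one line such as:
    #   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...,DOMAIN\svc-account
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }          # right not defined: nobody is listed
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}

function Resolve-RightEntry {
    param([string]$Entry)
    if ($Entry -notmatch '^\*S-1-') { return $Entry }   # already an account name
    $sid = $Entry.TrimStart('*')
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "$sid (could not be resolved to a name)"
    }
}

$tmp = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
    $entries = @(Get-ServiceLogonRightEntries -InfLines (Get-Content -Path $tmp))
} finally {
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}

"Accounts with Log on as a service:"
$entries | ForEach-Object { "  " + (Resolve-RightEntry $_) }

# -contains is case-insensitive; match either the SID form or the name form.
if ($entries -contains '*S-1-5-80-0' -or $entries -contains 'NT SERVICE\ALL SERVICES') {
    "NT SERVICE\ALL SERVICES is present."
} else {
    "NT SERVICE\ALL SERVICES is MISSING: services that run under NT SERVICE\<name> accounts may fail to start (Error 1920)."
}
```

Running it after gpupdate /force, both before the group policy change and after it is reversed, gives a record of the account list to restore and confirms the final state.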
I will update this with further details once Sophos has been able to establish whether the step we had to take is necessary and what the underlying issue is! I would advise reporting this issue to Sophos support to work it through with them in any case.