When multiple successive versions of SEP have been installed or upgraded on a computer the catroot database used by Windows' CryptSvc may exhibit signs of corruption.
CIDS driver installs its catalog file to unique GUIDs for each version, and cleanup of the prior catalog may occasionally fail. Windows eventually reaches a subsystem limit and the catroot database will generate error codes like -1601, -1811, and -1805.
Upgrading the SEP client to 14.3 RU4 will attempt to clean the stale catalog files. If installation fails, a reboot may be necessary to allow the cleanup to complete before attempting the install again.
A permanent fix is being developed for release in a future version. This document will be updated upon its release.