Symantec Endpoint Protection (SEP) client installation fails with a 1603 error.  When reviewing the SIS_INST.log it shows the following error:

ERROR I SIS      File C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.8268.5000.105\bin64\ELAMInst.exe is not trusted. Verification result: 20

Root Certificates are missing.

This issue is fixed in Symantec Endpoint Protection (SEP) 14.3 RU6. For information on how to obtain the latest build of SEP, see Download Symantec software, tools, and patches.

Workaround

To resolve this issue update the Root Certificates by running Windows Update.  If the system is air-gapped and does not have access to the internet follow these steps:

On a system with internet access:

1. Open a command prompt as Administrator
2. Navigate to a folder you will be able to find the Rootstore.sst after download
3. Enter the command: CertUtil –generateSSTFromWU Rootstore.sst
4. Current root certificates updates will download from Windows Update and write to the file "Rootstore.sst"
5. Copy the .sst file from the path in Step 2 to the machine(s) which does not have internet access

On the air-gapped system without internet access:

1. Click Start>Run. Alternatively, click the windows keyboard button + R
2. Type: certmgr.msc - this opens the certificate manager
3. Right-click on the item "Trusted Root Certification Authorities
4. Select All Tasks>Import
5. Click Next
6. Click "Browse", and change the file type in the lower right selection drop-down to "All Files"
7. Navigate to the location .sst file obtained from the previous set of steps and select the file
8. Click Next
9. Specify the radio item "Place all certificates in the following store. "Trusted Root Certification Authorities" should be specified
10. Click Next, Click Finish
11. Repeat steps 1-10 except specify the "Trusted Publishers" container for Steps 3 and 9