During a fresh install or a upgrade from a previous version of Symantec Endpoint Protection client,  you receive a error dialogue and a rollback on the install. 

When you check the SEP_INST.LOG you see this error : Error 2835: The control ErrorIcon was not found on dialog ErrorDialog

This error is most likely a symptom of a lower level error with windows CAPI2.



To confirm this first enable CAPI2 logging as windows has this disabled by default. https://knowledge.broadcom.com/external/article/234861/how-to-enable-windows-capi2-logging.html

Once CAPI2 logging is enabled re-run the install or upgrade attempt.  When it fails check the CAPI2 event log for error CAPI2 error 11 or CAPI2 error 41.

If you see either error CAPI2 11 and or CAPI2 error 41 your Windows operating system is unable to look up a current Certificate Revocation List or CRL.   

Normally Windows updates the CRL from Windows Update public update servers,  or from the internal WSUS servers your organization may be using.   In this instance the OS is unable to make a lookup request locally or to the Microsoft cloud and therefore fails to trust the Certificates used by Symantec Endpoint Protection and halts the install.

To resolve this consult with your network OPS and or AD and PKI infrastructure teams to resolve by allowing the failing device to update to a current CRL or lookup a local CRL host,  or allow the failing device to perform lookups outside your organization. 

Due to security changes to MSI and Windows PKI there cannot be any work around.  The device must be allowed to make a CRL lookup or have a local or local-lan CRL copy to reference.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/event-id-4107-or-event-id-11-is-logged