Symantec Endpoint Protection Manager (SEPM) encounters an error during the installation and rolls back.  Upon reviewing the SEPM_Inst.log file the following error is observed:
"CustomAction GPOPolicyReview returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)".

 

The issue can have a couple different causes:

1. TMP and TEMP variables do not have the same path.
2. Restrictive permissions are prohibiting the installation.
   • An explicit deny will take precedent over an implicit allow.  Because of this, when a user is a member of multiple account groups, they can encounter permission issues (even if they are a member of the Administrators group).
3. The installation runs "gpresult /scope COMPUTER /f /X gpresult.xml" during the installation to determine the currently assigned group policies.  If this command takes longer than 5 minutes to run, the installation will fail. 

1. Check Temp variables and verify that TMP and TEMP have the same path.
   • Example:  C:\Windows\TEMP
2. If restrictive permissions or GPO complexity issues cannot be identified, create a new local administrator account that is only a member of the local Administrators group.
   • Log in with the new Administrator account and attempt install again.