This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Uninstallation is not possible because a policy does not allow it. Error 25200

Hi:

I'm hoping someone here can help me with this. I've tried submitting a ticket to support but I got one response that didn't make sense a week ago and nothing else since then.

 

I've created a policy that allows decryption and uninstallation, exported it to MSI, and installed it on the client. It allows me to decrypt the client, but it will not let me uninstall or modify the installation. I can't figure out why. So far I've tried:

  1. Installing the policy, then attempting to uninstall the client
  2. Installing the policy, rebooting, then attempting to uninstall the client.
  3. Turning off Tamper protection in Sophos Endpoint Protection (also installed on the client), then installing the policy and attempting to uninstall the SafeGuard client.
  4. Turning off Tamper Protection, and following these instructions to uninstall BOTH SEP and SafeGuard: https://community.sophos.com/kb/en-us/12360

 

Below are screenshots of the relevant parts of my configuration, as well as the error I get every time I attempt to uninstall SafeGuard.



This thread was automatically locked due to age.
Parents Reply Children
  • So apply the policy to the TOP level of the domain. Before you click SAVE modify who it's assigned to in the bottom half of the window. Here you can see my policy applies to the WHOLE domain but ONLY if you're a member of my decryption group. Automatically it'll assign to all computers/users so drag those out and drag in your decrypt (and uninstall in your case) group.

    Hope this helps - Sorry about the hurried reply, meant to be socialising with friends that have come to visit!

     

  • This worked! In addition to what you recommended, Michael, I also turned off No Override on the encryption policy and turned it on for the decryption/uninstall policy, but only for the specified group. So now I can add the machine name and user to the group, synchronize the client, and decrypt and uninstall the client!

     

    I'm going to set up my test machine again because I still want to see if I can get the MSI approach to work as well. Many of our users that have SafeGuard installed are remote, so it would be easier to just run an MSI on their machines and uninstall then try to get them to synchronize with the server.

     

    Thanks so much for all your assistance! One of my colleagues who is currently on a 3 week vacation claimed he got this working before he left, but I really don't see how that is possible given that the encryption/no uninstall policy was set to no override. I'll have to talk to him next week, especially since I screwed with his console config to get this to work.

     

    I'll update with the results of my MSI test.

  • Great news!

    You're very welcome David, really pleased you've got it sorted.

    Yes the MSI version should work and I imagine it will now work as you've removed the policy that was inherited by everything.

    I think the way we've both done it is better and gives much better control over everything!

    Keep us updated!

    All the best