This discussion has been locked.

Uninstallation is not possible because a policy does not allow it. Error 25200

Hi:

I'm hoping someone here can help me with this. I've tried submitting a ticket to support but I got one response that didn't make sense a week ago and nothing else since then.

 

I've created a policy that allows decryption and uninstallation, exported it to MSI, and installed it on the client. It allows me to decrypt the client, but it will not let me uninstall or modify the installation. I can't figure out why. So far I've tried:

  1. Installing the policy, then attempting to uninstall the client
  2. Installing the policy, rebooting, then attempting to uninstall the client.
  3. Turning off Tamper protection in Sophos Endpoint Protection (also installed on the client), then installing the policy and attempting to uninstall the SafeGuard client.
  4. Turning off Tamper Protection, and following these instructions to uninstall BOTH SEP and SafeGuard: https://community.sophos.com/kb/en-us/12360

 

Below are screenshots of the relevant parts of my configuration, as well as the error I get every time I attempt to uninstall SafeGuard.



  • I had this issue recently.

     

    Off the top of my head....

     

    Have you uninstalled the configuration for the old policy? Make sure there is NO configuration listed in Add/Remove

    Rebooted

    On console I created two policies - Machine settings and Device Protection

    Modified both to include NO encryption and uninstall allowed

    On console I created a new group - added in my two new policies

    Created a new config package with the new policy group as base.

    Exported the new package.

    Copied package onto client

    Installed new package

    Rebooted.

    Logged back in and was able to decrypt and uninstall.

     

    If more info comes to me I'll post it but I "think" those were all the stages?

     

    Images to help - excuse most of the content blanked out!!

     

  • Hi Michael:

     

    This is more or less what I did, but there are some small differences in our approaches. I'll try following your example by the letter and see how it goes.

     

    Thanks,

    David

  • Michael:

     

    Nope, still no joy. Followed your example to the letter and I still get the same error message. I even turned on Airplane mode so the policy doesn't get overwritten before I have a chance to uninstall.

     

    Thanks anyway.

  • How odd!!

    Is it worth trying to create a group, applying the policy to the group, add the computer to the group and resynchronising?

    Unless you have another setting allowing the client to stay I still think it's not reading the new configuration?

    On train home now but I'll try looking a little later to see if I've missed anything?

  • To add. Have you used rsop on the console to check that there are no policies overriding your removal policy?
  • Checking the RSOP I can see that someone set the encryption/no uninstall policy to No Override. I've turned that off, added the decryption/uninstall policy to an OU, moved the machine to that OU, resynchronized everything, but it looks like the domain encryption/no uninstall policy is still a higher priority than the OU decryption/uninstall policy. How do I prioritize the OU policy over the domain policy?

  • Great, good progress well done!

    Create a group outside of AD. Right click new group etc...

    Then apply the remove policy you've created to this group. Make the computer a member of this group and you can disable inheritance so it doesn't look at other policies.

    If you get stuck I'll boot up mine and have a look with some screenshots?

  • https://www.sophos.com/en-us/medialibrary/PDFs/documentation/sgn_7_ig_eng_installation.pdf?la=en

     

    I know you're V8 but same guide applies - P72 onwards gives you the steps including selecting no override to enforce this particular policy...

    Hold on if you'd like screenshots. Damn VPN client not installed on this laptop.....

  • So apply the policy to the TOP level of the domain. Before you click SAVE modify who it's assigned to in the bottom half of the window. Here you can see my policy applies to the WHOLE domain but ONLY if you're a member of my decryption group. Automatically it'll assign to all computers/users so drag those out and drag in your decrypt (and uninstall in your case) group.

    Hope this helps - Sorry about the hurried reply, meant to be socialising with friends that have come to visit!

     

  • This worked! In addition to what you recommended, Michael, I also turned off No Override on the encryption policy and turned it on for the decryption/uninstall policy, but only for the specified group. So now I can add the machine name and user to the group, synchronize the client, and decrypt and uninstall the client!

     

    I'm going to set up my test machine again because I still want to see if I can get the MSI approach to work as well. Many of our users that have SafeGuard installed are remote, so it would be easier to just run an MSI on their machines and uninstall than try to get them to synchronize with the server.

     

    Thanks so much for all your assistance! One of my colleagues who is currently on a 3 week vacation claimed he got this working before he left, but I really don't see how that is possible given that the encryption/no uninstall policy was set to no override. I'll have to talk to him next week, especially since I screwed with his console config to get this to work.

     

    I'll update with the results of my MSI test.

  • Great news!

    You're very welcome David, really pleased you've got it sorted.

    Yes the MSI version should work and I imagine it will now work as you've removed the policy that was inherited by everything.

    I think the way we've both done it is better and gives much better control over everything!

    Keep us updated!

    All the best
