Hi All,

I wanted to report one issue we've come across. When removing Windows Endpoint or Server devices from the EDR Data Lake (aka XDR) early access program (EAP), there is an issue with the downgrade process which results in the device health being "stuck" in whatever state it was in at the point the device was removed from the EAP.

Recommendation:

To avoid the situation, the easiest thing to do will be to just leave devices currently enrolled in the EAP until January, when we'll be releasing a version of the Sophos endpoint/server which contains a fix for the problem.

Manually resolve:

If you have removed or need to remove devices from the early access program, the issue can be resolved by rebooting the device after the downgrade. Disable tamper protection on the device, then delete the file SophosUpdateStatus.xml from the folder below:

C:\ProgramData\Sophos\AutoUpdate\data\status

If you then force an update on the device, this update should resolve the issue.

What if I have removed Windows devices from the EAP but don't manually resolve?

If you have removed or need to remove devices from the EAP but don't run the steps to manually resolve, you will suffer from the problem where the device health is stuck, but the issue will still be resolved when a new version of the endpoint/server software is rolled out in January.

Anonymous