Endpoint not connecting to Sophos Central; Can't Uninstall due to Tamper Protection

Hi S Carter,

   If the machine was accidentally removed from central, you should be able to find the last known Tamper Protection password here:

Central.Sophos.com>Logs&Reports>Recover Tamper Protection Password.

If not, you will need to boot the machine to safemode to disable Tamper Protection: https://community.sophos.com/kb/en-us/124377

Once Tamper Protection has been disabled, you need only run the installer through command line as per the following steps:
1. Turn off TP
2. Download installer from correct Central instance
3. Run:  SophosSetup.exe --registeronly
4. Turn on TP
The above steps will cause the machine to register itself with Central.

Once you see the machine in Central again, please let me know if this also resolves the Management Communication 401 error you are seeing.

Hi S Carter,

   If the machine was accidentally removed from central, you should be able to find the last known Tamper Protection password here:

Central.Sophos.com>Logs&Reports>Recover Tamper Protection Password.

If not, you will need to boot the machine to safemode to disable Tamper Protection: https://community.sophos.com/kb/en-us/124377

Once Tamper Protection has been disabled, you need only run the installer through command line as per the following steps:
1. Turn off TP
2. Download installer from correct Central instance
3. Run:  SophosSetup.exe --registeronly
4. Turn on TP
The above steps will cause the machine to register itself with Central.

Once you see the machine in Central again, please let me know if this also resolves the Management Communication 401 error you are seeing.

I don't think it was removed (I checked the Tamper Code recovery report; didn't see it on there), but someone else may have done so.  

I followed the steps to boot the machine to safemode to disable Tamper Protection: https://community.sophos.com/kb/en-us/124377 and then rebooted normally.  Sophos is now reporting some services are off (Device control Service; Anti-Virus).  The next step says to 'Turn off TP', which I'm not understanding.  If I open Sophos it still needs a login to get to the admin, if I run SophosSetup.exe --registeronly it gives an error that Tamper protection is still enabled.

Is there an extra step to turn off TP once I have booted back to win10 normally?  

Hi S Carter,

   Can you confirm that you performed the "Managed by Sophos Central" steps and not the Enterprise Console steps from https://community.sophos.com/kb/en-us/124377?

It is expected behavior for Sophos Anti-Virus service to report as stopped as it was disabled while in Safemode, this will effect dependent services as well.

Please let me know if performing the Central based steps found in the above KB help.

Yes, i followed the Sophos Central (not the enterprise), but looks like I missed a step in there.  I went back and did that step and now Sophos does not show the 'admin' login anymore (assuming this means TP is off).  Trying the --registeronly with a fresh copy of our installer i just pulled down.  Hopefully that works; will let you know.

Tamper Protection was indeed off, it let me do the --registeronly step this time.  Wasn't sure on Re-activation/step4 (re-enable everything from step 1, even the items that were zero already?  only re-activate the ones I had needed to change? etc..), so I just uninstalled and re-installed with the latest version from our cloud instance.  Looks like it worked, the machine is now showing up in Sophos (no prior history before today though, so I'm still pretty sure it never correctly registered rather than it being deleted, but the fix worked either way).

Thanks for your help!

Hi S Carter 

Yes, the endpoint does re-register itself when Management communication service resumes. Feel free to reach out to us if you have any further concerns. 

Hi i have noticed the same with one of our endpoints here. I looked in the logs of machines deleted and it doesn't show up there. I will follow the steps to disable TP but this machine was powered off for about 3 weeks, would this have caused it drop off the management console?

Hi mmacwan 

If the machine does not appear on the central dashboard, it means the endpoint would not communicate with Sophos Central. You will need to disable tamper and re-register the endpoint as stated above in this thread. Let me know how it goes. 

Hi 

I have just followed the steps to disable TP and it still won't do it

I have made the registry amendments in safe mode, booted normally and still it is on, any other ideas?

Hi mmacwan 

After you recover the tamper protection password, could you please follow the below steps and see if it works for you. 

1. Stop the Sophos MCS Client service and Sophos MCS Agent Service
2. Go to path C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist and delete the files with Credentials, EndpointIdentity.txt and those with the .xml extension
3. Restart the Sophos MCS agent service

After performing above steps, machine should reflect on the Sophos Central dashboard. 

Hi Shweta

I actually followed the steps to recover the TP password and this is the thing that didn't work. Any other ideas how i can do this?