Without going through each device, I would like to run a report or filter devices with Tamper Protection turned off.
Hello Patti,
Currently, there is no report showing the status of Tamper protection on endpoints.
You can use APIs to query the tamper protection and health status:
https://developer.sophos.com/ - main page
The tamper protection-related route is here: https://developer.sophos.com/docs/endpoint-and-server/1/routes/endpoints/%7BendpointId%7D/tamper-protection/get
Also, if you have an Endpoint EDR license, you can do a Live Query to find out the same. This post describes the syntax for it:
SELECT CASE WHEN data LIKE '0' THEN 'DISABLED' END Tamper_Protection
FROM registry
WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
  AND name='SEDEnabled'
  AND data=0;
Finally, this page contains some API scripts that our Professional Services created, such as the Sophos Health script, which also shows the status of Tamper protection: https://github.com/sophosukps/
Hope that helps!
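The API approach from the answer above, sketched as an added example that is not part of the original post and is not one of the Sophos Professional Services scripts. It assumes the Endpoint API listing route `/endpoint/v1/endpoints`, a `tamperProtectionEnabled` field on each item, `pages.nextKey`/`pageFromKey` paging and an `X-Tenant-ID` header; the bearer token, tenant ID and data-region URL are obtained separately, and the sample pages are constructed.

```python
import json
import urllib.parse
import urllib.request

def live_fetcher(data_region_url, tenant_id, token):
    """Build a page fetcher for GET {dataRegion}/endpoint/v1/endpoints (assumed route)."""
    def fetch(page_key=None):
        params = {"pageSize": 500, "view": "full"}
        if page_key:
            params["pageFromKey"] = page_key
        req = urllib.request.Request(
            f"{data_region_url}/endpoint/v1/endpoints?{urllib.parse.urlencode(params)}",
            headers={"Authorization": f"Bearer {token}", "X-Tenant-ID": tenant_id},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def tamper_report(fetch):
    """Walk every page; split endpoints into tamper-off and state-unknown."""
    disabled, unknown, key = [], [], None
    while True:
        page = fetch(key)
        for ep in page.get("items", []):
            state = ep.get("tamperProtectionEnabled")
            row = (ep.get("hostname", "?"), ep.get("id", "?"))
            if state is False:
                disabled.append(row)
            elif state is None:  # field absent: report it, do not assume "on"
                unknown.append(row)
        key = page.get("pages", {}).get("nextKey")
        if not key:  # no further page key means the listing is complete
            return sorted(disabled), sorted(unknown)

# Constructed sample pages standing in for API responses (not real devices).
SAMPLE_PAGES = {
    None: {"items": [
        {"id": "ep-001", "hostname": "FIN-LT-01", "tamperProtectionEnabled": True},
        {"id": "ep-002", "hostname": "HR-PC-07", "tamperProtectionEnabled": False},
    ], "pages": {"nextKey": "k2"}},
    "k2": {"items": [
        {"id": "ep-003", "hostname": "LAB-SRV-02"},
        {"id": "ep-004", "hostname": "DEV-PC-11", "tamperProtectionEnabled": False},
    ], "pages": {}},
}

if __name__ == "__main__":
    for label, rows in zip(("DISABLED", "UNKNOWN"), tamper_report(SAMPLE_PAGES.get)):
        print(label, rows)
```

Against a live tenant, pass `live_fetcher(data_region_url, tenant_id, token)` to `tamper_report` in place of `SAMPLE_PAGES.get`.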
Thank you for that detail....however, I do think development should think about adding a quick way to view the status of all devices that have the tamper protection turned off within the portal!
Very good suggestion! Sophos Central is getting a big reporting and interface overhaul later this year!
Awesome...I will look forward to that! Thank you.
Thanks for sharing the Github scripts. This is great!