Without going through each device, I would like to run a report or filter devices with Tamper Protection turned off.
Hello Patti,
Currently, there is no report showing the status of Tamper protection on endpoints.
You can use APIs to query the tamper protection and health status:
https://developer.sophos.com/ - main page
The tamper protection-related page is here: https://developer.sophos.com/docs/endpoint-and-server/1/routes/endpoints/%7BendpointId%7D/tamper-protection/get
Also, if you have an Endpoint EDR license, you can do a Live Query to find out the same. This post describes the syntax for it:
SELECT CASE WHEN data LIKE '0' THEN 'DISABLED' END Tamper_Protection
FROM registry
WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
  AND name='SEDEnabled'
  AND data=0;
Finally, this page contains some API scripts that our Professional Services created, such as the Sophos Health script, which also shows the status of Tamper Protection. https://github.com/sophosukps/
Hope that helps!
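The API approach mentioned in the reply above, sketched as an added example (not part of the original post and not Sophos's own code): it pages through an endpoint list and reports every device whose Tamper Protection is off or not reported. The list route `/endpoint/v1/endpoints`, the `tamperProtectionEnabled` field, the `pages.nextKey` / `pageFromKey` pagination and the `X-Tenant-ID` header are assumptions about the API; the token, tenant ID and API host are obtained separately, and the sample pages are constructed.

```python
import json
import urllib.parse
import urllib.request


def http_get(url, headers):
    """Fetch one JSON page (used for live calls only)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def endpoints_without_tamper_protection(api_host, tenant_id, token, get=http_get):
    """Page through the endpoint list; return endpoints not confirmed as protected."""
    headers = {"Authorization": f"Bearer {token}", "X-Tenant-ID": tenant_id}
    base = f"{api_host}/endpoint/v1/endpoints"  # assumed list route
    params, found = {}, []
    while True:
        url = base + ("?" + urllib.parse.urlencode(params) if params else "")
        page = get(url, headers)
        for item in page.get("items", []):
            state = item.get("tamperProtectionEnabled")  # assumed field name
            if state is not True:
                # A missing value is reported as unknown, never assumed enabled.
                found.append({"id": item.get("id"), "hostname": item.get("hostname"),
                              "tamperProtection": "disabled" if state is False else "unknown"})
        next_key = page.get("pages", {}).get("nextKey")  # assumed pagination key
        if not next_key:
            return found
        params["pageFromKey"] = next_key


# Constructed sample pages standing in for API responses (not real data).
SAMPLE_PAGES = {
    None: {"items": [{"id": "ep-1", "hostname": "WS-001", "tamperProtectionEnabled": True},
                     {"id": "ep-2", "hostname": "WS-002", "tamperProtectionEnabled": False}],
           "pages": {"nextKey": "k2"}},
    "k2": {"items": [{"id": "ep-3", "hostname": "SRV-01"}], "pages": {}},
}


def fake_get(url, headers):
    """Offline stand-in for http_get that serves SAMPLE_PAGES by page key."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return SAMPLE_PAGES[query.get("pageFromKey", [None])[0]]


if __name__ == "__main__":
    for ep in endpoints_without_tamper_protection(
            "https://api.example.invalid", "TENANT-ID", "TOKEN", get=fake_get):
        print(f'{ep["hostname"]}\t{ep["id"]}\t{ep["tamperProtection"]}')
```

For live use, drop the `get=fake_get` argument and pass the real API host, tenant ID and bearer token.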
Thanks for sharing the Github scripts. This is great!