We recently faced a situation after a reorganisation where we had about 250 endpoints which had been part of a previous estate which was now closed so we could not recover their tamper protection passwords to point them to our new estate using the --registeronly switch.
The Sophos documentation implies that we'd need to go into Safe Mode to fix each of them. This wasn't possible with the manpower available.
We crafted a solution using an SCCM task sequence.
High level view: create a task sequence to:
Step 3-4 are handled by a script:
REM Load the installed OS's offline SYSTEM and SOFTWARE hives under temporary names
reg load HKLM\TEMPSYSTEM C:\Windows\System32\config\SYSTEM
reg load HKLM\TEMPSOFTWARE C:\Windows\System32\config\SOFTWARE
REM Set the Sophos MCS Agent service to Disabled (Start = 4) and switch off tamper protection
reg add "HKEY_LOCAL_MACHINE\TEMPSYSTEM\ControlSet001\Services\Sophos MCS Agent" /v Start /t REG_DWORD /d 0x00000004 /f
reg add "HKEY_LOCAL_MACHINE\TEMPSYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SAVEnabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\TEMPSYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SEDEnabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\TEMPSOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection" /v Enabled /t REG_DWORD /d 0 /f
REM Unload the hives so the changes are written back to disk
reg unload HKLM\TEMPSYSTEM
reg unload HKLM\TEMPSOFTWARE
Step 7 is a command line:
sc config "sophos mcs agent" start= auto
Hope this helps. If you don't have SCCM it could probably be done using the free MDT.
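Added audit script, not part of Karl's post or of any Sophos tooling: the script above sets the tamper protection values to 0 and nothing in the listed steps sets them back, so this PowerShell check reads the same values and the MCS Agent start type from the live registry of a running endpoint and flags any machine still left in the disabled state. It assumes ControlSet001 is the active control set (as the reg add lines above do) and that a non-zero value means enabled; the paths and value names are those from the script above.

```powershell
# Added example (not from the original post): audit the registry values the
# offline script changes, on the live hive, and report endpoints still disabled.
# Assumption: ControlSet001 is the active control set; a non-zero value = enabled.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SAVEnabled'; Want = 'non-zero'; Test = { param($v) $v -ne 0 } },
    @{ Path = 'HKLM:\SYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SEDEnabled'; Want = 'non-zero'; Test = { param($v) $v -ne 0 } },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'
       Name = 'Enabled';    Want = 'non-zero'; Test = { param($v) $v -ne 0 } },
    # Service Start = 2 is Automatic (what "sc config ... start= auto" sets); 4 is Disabled
    @{ Path = 'HKLM:\SYSTEM\ControlSet001\Services\Sophos MCS Agent'
       Name = 'Start';      Want = '2 (auto)'; Test = { param($v) $v -eq 2 } }
)

$results = foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
    $status = if ($null -eq $value)      { 'MISSING' }   # key or value not present
              elseif (& $c.Test $value)  { 'OK' }
              else                       { 'DISABLED' }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = "$($c.Name) = $value (want $($c.Want))"
        Status   = $status
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so an SCCM step or compliance baseline can treat this as a failure
if ($results | Where-Object Status -ne 'OK') { exit 1 } else { exit 0 }
```

Run it as the last step of the task sequence, or push it as a compliance item, so that any endpoint that never got its tamper protection turned back on shows up rather than staying silently unprotected.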
Hi Karl Admin,
Thank you for sharing this workaround, and we're glad to hear that this worked out for you without any issue. However, this method isn't officially supported, so we can't recommend using it.