We recently faced a situation after a reorganisation where we had about 250 endpoints which had been part of a previous estate, which was now closed, so we could not recover their tamper protection passwords to point them to our new estate using the --registeronly switch.
The Sophos documentation implies that we'd need to go into Safe Mode to fix each of them. This wasn't possible with the manpower available.
We crafted a solution using an SCCM task sequence.
High level view: create a task sequence to:
- Suspend Bitlocker (if you're using it)
- Reboot into Windows PE
- Mount the installed OS registry in WinPE
- Change the registry keys that would normally be changed in Safe Mode using Sophos' instructions, and disable the MCS service (so it doesn't immediately re-enable tamper protection on restart)
- Restart the computer in the regular OS
- Run SophosSetup with --quiet --registeronly to get the machine onto the new estate
- Re-enable MCS and restart again to get all the Sophos components working.
Steps 3-4 are handled by a script:
rem Mount the offline OS hives from WinPE. The installed OS is assumed to be on C:; adjust the letter if your task sequence assigns a different one.
reg load HKLM\TEMPSYSTEM C:\Windows\System32\config\SYSTEM
reg load HKLM\TEMPSOFTWARE C:\Windows\System32\config\SOFTWARE
rem ControlSet001 is assumed to be the active control set; if unsure, check the Current value under HKLM\TEMPSYSTEM\Select in the loaded hive.
rem Set the MCS Agent service to Disabled (Start=4) so tamper protection is not re-applied on the next boot.
reg add "HKEY_LOCAL_MACHINE\TEMPSYSTEM\ControlSet001\Services\Sophos MCS Agent" /v Start /t REG_DWORD /d 0x00000004 /f
rem The same tamper protection values that Sophos' Safe Mode instructions have you change.
reg add "HKEY_LOCAL_MACHINE\TEMPSYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SAVEnabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\TEMPSYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SEDEnabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\TEMPSOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection" /v Enabled /t REG_DWORD /d 0 /f
rem Unload the hives so the changes are flushed to disk before the restart.
reg unload HKLM\TEMPSYSTEM
reg unload HKLM\TEMPSOFTWARE
Step 7 is a command line:
sc config "sophos mcs agent" start= auto
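A post-migration check, added here as an example and not part of the original post: after step 7 and the final restart, confirm the endpoint is back in a protected state (tamper protection values no longer 0, MCS Agent set to automatic and running). Key paths and the service name come from the post; that these values can be read from the live OS with tamper protection enabled, and that 0 is the only "disabled" value, are assumptions.

```powershell
# Added example (not from the original post). Run elevated on the live OS after the final reboot.
# Assumption: the values written to 0 in the WinPE script read back as non-zero once tamper
# protection has been re-enabled by the new estate's policy.
$tpValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'; Name = 'SAVEnabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'; Name = 'SEDEnabled' },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection';                         Name = 'Enabled' }
)

$results = @()
foreach ($v in $tpValues) {
    # Missing value or read failure is reported rather than treated as "enabled".
    $actual = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
    $results += [pscustomobject]@{
        Check  = "$($v.Path)\$($v.Name)"
        Actual = if ($null -eq $actual) { '<missing>' } else { $actual }
        OK     = ($null -ne $actual -and $actual -ne 0)
    }
}

# Step 7 of the post sets the MCS Agent back to automatic start; without it the endpoint
# never talks to the new estate, so check both start mode and current state.
$svc       = Get-Service -Name 'Sophos MCS Agent' -ErrorAction SilentlyContinue
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Sophos MCS Agent'").StartMode
$results += [pscustomobject]@{
    Check  = 'Service: Sophos MCS Agent'
    Actual = "$startMode / $($svc.Status)"
    OK     = ($startMode -eq 'Auto' -and $svc.Status -eq 'Running')
}

$results | Format-Table -AutoSize

# Non-zero exit lets the task sequence (or a collection-wide script run) flag endpoints
# that came out of the migration still unprotected.
if ($results.OK -contains $false) {
    Write-Warning "$env:COMPUTERNAME: tamper protection or MCS Agent not restored; investigate before closing the ticket."
    exit 1
}
exit 0
```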
Hope this helps. If you don't have SCCM it could probably be done using the free MDT.