This may be useful for people with lost tamper protection passwords

We recently faced a situation, after a reorganisation, where we had about 250 endpoints which had been part of a previous estate that was now closed, so we could not recover their tamper protection passwords to point them to our new estate using the --registeronly switch.

The Sophos documentation implies that we'd need to go into Safe Mode to fix each of them.  This wasn't possible with the manpower available.

We crafted a solution using an SCCM task sequence.

High level view: create a task sequence to:

  1. Suspend BitLocker (if you're using it)
  2. Reboot into Windows PE
  3. Mount the installed OS registry hives in WinPE
  4. Change the registry values that would normally be changed in Safe Mode using Sophos' instructions, and disable the MCS service (so the endpoint doesn't immediately re-enable tamper protection on restart)
  5. Restart the computer into the regular OS
  6. Run SophosSetup with --quiet --registeronly to get the machine onto the new estate
  7. Re-enable MCS and restart again to get all the Sophos components working.

Steps 3-4 are handled by a batch script run from WinPE against the offline OS hives. It assumes the installed OS is visible as C: from WinPE and that ControlSet001 is the active control set (an offline hive has no CurrentControlSet link; if in doubt, check the Current value under HKLM\TEMPSYSTEM\Select after loading the hive):

REM Run from WinPE. Load the offline SYSTEM and SOFTWARE hives of the installed OS
REM (assumed to be C: as seen from WinPE) under temporary keys.
reg load HKLM\TEMPSYSTEM C:\Windows\System32\config\SYSTEM
reg load HKLM\TEMPSOFTWARE C:\Windows\System32\config\SOFTWARE

REM Offline hives have no CurrentControlSet, so ControlSet001 is edited directly.
REM Start=4 marks the Sophos MCS Agent service Disabled so it cannot re-apply
REM tamper protection before the endpoint has been re-registered.
reg add "HKEY_LOCAL_MACHINE\TEMPSYSTEM\ControlSet001\Services\Sophos MCS Agent" /v Start /t REG_DWORD /d 0x00000004 /f

REM The same values Sophos' Safe Mode instructions have you set to turn tamper protection off.
reg add "HKEY_LOCAL_MACHINE\TEMPSYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SAVEnabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\TEMPSYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SEDEnabled /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\TEMPSOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection" /v Enabled /t REG_DWORD /d 0 /f

REM Unload so the changes are flushed to disk before rebooting into the OS.
reg unload HKLM\TEMPSYSTEM
reg unload HKLM\TEMPSOFTWARE

Step 7 is a command line, run in the full OS once the --registeronly install in step 6 has completed:

sc config "sophos mcs agent" start= auto
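As an added example (this is not the original poster's task-sequence script), here is the same offline edit written in PowerShell, for boot images that include the WinPE-PowerShell optional component. Compared with the batch script above it locates the offline Windows volume instead of assuming C:, reads the Current value under Select to pick the active control set instead of assuming ControlSet001, reads every value back before unloading so the task sequence fails instead of rebooting into a still-protected box, and releases the registry provider's handles so reg unload does not fail with access denied. The registry paths and values are the ones from the script above; the function names and the drive-detection logic are mine, and Enable-SophosMcsAgent is the PowerShell equivalent of the sc config line for step 7.

```powershell
# Added example, not the original poster's script. Assumes the SCCM boot image
# includes WinPE-PowerShell and that WinPE itself is running as X:.

function Get-OfflineWindowsRoot {
    # Find the volume carrying the installed OS rather than assuming C:.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        if ($drive.Name -eq 'X') { continue }   # X: is the WinPE RAM drive
        $hive = Join-Path $drive.Root 'Windows\System32\config\SYSTEM'
        if (Test-Path $hive) { return $drive.Root.TrimEnd('\') }
    }
    throw 'No offline Windows installation found on any volume'
}

function Disable-SophosTamperProtectionOffline {
    param([string]$OsRoot = (Get-OfflineWindowsRoot))

    $sysHive = "$OsRoot\Windows\System32\config\SYSTEM"
    $swHive  = "$OsRoot\Windows\System32\config\SOFTWARE"

    & reg.exe load HKLM\TEMPSYSTEM $sysHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load of $sysHive failed ($LASTEXITCODE)" }
    & reg.exe load HKLM\TEMPSOFTWARE $swHive | Out-Null
    if ($LASTEXITCODE -ne 0) {
        & reg.exe unload HKLM\TEMPSYSTEM | Out-Null
        throw "reg load of $swHive failed ($LASTEXITCODE)"
    }

    try {
        # An offline hive has no CurrentControlSet link; Select\Current holds the
        # number of the control set the OS will use on the next boot.
        $current = (Get-ItemProperty 'HKLM:\TEMPSYSTEM\Select' -Name Current).Current
        $cs = 'HKLM:\TEMPSYSTEM\ControlSet{0:D3}' -f $current

        $tpConfig = "$cs\Services\Sophos Endpoint Defense\TamperProtection\Config"
        $mcs      = "$cs\Services\Sophos MCS Agent"
        $savTp    = 'HKLM:\TEMPSOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'

        # Same values the batch script sets; Start=4 is SERVICE_DISABLED.
        $changes = @(
            @{ Path = $mcs;      Name = 'Start';      Value = 4 },
            @{ Path = $tpConfig; Name = 'SAVEnabled'; Value = 0 },
            @{ Path = $tpConfig; Name = 'SEDEnabled'; Value = 0 },
            @{ Path = $savTp;    Name = 'Enabled';    Value = 0 }
        )

        $applied = @()
        foreach ($c in $changes) {
            if (-not (Test-Path $c.Path)) {
                # Unlike "reg add /f", do not create missing Sophos keys: a missing
                # key means the product or component is not installed on this box.
                Write-Warning "Key not found, skipping: $($c.Path)"
                continue
            }
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Value -Type DWord
            $applied += $c
        }

        # Read back before unloading so a failed write stops the task sequence.
        foreach ($c in $applied) {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name).($c.Name)
            if ($actual -ne $c.Value) {
                throw "Verify failed: $($c.Path)\$($c.Name) is $actual, expected $($c.Value)"
            }
        }
        Write-Output "Applied $($applied.Count) of $($changes.Count) changes to $cs"
    }
    finally {
        # The registry provider keeps key handles open; release them or the
        # unload fails and the hive is left loaded (and dirty) in WinPE.
        [GC]::Collect()
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload HKLM\TEMPSOFTWARE | Out-Null
        & reg.exe unload HKLM\TEMPSYSTEM | Out-Null
    }
}

function Enable-SophosMcsAgent {
    # Step 7, run in the full OS after SophosSetup --registeronly has succeeded.
    # Equivalent to: sc config "sophos mcs agent" start= auto
    Set-Service -Name 'Sophos MCS Agent' -StartupType Automatic
    (Get-Service -Name 'Sophos MCS Agent').StartType
}
```

In the task sequence, call Disable-SophosTamperProtectionOffline from the WinPE step and Enable-SophosMcsAgent from the post-registration step; because each function throws on a failed load or a failed read-back, the step reports a non-zero exit and the machine is not rebooted half-done.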

Hope this helps. If you don't have SCCM, it could probably be done using the free MDT.