This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Tamper Protection Removal Tool

Hello,

We had a previous IT company that we have dropped and they supposedly removed Sophos Endpoint Protection on 200+ devices but we found it on 145 ish devices. They won't give us access to the portal and they are stating there is nothing they can do about these devices. I have tried contacting support and get referred to the manual removal process which just isn't feasible at the amount of devices we have.

I recall a similar instance years ago and there was a removal tool but support just absolutely refuses to help us. What are our options?



This thread was automatically locked due to age.
Parents
  • It sounds like they didn't complete their job.

    If they delete some/all the computers in Sophos Central (select all and choose delete), there is a report page for all the deleted devices and their password - https://cloud.sophos.com/manage/reports/deleted-devices/create

    This report can be exported to a csv file.  If you had this you could create a script which extracts the right password for the local computer (based on name) and uses SEDCli.exe to disable tamper protection. From there you can do whatever.

    This would be one option but you would need that export, It is a 1 minute job to delete all the computers and export the report. 

    They could also disable Tamper for all computers globally - https://cloud.sophos.com/manage/config/settings/tamper-protection - for any computers that are managed and still able to get policy, this would disable tamper.  I think there is a change coming that disables tamper protection when you delete a computer.  I don't think that change has been released yet.

Reply
  • It sounds like they didn't complete their job.

    If they delete some/all the computers in Sophos Central (select all and choose delete), there is a report page for all the deleted devices and their password - https://cloud.sophos.com/manage/reports/deleted-devices/create

    This report can be exported to a csv file.  If you had this you could create a script which extracts the right password for the local computer (based on name) and uses SEDCli.exe to disable tamper protection. From there you can do whatever.

    This would be one option but you would need that export, It is a 1 minute job to delete all the computers and export the report. 

    They could also disable Tamper for all computers globally - https://cloud.sophos.com/manage/config/settings/tamper-protection - for any computers that are managed and still able to get policy, this would disable tamper.  I think there is a change coming that disables tamper protection when you delete a computer.  I don't think that change has been released yet.

Children