
How to disable Sophos Endpoint Defense without booting into safe mode

I recently deployed the new Sophos Central Endpoint to over 300 workstations to replace our older Sophos Endpoint. Approximately 20% of the workstations failed during install and were left with these three programs listed in Programs and Features:

  • Sophos AutoUpdate XG
  • Sophos Endpoint Defense
  • Sophos Management Communications System

When I attempt to reinstall the Sophos Central Endpoint on one of these workstations, I get the following error: You must disable Sophos Tamper Protection before you continue. Contact your administrator or see Sophos KBA 119175.

When I attempt to remove the Sophos Endpoint Defense application from Programs and Features, I get the same error. I have attempted to disable Tamper Protection through Sophos Central as well but this has no effect.

I contacted support and was referred to Sophos KBA 124377 which explains how to resolve this issue by booting into safe mode, modifying the registry to disable Sophos Endpoint Defense, and then booting back into Windows. Unfortunately, this is not a workable solution since we have over 60 affected clients all over the country. I have tried modifying the registry keys mentioned in KBA 124337 using Group Policy (both using startup scripts and using Registry Group Policy Preferences) but this has no effect because tamper protection is enabled before they run which locks down the registry keys I need to change.

Anyone have any thoughts on how I can get Sophos Central Endpoint reinstalled on these workstations without having to boot each one into safe mode and manually modifying the registry? Or how to redeploy the client to these workstations since they do have the AutoUpdate component?

  • Hello Christopher Thompson,

    I'm neither a Central nor an SED expert but I fear I'm right when I say there's no other way than 124377. I wonder how this crippled installation came about though. 

    "they do have the AutoUpdate component"
    Is it working? If it is, it should try to install the missing components but then this very likely fails for the same reason as the initial attempt. Although SAV is not installed - is the SavService present? AFAIK (but this might have changed with SED) installs/uninstalls are only blocked when it is running.

    In either case the failure rate suggests a common cause that you probably have to identify and correct before an install will succeed.

    Christian

  • As far as I can tell, the only two Sophos processes running are ALsvc.exe (AutoUpdate) and McsClient.exe. Sophos support directed me to replace C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg on a bad install with a copy from a good install. This seems promising because the file is almost empty on bad installs and contains necessary parameters like the server URL, username and password. Unfortunately, if I try to update or replace the file I'm again thwarted by Endpoint Defense.

    The workstations with bad installs are no different from workstations with the good installs, as far as I can tell. I have good and bad installs on all our images and in all of our offices. I haven't been able to figure out why some succeeded and others failed.

  • Hello Christopher Thompson,

    I hope they do something with the logs. Seems that under certain circumstances the Central installer paints itself into a corner. It's somewhat, err, funny that SED is apparently in full operation before the product is successfully installed.

    Christian