Sophos UTM: Decommissioning of obsolete URL categorization services CFFS.Click here for important info.

Sophos Central Windows Endpoint: RE-register a device on Sophos central without reinstalling when accidentally deleted from the dashboard

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Hi Everyone,

There are many instances when the user accidentally deletes the device from the central dashboard, and the machine has Sophos endpoint installed. However, it does not report to the central dashboard.

Deleting the device from the Sophos central dashboard does not uninstall the Sophos endpoint on the machine. To uninstall Sophos, please follow the steps mentioned in this article, which need to be performed after disabling tamper protection.

  1. Login into Sophos central
  2. Make sure to disable first the Tamper Protection. You can Retrieve tamper protection password for deleted endpoints and servers from Sophos Central. This option is located in Logs & Reports > Recover Tamper Protection passwords. Click on View details to expand the password(s) that has been set on the endpoint or server. The password at the top of the list is the most recent. This password can be used to authenticate on the local endpoint or server, allowing access to the Settings and the option to disable Tamper Protection.

You will be able to view the list of the deleted endpoints by clicking on View Password Details.

If the device name is not showing under recover tamper protection password, you will need to recover the tamper password with the help of this article

  1. On the endpoint, Stop the Sophos MCS Client service.
  2. Set the Sophos MCS Client service to have a startup type of Automatic (Delayed Start)
  3. Stop the Sophos Managed Threat Response Service (If you have installed the Managed Threat Response component)
  4. Delete the files "Credentials," "EndpointIdentity.txt," and those with the .xml extension that are located in the following path:

Windows 7 and later: C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist

Windows XP: %ALLUSERSPROFILE%\Application Data\Sophos\Management Communications System\Endpoint\Persist

  1. Restart the stopped services (MCS Client and MCS Agent) and perform force update on the endpoint.
  2. Check if the Endpoint is back reporting to the Central.

Updated disclaimer
[edited by: Qoosh at 10:01 PM (GMT -7) on 31 Mar 2023]
Parents Reply Children
  • Per the "Installer command-line options for Mac" link that you have shared, there is a commandline option "--computernameoverride <override for computer name>".  However, it states that "You can only use this option for a new installation."

    The other option is to use the file override,  /Library/Preferences/ called com.sophos.mcs-overrides.plist.  I have tried this option by running these commands (new computer name is johndoe-sdafda)


    sudo defaults write /Library/Perferences/com.sophos.mcs-overrides.plist ComputerNameOverride johndoe-sdafda

    sudo launchctl stop com.sophos.mcs


    The new computer name is displayed on the Sophos Central.  However, the endpoint ID is still the same.


    cat /Library/Preferences/com.sophos.mcs.plist | grep -i uuid -n5


    It shows the same SMEMcsEndpointUUID value.  Disappointed