Sophos Central Windows Endpoint: Re-register a device on Sophos Central without reinstalling when accidentally deleted from the dashboard

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Hi Everyone,

There are many instances when the user accidentally deletes the device from the central dashboard, and the machine has Sophos endpoint installed. However, it does not report to the central dashboard.

Deleting the device from the Sophos central dashboard does not uninstall the Sophos endpoint on the machine. To uninstall Sophos, please follow the steps mentioned in this article, which need to be performed after disabling tamper protection.

  1. Log in to Sophos Central.
  2. Make sure to disable Tamper Protection first. You can retrieve the Tamper Protection password for deleted endpoints and servers from Sophos Central. This option is located in Logs & Reports > Recover Tamper Protection passwords. Click on View details to expand the password(s) that have been set on the endpoint or server. The password at the top of the list is the most recent. This password can be used to authenticate on the local endpoint or server, allowing access to the Settings and the option to disable Tamper Protection.

You will be able to view the list of the deleted endpoints by clicking on View Password Details.

Note:
If the device name is not showing under recover tamper protection password, you will need to recover the tamper password with the help of this article

  3. On the endpoint, stop the Sophos MCS Client service.
  4. Set the Sophos MCS Client service to have a startup type of Automatic (Delayed Start).
  5. Stop the Sophos Managed Threat Response Service (if you have installed the Managed Threat Response component).
  6. Delete the files "Credentials," "EndpointIdentity.txt," and those with the .xml extension that are located in the following path:

     Windows 7 and later: C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist

     Windows XP: %ALLUSERSPROFILE%\Application Data\Sophos\Management Communications System\Endpoint\Persist

  7. Restart the stopped services (MCS Client and MCS Agent) and perform a force update on the endpoint.
  8. Check if the endpoint is back reporting to Central.


Updated disclaimer
[edited by: Qoosh at 10:01 PM (GMT -7) on 31 Mar 2023]
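
The on-endpoint steps from the post above (stop the services, delete the identity files, restart) as a PowerShell script. This is an added example, not part of the original post and not Sophos code. It assumes the service display names match the names the post uses, that the Windows 7 and later path applies, and that MCS writes a new EndpointIdentity.txt once it has re-registered.

```powershell
#Requires -RunAsAdministrator
# Added example, not Sophos code. Run only after Tamper Protection is disabled,
# otherwise the service stops and file deletions below are denied.
# Assumption: service display names match the names used in the post.
$ErrorActionPreference = 'Stop'
$persist = 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist'

function Get-SophosService([string]$DisplayName) {
    # Returns $null instead of raising an error when the component is not installed
    Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
}

$client = Get-SophosService 'Sophos MCS Client'
$agent  = Get-SophosService 'Sophos MCS Agent'
$mtr    = Get-SophosService 'Sophos Managed Threat Response*'   # optional component
if (-not $client) { throw 'Sophos MCS Client service not found.' }
if (-not (Test-Path -LiteralPath $persist)) { throw "Persist folder not found: $persist" }

# Stop MCS Client, then set its startup type to Automatic (Delayed Start)
Stop-Service -InputObject $client -Force
& sc.exe config $client.Name start= delayed-auto | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed (exit code $LASTEXITCODE)" }

# Stop Managed Threat Response only when it is installed
if ($mtr) { $mtr | Stop-Service -Force }

# Delete only the files the post names: Credentials, EndpointIdentity.txt, *.xml
$targets = Get-ChildItem -LiteralPath $persist -File | Where-Object {
    $_.Name -in 'Credentials', 'EndpointIdentity.txt' -or $_.Extension -eq '.xml'
}
foreach ($file in $targets) {
    Write-Output "Removing $($file.FullName)"
    Remove-Item -LiteralPath $file.FullName -Force
}

# Restart the services; Restart-Service also starts a service that is stopped
foreach ($svc in (@($client, $agent, $mtr) | Where-Object { $_ })) {
    Restart-Service -InputObject $svc -Force
}

# Assumption: a fresh EndpointIdentity.txt appears after successful re-registration
$idFile   = Join-Path $persist 'EndpointIdentity.txt'
$deadline = (Get-Date).AddMinutes(2)
while (-not (Test-Path -LiteralPath $idFile) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 5
}
if (Test-Path -LiteralPath $idFile) { Write-Output 'New endpoint identity written.' }
else { Write-Warning 'No new EndpointIdentity.txt yet; check the MCS Client service and connectivity.' }
```

The force update and the check in the Central dashboard remain manual steps.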
  • The steps with deleting the files would force the endpoint to get a brand new endpoint ID from Central. In most cases with machines accidentally deleted less than 90 days ago (they still show up in the Recover Tamper Protection Passwords report), the approach is to either 1) disable tamper protection through the endpoint interface, 2) run SophosSetup.exe --registeronly (what MEric suggested above) in an elevated command prompt, which is very quick, or just run SophosSetup.exe over the top of the existing install, which will take longer but will accomplish the same (in the case of non-technical users, it might be easier to instruct them to do this remotely).

  • On a Mac, how would it be possible to force the endpoint to get a brand new endpoint ID from Central?

    I have tried to follow this article, Sophos Central Mac Endpoint: How to re-register Mac.

    https://support.sophos.com/support/s/article/KB-000035092?language=en_US

    However, after a restart, the endpoint ID is still the same.

    I have an open support ticket to resolve endpoints that have duplicate endpoint ID with other endpoints.   

  • If you override the name as per Installer command-line options for Mac (sophos.com) that would have to work if that's an option

  • Per the "Installer command-line options for Mac" link that you have shared, there is a command-line option "--computernameoverride <override for computer name>". However, it states that "You can only use this option for a new installation."

    The other option is to use the override file in /Library/Preferences/ called com.sophos.mcs-overrides.plist. I have tried this option by running these commands (new computer name is johndoe-sdafda)

    "

    sudo defaults write /Library/Preferences/com.sophos.mcs-overrides.plist ComputerNameOverride johndoe-sdafda

    sudo launchctl stop com.sophos.mcs

    "

    The new computer name is displayed in Sophos Central. However, the endpoint ID is still the same.

    "

    cat /Library/Preferences/com.sophos.mcs.plist | grep -i uuid -n5

    "

    It shows the same SMEMcsEndpointUUID value.  Disappointed
