Sophos Central Windows Endpoint: RE-register a device on Sophos central without reinstalling when accidentally deleted from the dashboard

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Hi Everyone,

There are many instances when the user accidentally deletes the device from the central dashboard, and the machine has Sophos endpoint installed. However, it does not report to the central dashboard.

Deleting the device from the Sophos central dashboard does not uninstall the Sophos endpoint on the machine. To uninstall Sophos, please follow the steps mentioned in this article, which need to be performed after disabling tamper protection.

  1. Login into Sophos central
  2. Make sure to disable first the Tamper Protection. You can Retrieve tamper protection password for deleted endpoints and servers from Sophos Central. This option is located in Logs & Reports > Recover Tamper Protection passwords. Click on View details to expand the password(s) that has been set on the endpoint or server. The password at the top of the list is the most recent. This password can be used to authenticate on the local endpoint or server, allowing access to the Settings and the option to disable Tamper Protection.

You will be able to view the list of the deleted endpoints by clicking on View Password Details.

Note:
If the device name is not showing under recover tamper protection password, you will need to recover the tamper password with the help of this article

  1. On the endpoint, Stop the Sophos MCS Client service.
  2. Set the Sophos MCS Client service to have a startup type of Automatic (Delayed Start)
  3. Stop the Sophos Managed Threat Response Service (If you have installed the Managed Threat Response component)
  4. Delete the files "Credentials," "EndpointIdentity.txt," and those with the .xml extension that are located in the following path:

Windows 7 and later: C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist

Windows XP: %ALLUSERSPROFILE%\Application Data\Sophos\Management Communications System\Endpoint\Persist

  1. Restart the stopped services (MCS Client and MCS Agent) and perform force update on the endpoint.
  2. Check if the Endpoint is back reporting to the Central.


Updated disclaimer
[edited by: Qoosh at 10:01 PM (GMT -7) on 31 Mar 2023]
Parents
  • The steps with deleting the files would force the endpoint to get a brand new endpoint ID from Central. In most cases with accidentally deleted machines less than 90 days ago (they still show up in Recover Tamper Protection Passwords report) is to either do 1) disable tamper protection through endpoint interface 2) run SophosSetup.exe --registeronly (what MEric suggested above) in elevated command prompt which is very quick, or just run SophosSetup.exe overtop of existing install, which will take longer but will accomplish the same (in case of non-technical users it might be easier to instruct them to do remotely.) 

  • On a Mac, how would it possible to force the endpoint to get a brand new endpoint ID from Central?

    I have tried to follow this article, Sophos Central Mac Endpoint: How to re-register Mac.

    https://support.sophos.com/support/s/article/KB-000035092?language=en_US

    However, after a restart, the endpoint ID is still the same.

    I have an open support ticket to resolve endpoints that have duplicate endpoint ID with other endpoints.   

  • If you override the name as per Installer command-line options for Mac (sophos.com) that would have to work if that's an option

  • Per the "Installer command-line options for Mac" link that you have shared, there is a commandline option "--computernameoverride <override for computer name>".  However, it states that "You can only use this option for a new installation."

    The other option is to use the file override,  /Library/Preferences/ called com.sophos.mcs-overrides.plist.  I have tried this option by running these commands (new computer name is johndoe-sdafda)

    "

    sudo defaults write /Library/Perferences/com.sophos.mcs-overrides.plist ComputerNameOverride johndoe-sdafda

    sudo launchctl stop com.sophos.mcs

    "

    The new computer name is displayed on the Sophos Central.  However, the endpoint ID is still the same.

    "

    cat /Library/Preferences/com.sophos.mcs.plist | grep -i uuid -n5

    "

    It shows the same SMEMcsEndpointUUID value.  Disappointed

  • Hello ,

    I will give you general info about this and then answer your exact question:

    Why endpoints can get the same Central ID:

    For Windows systems, this typically only occurred if an image/copy was made of a system without proper preparation. For Macs, it can occur due to other reasons as well, detailed here:

     #1) Apple has a poor default naming scheme of <FirstName>’s <SystemModel>.  So if you use the same account to do the initial mac setup, like a helpdesk account, you get “Helpdesk’s macbook pro”.  Note: Windows uses random characters, Linux doesn’t have a default hostname.  Windows also warns and flags if it sees another system with the same name on the network (NetBios).

     #2) Apple does not use the concept of “Domain name”, so we just report a default of “workgroup”.

     #3) Central uses the following information to determine if a system needs a new ID, or it is a reinstall of our software on an existing system (or reinstall of the OS); System Name, Domain Name, and Fully Qualified Domain Name/DNS Name.

     So the issue becomes with a common system name (#1), a common domain name (#2), and an FQDN that is the same (on an internal system it would be system name (#1).local), then due to the parameters in #3, it assigns the same Central ID to the Endpoint.

     The only way to prevent this fully is to tackle #1.  Make sure the system is renamed before installing Sophos, which is a workflow change.

     Now what are we (Sophos), doing about this. We are enabling detection of the condition of multiple endpoints using the same ID in Central, referred to as Endpoint De-duplication. This is currently being tested as of mid-September 2021. This detects when multiple different systems are using the same ID to communicate to Central, locks out that ID, and forces all systems trying with that ID to re-register with a flag for a new ID only.  This will split them out.  It unfortunately does not remediate any groups of duplicate users, but it will them prevent more from being created (as the underlying problem has been corrected).

     If the workflow is not adjusted, this de-duplication will still trigger, and result in “locked” endpoints that were the original ID. These can be removed manually from Central by the customer after systems have been split out.

    Now answering your question - in order for the machine to get new UUID those exact steps absolutely need to be followed (no workaround):

    1) uninstall the endpoint.
    2) rename the system
    3) reboot
    4) reinstall Sophos

    only in this order or the Sophos Central record will be updated.

    Hope that helps!

  • Thank you for providing more explanation.  

    I have started the process of renaming the computer name to have unique value.  

    I believe that I have tried similar steps with just 1 user.  The user's computer name has changed and is unique.  However, besides still having the same endpoint ID, the endpoint is intermittently disappearing from Sophos Central (i.e. sometimes it is searchable under the Devices page).  

    I will try again with the exact 4 steps that you have mentioned.

    I have tried to call the Endpoint API to find the duplicate endpoint ID.  However, the API returned values do not show any duplicate endpoint ID.

    Is there way to programmatically identify duplicate endpoint ID?  Otherwise, it is a pain to manually look for endpoint with the same names on Sophos Central.  Disappointed

Reply
  • Thank you for providing more explanation.  

    I have started the process of renaming the computer name to have unique value.  

    I believe that I have tried similar steps with just 1 user.  The user's computer name has changed and is unique.  However, besides still having the same endpoint ID, the endpoint is intermittently disappearing from Sophos Central (i.e. sometimes it is searchable under the Devices page).  

    I will try again with the exact 4 steps that you have mentioned.

    I have tried to call the Endpoint API to find the duplicate endpoint ID.  However, the API returned values do not show any duplicate endpoint ID.

    Is there way to programmatically identify duplicate endpoint ID?  Otherwise, it is a pain to manually look for endpoint with the same names on Sophos Central.  Disappointed

Children