Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Hi Everyone,
There are many instances when the user accidentally deletes the device from the central dashboard, and the machine has Sophos endpoint installed. However, it does not report to the central dashboard.
Deleting the device from the Sophos central dashboard does not uninstall the Sophos endpoint on the machine. To uninstall Sophos, please follow the steps mentioned in this article, which need to be performed after disabling tamper protection.
- Login into Sophos central
- Make sure to disable first the Tamper Protection. You can Retrieve tamper protection password for deleted endpoints and servers from Sophos Central. This option is located in Logs & Reports > Recover Tamper Protection passwords. Click on View details to expand the password(s) that has been set on the endpoint or server. The password at the top of the list is the most recent. This password can be used to authenticate on the local endpoint or server, allowing access to the Settings and the option to disable Tamper Protection.
You will be able to view the list of the deleted endpoints by clicking on View Password Details.
Note: If the device name is not showing under recover tamper protection password, you will need to recover the tamper password with the help of this article.
- On the endpoint, Stop the Sophos MCS Client service.
- Set the Sophos MCS Client service to have a startup type of Automatic (Delayed Start)
- Stop the Sophos Managed Threat Response Service (If you have installed the Managed Threat Response component)
- Delete the files "Credentials," "EndpointIdentity.txt," and those with the .xml extension that are located in the following path:
Windows 7 and later: C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist
Windows XP: %ALLUSERSPROFILE%\Application Data\Sophos\Management Communications System\Endpoint\Persist
- Restart the stopped services (MCS Client and MCS Agent) and perform force update on the endpoint.
- Check if the Endpoint is back reporting to the Central.
Updated disclaimer
[edited by: Qoosh at 10:01 PM (GMT -7) on 31 Mar 2023]