Migrate from non-Sophos endpoint protection to Sophos Central endpoint protection.

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Phase 1: Prepare for migration.


In this step, you make sure you have the right product license, compile the list of assets, and validate that the devices meet the minimum system requirements. To get started, follow the topics below.

1. Choose the license

Choosing your Sophos Endpoint Protection license is essential in preparing for your migration.

Sophos Products are licensed or made available by the applicable units specified in the table below. The Schedule issued by Sophos specifies the number of applicable units that the Customer has ordered for each Product.

Definitions for Sophos Products

1. 'Computer' means any device or computing environment which benefits from the Product (for example, but without limitation, workstations, personal computers, laptops, netbooks, tablets, smartphones, and environments connected to an email server, an internet proxy or a gateway device, or a database). The Product does not have to be physically installed on the computer environment to provide benefits, nor is there a requirement for the computing hardware to be owned by the Customer. The term Computer as defined herein includes non-persistent deployments, electronic devices capable of retrieving data, and virtual machines.

2. 'Server' means a Computer (i) upon which the Product is installed or (ii) which benefits from the Product, wherein the computer provides at least one application, client service, or capability.

3. 'User' means an employee, consultant or another individual who benefits from the Product.

NOTE: The Product does not have to be physically installed on the User's computer environment to provide benefit to the User.

Read more about the licensing guidelines here.

| Sophos Central Products | Licensing Model (Applicable Unit) |
| --- | --- |
| Central Intercept X Advanced | per User |
| Central Intercept X Advanced with XDR | per User |
| Central Intercept X Advanced for Server | per Server |
| Central Intercept X Advanced for Server with XDR | per Server |

| Managed Services | Licensing Model (Applicable Unit) |
| --- | --- |
| Managed Detection and Response | per User |
| Managed Detection and Response Complete | per User |
| Managed Detection and Response Server | per Server |
| Managed Detection and Response Complete Server | per Server |

License Features

Sophos Central product licenses have power-packed features to detect, prevent and respond to a threat or malware.

The below document will help you understand the available features for the license you choose.

If you are yet to decide and feel you need more help to figure it out, we have our best sales team in the wild. Please see the contacts section to reach out to our sales team.

If you already chose your license, continue to read the below sections.

2. Collect the asset list

Next, collect your device list from Active Directory. This helps identify the licenses that must be purchased and helps prepare those devices for Sophos endpoint protection deployment.

How to collect the asset list

You can collect the asset lists by using your AD (Active Directory) management tool or by using PowerShell to execute a command and export the list.

Using 3rd party tool:

If you manage Active Directory via 3rd party tools, you can use them to export a list of all computers and save it as a CSV file. You may need to customize the columns to use the specific column names below.

Name, OperatingSystem, ipv4Address, LastLogonDate

Using PowerShell:

Follow the below steps:

  1. Log in to your Active Directory server.
  2. Click Start, type CMD, right-click “Command Prompt” and run as Administrator.
  3. Type powershell and press Enter.
  4. Now type or copy-paste the code below.
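
The command this step refers to is not reproduced on this page. The following is an added example, not Sophos's original script, that exports the four columns named above with the standard Get-ADComputer cmdlet and also flags stale or disabled computer accounts. The output file name, the 90-day threshold and the Role and Stale columns are assumptions made for illustration.

```powershell
# Added example (not Sophos's original script). Run on a domain controller or a
# host with the RSAT ActiveDirectory module, as an account that can read AD.
Import-Module ActiveDirectory

# Assumptions for illustration: output file name and the 90-day stale threshold.
# LastLogonDate is replicated with a lag of up to about two weeks, so keep the
# threshold well above that.
$OutFile = Join-Path $env:USERPROFILE 'ad-computers.csv'
$Cutoff  = (Get-Date).AddDays(-90)

# OperatingSystem, IPv4Address and LastLogonDate are not returned by default,
# so they are requested explicitly.
$Assets = Get-ADComputer -Filter * -Properties OperatingSystem, IPv4Address, LastLogonDate |
    Select-Object Name, OperatingSystem, IPv4Address, LastLogonDate, Enabled,
        @{ Name = 'Role'; Expression = {
            if ($_.OperatingSystem -like '*Server*') { 'Server' } else { 'Computer' } } },
        @{ Name = 'Stale'; Expression = {
            (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $Cutoff) } }

# Full export; the first four columns are the ones the guide asks for.
$Assets | Sort-Object Role, Name |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Active devices per role. Server rows map to per-Server licenses; endpoint
# licenses are per User, so the Computer count is an inventory figure only.
$Assets | Where-Object { $_.Enabled -and -not $_.Stale } |
    Group-Object Role | Select-Object Name, Count | Format-Table -AutoSize

# Disabled or stale accounts: review these before counting or deploying to them.
$Assets | Where-Object { (-not $_.Enabled) -or $_.Stale } |
    Select-Object Name, OperatingSystem, LastLogonDate, Enabled |
    Format-Table -AutoSize
```

Computer accounts that are disabled or have not logged on recently often belong to retired machines; confirming them before deployment keeps the protected-device list aligned with what is actually on the network.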

Continue to read the below sections.

3. Check the minimum system requirement

We recommend you check the minimum system requirements for your endpoints before you install the Sophos endpoint protection.

Each product license has different system requirements, and it is important that you verify on at least one computer and one server that it satisfies the recommended values in the tables below.

Windows Endpoint System Requirement

Supported platforms: Windows 7, 8, 8.1, 10, and 11

| | Intercept X Advanced | Intercept X Advanced with XDR | Intercept X Advanced with XDR and MDR |
| --- | --- | --- | --- |
| Free disk space | 4 GB | 8 GB | 8 GB |
| | 4 GB | 4 GB | 4 GB |





Windows Server System Requirement

| License | Hard disk space | RAM | Cores |
| --- | --- | --- | --- |
| Intercept X Advanced for Server | 8 GB free | 8 GB | 2 |
| Intercept X Advanced for Server with XDR | 10 GB free | 8 GB | 2 |
| Intercept X Advanced for Server with XDR and MDR | 10 GB free | 8 GB | 2 |

Supported platforms: Windows Server 2022, 2019, 2016, 2012 R2, 2012, SBS 2011, 2008 R2

Supported languages: English, French, German, Italian, Japanese, Spanish, Simplified Chinese, Traditional Chinese
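
One way to run this check on a server, as an added example that is not Sophos code: it compares the local machine with the server requirement values listed above. It assumes the installation target is the system drive; the variable and column names are illustrative.

```powershell
# Added example (not Sophos code): check the local Windows Server against the
# server requirement values listed in the table above.
$Requirements = [ordered]@{
    'Intercept X Advanced for Server'                  = @{ DiskGB = 8;  RamGB = 8; Cores = 2 }
    'Intercept X Advanced for Server with XDR'         = @{ DiskGB = 10; RamGB = 8; Cores = 2 }
    'Intercept X Advanced for Server with XDR and MDR' = @{ DiskGB = 10; RamGB = 8; Cores = 2 }
}

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$cs    = Get-CimInstance -ClassName Win32_ComputerSystem
$cores = (Get-CimInstance -ClassName Win32_Processor |
          Measure-Object -Property NumberOfCores -Sum).Sum

# Assumption: the installation target is the system drive.
$disk   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)

# TotalPhysicalMemory excludes memory reserved by firmware, so a host with 8 GB
# installed reports slightly less; round to the nearest whole GB before comparing.
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)

$results = foreach ($license in $Requirements.Keys) {
    $req = $Requirements[$license]
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        OS       = $os.Caption          # compare manually with the supported platforms
        License  = $license
        FreeGB   = $freeGB
        DiskOK   = $freeGB -ge $req.DiskGB
        RamGB    = $ramGB
        RamOK    = $ramGB -ge $req.RamGB
        Cores    = $cores
        CoresOK  = $cores -ge $req.Cores
    }
}
$results | Format-Table -AutoSize
```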

For more information about the minimum system requirements, please read the articles below.

Windows Endpoint System Requirements
Windows Server system requirements
XDR Sensor Only Supported Platform

Step 1 of preparation is now complete, continue to read the below sections.


In this step, you prepare to set up a new Sophos Central account and get it activated. Follow the topics below to get started.

1. Set up Sophos Central account

By following the steps below, you can easily sign up for a Sophos Central Trial account.

  1. Go to https://www.sophos.com/en-us/products/sophos-central.aspx and click Free Trial.
  2. On the Sophos Central Free Trial page, enter your name and email address, and click Next.
  3. On the next page, complete the rest of the details. Click Submit.
  4. You see confirmation that your account is ready.
  5. Check your email for a welcome email from Sophos and continue to the next section.
    If you cannot see the email, check your junk or spam folders.


2. Activate your Sophos Central account

To activate your account and get your security software, do as follows:

  1. Open the welcome email from Sophos.
  2. In the email, click Create Password.
  3. Now you see the Activate your account page.
  4. You must use a password that meets the following rules:
    • At least 8 characters.
    • At least one lowercase character.
    • At least one uppercase character.
    • At least one number or distinctive character.
  5. Select a Central Admin Portal region. Your data is stored in this region.
    Your Sophos Partner might have selected this for you.
  6. Read and acknowledge the legal agreements.
  7. Click Activate Account.
  8. A message prompts you to set up an additional form of authentication. Click Next.
  9. On the next screen, do as follows:
    • Enter the security code we just sent to your email address. The email's subject line is "Your security code".
    • Create a PIN (Personal Identification Number) that can be used for email authentication.
  10. On the next screen, select the type of authentication you want to use.
    In this guide, we will describe setting up the SMS text message option. This lets us send you security codes by text message so that you can sign in.
  11. On the Verify Your Device screen, you need to enter a security code to sign into Sophos Central. You will find the code in a text message we have just sent you. Enter the code and click Finish. You will need to do this each time you sign in.
  12. Now you can exit the Product setup popup screen.


With this, you have successfully completed setting up a new Sophos Central account and have activated it.
If you are unable to follow the steps, the Sophos Central start-up guide with screenshots can help you with the setup and activation.

Read our GDPR compliance statement in the article below.


Phase 2: Set up resources for migration


In this step, you must set up the network to ensure it allows Sophos domains and prioritizes devices to install the Sophos endpoint protection.

1. Set up Firewall/Proxy to allow domains and ports

This step is mandatory because it allows your devices to communicate with Sophos Central.

The list is extensive and is subject to change as the product goes through changes and upgrades. Please visit the link below to know the domains and ports that you need to allow.

URL: Domain and ports to allow

2. Prioritize devices

From the list of devices you exported from AD, curate another list of the devices to prioritize for Sophos endpoint protection installation.

This list can be saved in the same AD exported file or you can create a new file.


In this step, you set up devices to make sure they are updated with the latest Windows patches and security updates.

1. Update devices

Update your devices with the latest patches and security updates. Review Microsoft’s update procedure and align it with your update management to make sure that devices are up to date.

This includes updating your existing endpoint protection solution with the latest updates.

This is only required to make sure that the devices are compliant with your organization’s security policy; it also reduces the chance that removal of your existing endpoint protection software fails.

2. Choose the deployment method

Sophos supports various deployment methods to automate and ease the installation of Sophos endpoint protection to your devices.

Below are some methods we recommend you use for automating the installation.

  • An Active Directory startup script
  • Using a batch file
  • Using a PowerShell script
  • Intune deployment
  • MECM (SCCM) deployment

We have an article describing the steps for each method mentioned above and providing an example of deploying Sophos endpoint protection to a Windows device.

URL: Automate the software deployment to devices.

We also allow using 3rd party deployment tools such as PDQ and Ansible. However, the support for troubleshooting issues with this 3rd party application is out of Sophos support scope.

If you need help with a deployment strategy discussion, planning and execution, we strongly recommend you join our Professional services team to help you with customizing the deployment. See the contact section.

Phase 3: Deploy Sophos endpoint protection.


In this step, you must choose the right protection modes and review the configuration after deployment.

Before you begin, you need to read about our competitor removal tool (CRT).

1. Know about Competitor Removal Tool (CRT)

The CRT is a program that runs during the deployment/installation of Sophos Endpoint and detects and attempts to remove third-party software. Removal of non-Sophos software is optional but turned on by default, and it is not guaranteed to succeed.

We have a list of supported 3rd party security products that will be removed by CRT; refer to the Sophos CRT product list.

2. Choose protection mode.

With our next-gen anti-virus solution, we now provide Sensor-only deployments to customers having Intercept X Advanced with an XDR license.

Intercept X Advanced with an XDR license offers XDR Sensor as an installation specifically designed for our customers who wish to see our detection, investigation, and response capabilities along with the existing non-Sophos endpoint protection. Later after the sensor-only installation is completed, you can choose to remove/uninstall the non-Sophos endpoint protection to upgrade it to a full Sophos endpoint protection.

You can either choose to deploy XDR Sensor or full Sophos endpoint protection.

3. Installation of Sophos endpoint protection

If you do not have the Intercept X Advanced with XDR license, skip to the “Full Sophos Protection deployment” section below.


Deployment instructions

Note: Before you begin the installation, we strongly recommend you read the XDR Sensor Only Supported Platform.

XDR Sensor only deployment – Uninstall non-Sophos endpoint protection.

  1. Download XDR Sensor from the Sophos Central dashboard or visit this link to learn how to download it.
  2. Use any deployment methods you previously selected in phase 2 for installation.
  3. After a successful installation, log in to the Sophos Central dashboard to manage your devices.
  4. Now you can look at our “Threat Analysis Center” in the dashboard to see how the detections and alerts are presented.
  5. Once you are ready to uninstall your existing non-Sophos endpoint protection, follow your vendor-recommended procedure to uninstall it if Sophos CRT does not support the uninstallation.
  6. Once you have completed the uninstallation and are ready to upgrade to Full Sophos Protection, continue to the section below.

Full Sophos Protection deployment

From the Sophos Central dashboard that will manage the devices, download the installer SophosSetup.exe.

  1. At this stage, if the machines are deployed with an XDR sensor, the full protection upgrade can be performed via Sophos Central.
  2. Select Endpoint Protection under “My Products” and select Computers.
  3. Select the device that you wish to upgrade to full protection.
  4. Click “Manage Endpoint Software” and then choose the products under protection from the drop-down.
  5. If it is a new installation, proceed with the steps below.
  6. Go to Protect Devices > under Endpoint Protection, select Download Complete Windows Installer.
    • Though the link shows Complete Windows Installer, this is a thin installer that deploys all the features available depending on your license, for example, Sophos Intercept X Advanced with XDR + Device encryption.
  7. If you do not want Device Encryption, you can exclude it from the download.
    From the same location, select Choose Components… and unselect Device Encryption.
  8. Click OK and download the setup.
  9. Check the Sophos CRT product list to verify if your existing non-Sophos endpoint protection can be uninstalled.
  10. If the CRT does not support the uninstallation of your existing non-Sophos endpoint protection, follow your vendor-recommended procedure to uninstall it.
  11. After uninstalling your existing non-Sophos endpoint protection, use any deployment methods you previously selected in phase 2 for installation.

The same applies to Server Protection except that it does not have Device Encryption or the option to choose components. Server Protection comes with Full malware protection and lockdown features depending on the license.


1. Review the policy configuration

Intercept X is a powerful product. It has multiple layers of protection to protect against lots of different threat vectors and does not rely on one specific form of scanning. As we all know, however, great power comes with great responsibility. That responsibility, in our case, comes in the form of Policy configuration.

Misconfigured policies lead to critical pieces of that threat protection fortress of defence being inactive when the threat actor starts attacking and put you in a position you do NOT want to be in as the IT (Information Technology) guy. We know there are a ton of configuration options available, and it can be a bit daunting at first.

We have an article published on how you can review the policy configuration for Sophos Central Intercept X and follow the best practices.
URL: Best Practices for Sophos Central Intercept X Endpoint



Support page


Sophos Professional Services


Sophos Sales Regional Contacts


Licensing page on the Sophos website: https://www.sophos.com/en-us/legal/license-entitlement-and-usage-policy

Updated disclaimer
[edited by: Qoosh at 8:05 PM (GMT -7) on 31 Mar 2023]