Approved

Live Discover Query - identify devices where Tamper Protection is disabled

  REVIEWED by Sophos 

As a simple query highlighting the power of Live Query for ad-hoc reporting, we can easily get the tamper protection state for the computers selected:

select data,path from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config' AND name='SEDEnabled' AND data=0;

Regards,

Jak