Browse Live Discover and Response Queries by Category
Approved

Verify if an endpoint agent is on the new SDDS3 update mechanism

This query will verify if the Sophos Endpoint Agent is on the new SDDS3 update mechanism.

https://support.sophos.com/support/s/article/KB-000043550?language=en_US

SDDSStatus will indicate if the endpoint is on SDDS2 or SDDS3.

An SDDS3Ready status when the endpoint is still on SDDS2 means either controlled or scheduled updates are configured, and the endpoint is ready to update once automatic updating is resumed.

SELECT
	(SELECT
		CASE
			WHEN data = "RECOMMENDED" THEN 'GA'
			WHEN data = "BETA" THEN 'EAP'
		END 
	FROM
		registry
	WHERE key = "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service\CloudSubscriptions\Base\" AND name='Tag') as UpdateStream,

	(SELECT
		CASE
			WHEN data = 2 THEN 'SDDS2 ❌'
			WHEN data = 3 THEN 'SDDS3 ✅'
		END 
	FROM
		registry
	WHERE key = "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\" AND name LIKE '%Version') as SDDSStatus,

	(SELECT
		CASE
			WHEN data = 0 THEN 'NO'
			WHEN data = 1 THEN 'YES'
		END 
	FROM
		registry
	WHERE key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags\" AND name='sdds3.ready') as SDDS3Ready

Sylvain_Roy

  • Updated the query a bit to add the version number (which will indicate BETA if the endpoint is enrolled into EAP), and logic to enter N/A for SDD3Ready if SDD3 is already enabled.

    WITH 

SDDS3Enabled AS (SELECT
   CASE
      WHEN data LIKE '3' THEN 'Yes ✅'
      ELSE 'No ❌'
   END AS SDDS3Enabled
FROM registry 
WHERE key = "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\" AND name LIKE '%Version'),

SDDS3Ready AS (SELECT
   CASE
      WHEN data LIKE '1' THEN 'Yes ✅'
      ELSE 'No ❌'
   END AS SDDS3Ready
FROM registry 
WHERE key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags\" AND name='sdds3.ready'),

Version AS (SELECT data as VersionNumber
FROM registry 
WHERE key = "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\Details\" AND name='Version')

SELECT VersionNumber, SDDS3Enabled,
   CASE
      WHEN SDDS3Enabled = 'Yes ✅' then 'N/A'
      WHEN SDDS3Ready = 'No ❌'then SDDS3Ready
   END as SDDS3Ready
FROM SDDS3Enabled JOIN SDDS3Ready JOIN Version

Unfiltered HTML