During the installation of the Enterprise Console, you are required to enter a username and password for two Windows accounts. These accounts are not automatically created by the installer and therefore must be manually created. Once created, you can then enter the username and the associated password for both accounts into the Enterprise Console installer.
This article contains information regarding these Windows user accounts, why they are required, how to create them and also how they are used.
Note: If you are installing just the Management Console component to a computer, such as a remote Enterprise Console, the account requested during the installation should be the same as the account the Sophos Management Host service is running as on the Sophos management server. This is referenced as SophosManagement in this article.
Applies to the following Sophos products and versions: Enterprise Console
Your Sophos management server requires two accounts to be used. One account is used to run a number of services and provide access to the database and the other is used to enable the clients to update from the SophosUpdate share on the server.
Note: The Sophos Update Manager or SUM is a component of the Sophos management server that downloads the software and the Anti-Virus protection updates from the Sophos servers.
We recommend creating two accounts, one for each role, using the following account names:
If your management server is in a domain environment, we recommend that these are domain accounts. On the other hand, if it is part of a workgroup, these should be local accounts on the management server.
Note: Prior to Enterprise Console 5.x, the database account was not required when all components (e.g., console, database, SUM) were installed on the same server. If you are upgrading to Enterprise Console 5.x from a previous version we recommend you create a new database account for this purpose.
If the computer is a member of a domain, we recommend creating domain accounts on the domain controller. It is also possible to create local accounts on a server that is not the domain controller, but this is not recommended.
On the other hand, if the computer is a member of a Workgroup, you should create local accounts.
Depending on your environment, as described above, follow the appropriate section below:
The additional detailed information below is provided for the advanced user who would like to know how the accounts are used.
The database account is used by the Sophos Management Service (the process name is mgntsvc.exe) to connect to the database. During installation, the account is written to the key shown below for the Sophos Management Service to use when connecting to the database.
The following Sophos services (if they exist) are also set to log on as this account:
Enterprise Console also uses the database user to enable it to communicate with the Sophos Management Host service, which implements the web services on the management server. It is for this reason that when installing a remote console, the database account is requested.
The account the Sophos Management Host service runs as should be the same user. It is therefore recommended that the account is a domain account when installing in a domain environment.
The account must fulfill the following requirements:
It is strongly suggested that:
The SUM account is used in the default updating policies within Enterprise Console. It enables the clients to gain access to the distribution locations to perform updates.
The account is required to provide clients read access to the distribution location share, by default: \\[servername]\SophosUpdate\.
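As an added example (not from Sophos or the original article), the following PowerShell audit, run on the management server, lists the logon account of each Sophos service described above and reports any SophosUpdate share permission that gives the update account more than read access. The two account names are placeholders, and the service display-name patterns are assumptions.

```powershell
# Added example, not Sophos code. Account names below are placeholders;
# the 'Sophos%' display-name filter is an assumption about service naming.
param(
    [string]$DbAccount     = 'EXAMPLE\SophosManagement',
    [string]$UpdateAccount = 'EXAMPLE\UpdateAccountPlaceholder',
    [string]$ShareName     = 'SophosUpdate'
)

# Strip "DOMAIN\" or ".\" so 'EXAMPLE\svc' and '.\svc' compare by user name.
# Caveat: this treats a local and a domain account of the same name as equal,
# and does not handle user@domain (UPN) notation.
function Get-BareName([string]$Account) { ($Account -split '\\')[-1] }

# 1. Logon account of every Sophos service (Win32_Service.StartName).
$services = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE 'Sophos%'" |
    Select-Object Name, DisplayName, StartName, State
$services | Sort-Object StartName, DisplayName | Format-Table -AutoSize

# The Sophos Management Host service should run as the database account.
$mismatch = $services | Where-Object {
    $_.DisplayName -like 'Sophos Management Host*' -and
    (Get-BareName $_.StartName) -ne (Get-BareName $DbAccount)
}
foreach ($svc in $mismatch) {
    Write-Warning "$($svc.DisplayName) runs as '$($svc.StartName)', expected '$DbAccount'"
}

# 2. Share-level permissions on the distribution share.
$acl = Get-SmbShareAccess -Name $ShareName -ErrorAction Stop
$acl | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

$updateEntries = $acl | Where-Object {
    (Get-BareName $_.AccountName) -eq (Get-BareName $UpdateAccount)
}
if (-not $updateEntries) {
    Write-Warning "No explicit share entry for '$UpdateAccount'; access may come from a group."
}
foreach ($e in $updateEntries) {
    # The article calls for read access only; flag Change or Full.
    if ($e.AccessControlType -eq 'Allow' -and $e.AccessRight -ne 'Read') {
        Write-Warning "'$($e.AccountName)' has $($e.AccessRight) on \\$env:COMPUTERNAME\$ShareName (expected Read)"
    }
}
```

Get-SmbShareAccess reports share-level permissions only; NTFS permissions on the underlying folder are separate and need their own review.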
It is strongly suggested that the account: