Configuring VPN Remote Access for the first time on your Sophos XG Firewall? Check out this useful Community post!

Advisory: Sophos XG Firewall - Antivirus service stopped due to failed pattern update. Please visit this KBA for the latest updates

Sophos Central Windows Endpoint: How to automate the software deployment to computers

  • Article ID: 120611
  • Updated: 18 Mar 2020
  • 26 people found this helpful

Overview

This knowledge base  article describes information on how to deploy Sophos Central endpoint software to Windows computers using common automated software deployment methods. It provides a couple of examples to cover common deployment methods.

Before installation, removal of the following software packages is required:

  • Sophos Patch
  • Sophos Client Firewall
  • Sophos Anti-Virus, if the following have been enabled on the computer:
    • Web control
    • Data control
    • Application control

If a device control policy has been set to a computer, the uninstallation of Sophos Anti-Virus requires a restart to unload and re-install the kernel driver sdcfilter.sys.

The following sections are covered:

Applies to the following Sophos product(s) and version(s)
Central Windows Endpoint 10.8.1
Central Windows Endpoint Intercept X 2.0.0

What to do

  1. From the Sophos Central Admin that will manage the endpoint/s, download the installer SophosSetup.exe. Go to Protect Devices > under Endpoint Protection > select Download Complete Windows Installer

    Note: Though the link shows Complete Windows Installer, this is actually a thin installer which deploys all the features available depending on your license (e.g. Sophos Intercept X Advanced with EDR + Device encryption).
    Do not use a user-specific SophosSetup.exe as received via the Email Deployment workflow for the deployment methods. If you do, all devices will be associated to the Sophos Central user that sent the email.

  2. Deploy the SophosSetup.exe to your endpoints through one of the automated deployment methods discussed below.

Active Directory (AD) startup script

SophosSetup.exe requires an administrator privilege to run on the computer. If you wish to deploy using login scripts, the logged in user account should be an administrator of the computer for the installation to succeed.

For the deployment via the Active Directory startup script, the logged in users no longer have to be the local administrators of the computers.

Creating SophosCentralEndpointInstall.bat

  1. Copy the file SophosSetup.exe to a shared location which is accessible by the computers you wish to install to.

  2. In a text editor such as Notepad, paste the following text:
    @echo off
    SET MCS_ENDPOINT=Sophos\Management Communications System\Endpoint\McsClient.exe
    IF "%PROCESSOR_ARCHITECTURE%" == "x86" GOTO X86_PROG
    IF NOT EXIST "%ProgramFiles(x86)%\%MCS_ENDPOINT%" GOTO INSTALL
    exit /b 0

    :X86_PROG
    IF NOT EXIST "%ProgramFiles%\%MCS_ENDPOINT%" GOTO INSTALL
    exit /b 0

    :INSTALL
    pushd \\servername\share
    SophosSetup.exe --quiet
    Popd

  3. Amend the line pushd \\servername\share with the location of the installer package on your network.

  4. Save the file as SophosCentralEndpointInstall.bat. Save it in the desktop for the meantime.

Deploying SophosCentalEndpointInstall.bat

To deploy the script via Active Directory, you can either create a new group policy or you can edit an existing one. The steps below shows creating a new group policy:

  1. Open the Group Policy Management Console. (Open the Run window > type gpmc.msc > press Enter).
  2. Right-click on the organizational unit where you need to deploy the Sophos Central Endpoint then select Create a GPO in this domain, and Link it here...

  3. Enter a GPO name. For example, Sophos Central Windows Endpoint deployment policy.

  4. Right-click on the new GPO that you created, select Edit... This opens the Group Policy Management Editor window of the Sophos Central Windows Endpoint deployment policy GPO.

  5. Go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown). On the right-panel, double-click on Startup.

  6. Click on Show Files... button.

  7. In the window that will open, paste the SophosCentralEndpointInstall.bat that you have created as instructed above.

  8. Back in the Startup Properties window, click on Add... then Browse.

  9. The location in step 7 will be displayed which should contain the SophosCentralEndpointInstall.bat. Click on Open.

  10. Click Apply > OK.
  11. In the Group Policy Management window, click on Sophos Central Windows Endpoint deployment policy GPO.
  12. Go to the Scope tab, ensure that the Links have the correct OU.

  13. Check that the Security Filtering contains your target user group. If it does not have the user group where the Sophos Central Endpoint is intended to be deployed, click on Add... to add them.

  14. Right-click on the OU then select Group Policy Update to enforce the deployment of the new GPO.

  15. To test the GPO, open a Command Prompt on one of the target endpoints and run the command gpupdate /force then reboot the computer.

Intune deployment

For details on using Microsoft Intune to deploy the Sophos Central endpoint software, please see article 133877.

SCCM deployment

  1. Copy the file SophosSetup.exe to a shared location which is accessible by the computers you wish to install to.
  2. Launch SCCM and navigate to Software Library, select Application Management and choose Packages.
  3. Right-click on Packages and select Create Package.
  4. On the Package page of the Create Package and Program Wizard, specify the following information as required:
    • Name: Sophos Central Managed Endpoint
    • Description
    • Manufacturer
  5. Check This package contains source files. Click Browse to open the Set Source Folder dialog box where you can specify the location of the installer file SophosSetup.exe which was setup in Step 3.
  6. Click next for Standard program type and enter the following information:
    • Name: SophosSetup.exe
    • Command Line: SophosSetup.exe
      Note: An example command line might be: SophosSetup.exe --quiet
    • Program can run: Only when a user is logged on
    • Run mode: Run with administrative rights
    • Drive mode: Runs with UNC name
    • Run and Start-up fields are optional
  7. On the Requirements section, create a requirement rule that the package runs only on supported Windows platforms.
  8. Run another program first, Estimated disk space and Maximum allowed run time (minutes) are optional.
  9. Complete the wizard to finish creating the package.
  10. The package is now ready to be deployed to your computers.

Related information

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Article appears in the following topics

Did this article provide the information you were looking for?

Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.

Sophos Footer