This knowledge base article describes how to recover a tamper-protected Windows system if the tamper protection password is lost and the client cannot receive a new policy with a known password.
For instructions on recovering a tamper protected Mac endpoint, please contact Sophos support for further assistance.
Applies to the following Sophos products and versions:
Sophos Endpoint Security and Control
Central Endpoint Advanced 11.5.11
Central Endpoint Standard 11.5.11
Back up the registry before making any changes.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
Since 20th January 2018, Tamper Protection passwords for deleted endpoints and servers can be retrieved from within Sophos Central. Follow the steps below to obtain this information:
Note: The report will display endpoints and servers that have been deleted over the previous 60 days.
If you do not have access to Sophos Central, perform the following steps to disable the Enhanced Tamper Protection:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data of SAVEnabled and SEDEnabled to 0.
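The registry backup this article calls for, together with a readout of the current SAVEnabled and SEDEnabled data, as an added example that is not part of the original Sophos article. The backup folder name is an assumption; the key paths and value names are the ones given above.

```powershell
# Added example, not Sophos code. Run from an elevated PowerShell prompt.
# $BackupDir is an assumed location; change it to suit your environment.
$BackupDir = Join-Path $env:SystemDrive 'SophosRegBackup'

# Keys named in the article.
$Keys = @(
    'HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config',
    'HKLM\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'
)
# Values the article says to set to 0.
$ValueNames = 'SAVEnabled', 'SEDEnabled'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Export each key to a timestamped .reg file and stop if any export fails.
foreach ($key in $Keys) {
    $leaf = ($key -split '\\')[-1] -replace '\s', '_'
    $file = Join-Path $BackupDir "$leaf-$stamp.reg"
    & reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        throw "Export of '$key' failed; do not edit the registry without a backup."
    }
    Write-Output "Backed up $key -> $file"
}

# Report the current data of the two values so the state before and after
# the change is on record.
$configPath = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
$config = Get-ItemProperty -Path $configPath -ErrorAction Stop
foreach ($name in $ValueNames) {
    $present = $config.PSObject.Properties.Name -contains $name
    [pscustomobject]@{
        Value   = $name
        Present = $present
        Data    = if ($present) { $config.$name } else { $null }
    }
}
```

Running the script again after the edit shows whether both values now read 0, and the exported .reg files can be re-imported if the change has to be rolled back.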