This article describes how to recover a tamper-protected system if the tamper protection password is lost and the client cannot receive a new policy with a known password.
Applies to the following Sophos products and versions:
Sophos Endpoint Security and Control
Central Endpoint Advanced 11.5.11
Central Endpoint Standard 11.5.11
It is good practice to back up the registry before making any changes to it.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
Starting 20th January 2018, Tamper Protection passwords can be retrieved for deleted endpoints and servers from within Sophos Central. Follow the steps below to obtain this information:
Note: The report will display endpoints and servers that have been deleted over the previous 60 days. For release, the start date for displaying any deleted endpoints and servers is 9th December 2017.
If you do not have access to Sophos Central, perform the following steps to disable the Enhanced Tamper Protection:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data of SAVEnabled and SEDEnabled to 0.
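The registry backup recommended above can be scripted so that both keys named in this article are exported and the current SAVEnabled and SEDEnabled values are recorded before anything is changed. This is an added example, not Sophos code; it assumes an elevated PowerShell prompt, and the $BackupDir path is a hypothetical location.

```powershell
# Added example (not from the original article): export the two keys named above
# to timestamped .reg files and print the current tamper protection values.
# Assumptions: elevated prompt; $BackupDir is a hypothetical path, change as needed.
$BackupDir = 'C:\TamperProtectionBackup'
$Keys = @(
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($key in $Keys) {
    # Skip keys that do not exist on this machine instead of failing the whole run.
    if (-not (Test-Path -LiteralPath "Registry::$key")) {
        Write-Warning "Key not found, skipping: $key"
        continue
    }
    # Build a file name from the last path component, e.g. Config-<stamp>.reg
    $name = (($key -split '\\')[-1]) -replace '\s', '_'
    $file = Join-Path $BackupDir "$name-$stamp.reg"

    & reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg export failed for $key (exit code $LASTEXITCODE)"
    }
    Write-Output "Exported $key -> $file"
}

# Record the values the article changes, so the original state is on file.
$cfg = Get-ItemProperty -LiteralPath "Registry::$($Keys[0])" -ErrorAction SilentlyContinue
foreach ($v in 'SAVEnabled', 'SEDEnabled') {
    $val = if ($cfg -and $null -ne $cfg.$v) { $cfg.$v } else { '<not present>' }
    Write-Output ("{0} = {1}" -f $v, $val)
}
```

The same read-only check at the end is useful on its own as an audit: a value of 0 for SAVEnabled or SEDEnabled on a machine where nobody performed this recovery is worth investigating.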