there's Tamper Protection and Endpoint Defense (SED) aka Enhanced Tamper Protection. From the SED Overview article:
You must disable Sophos Endpoint Defense: ....
to re-protect a tamper protected client from Enterprise Console. If you try to re-protect an endpoint where Sophos Endpoint Defense is enabled, you will get an 0x00000082: The installation could not be started error.
