PCs migrated to Win10 not reporting with Sophos server

Hey Sophos Community.  We have a mix of Windows 7 and Windows 10 clients that report into a Windows 2016 server that has the SEC running on it.  The Windows 7 clients are reporting into the SEC server but the Windows 10 clients are not.  Both batches of clients are getting their updates and all are up to date but the Win 10 clients won't report in.

I've done the normal trouble-shooting process and verified that the ports (8192 and 8194) are not being blocked by the Win firewall by checking the netstat -a on the clients and server.  Reviewing the ReportData from a couple of Win 10 PCs:

01.12.2019 13:21:15 1564 I SAUAdapter - SAU ReportStatus::FinishedUpdate: Failed to read UpdateSource value in the UpdateStatus registry key.

That error is the one common item in the log files.  The SEC shows:

12/5/2019 1:46:26 PM fffffffd This computer is not yet managed. It is protected but has not yet reported back its status.

From the log file in the RMS\3\Agent\Logs dir of a Win 10 PC that isn't reporting in:

01.12.2019 13:11:15 1564 I SAUAdapter - SAU StartingUpdate has been set
01.12.2019 13:11:15 1564 I SAUAdapter - SAU IPCListener::Wait Waiting for more messages
01.12.2019 13:11:15 1564 I SAUAdapter - SAU IPCListener::Wait received message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate" />
01.12.2019 13:11:15 1564 I SAUAdapter - SAU FinishedUpdate has been set
01.12.2019 13:11:15 1564 I SAUAdapter - SAU ReportStatus::FinishedUpdate: Failed to read UpdateSource value in the UpdateStatus registry key.
01.12.2019 13:11:15 1564 I SAUAdapter - SAU Update status information saved to C:\ProgramData\Sophos\AutoUpdate\data\status\AUAdapter.xml
01.12.2019 13:11:15 1564 I SAUAdapter - SAU IPCListener::Wait Waiting for more messages

I'm at a loss as to what is the problem(s) and how to trouble-shoot it going further.  Any assistance would be appreciated.

*Edit*

This is the entry I have in the Win FW group policy as an exception for port 8192 and 8194->

8192:TCP:localsubnet:enabled:sophos  
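
As an added example (not part of the original post and not Sophos code), this Python script parses legacy Windows Firewall policy strings of the form `port:protocol:scope:status:name` and reports which of the two RMS ports named above, 8192 and 8194, have no enabled TCP exception. Only the first entry comes from the post; the other entries are constructed for comparison.

```python
from typing import NamedTuple

REQUIRED_TCP_PORTS = (8192, 8194)  # the two RMS ports named in the post

class PortException(NamedTuple):
    port: int
    protocol: str
    scope: str
    enabled: bool
    name: str

def parse_exception(entry: str) -> PortException:
    """Parse one 'port:protocol:scope:status:name' policy string."""
    try:
        port, protocol, rest = entry.strip().split(":", 2)
        # Split the tail from the right so a scope containing ':' stays whole.
        scope, status, name = rest.rsplit(":", 2)
    except ValueError:
        raise ValueError(f"expected 5 colon-separated fields: {entry!r}") from None
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in {entry!r}")
    if protocol.upper() not in ("TCP", "UDP") or status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"bad protocol or status in {entry!r}")
    return PortException(int(port), protocol.upper(), scope, status.lower() == "enabled", name)

def audit(entries, required=REQUIRED_TCP_PORTS):
    """Return required TCP ports with no enabled exception, plus unparsable entries."""
    open_tcp, malformed = set(), []
    for entry in entries:
        try:
            exc = parse_exception(entry)
        except ValueError:
            malformed.append(entry)
            continue
        if exc.enabled and exc.protocol == "TCP":
            open_tcp.add(exc.port)
    return {"missing": [p for p in required if p not in open_tcp], "malformed": malformed}

# The single entry quoted in the post, then constructed variants for comparison.
POSTED = ["8192:TCP:localsubnet:enabled:sophos"]
CONSTRUCTED_FULL = POSTED + ["8194:TCP:localsubnet:enabled:sophos"]
CONSTRUCTED_BAD = POSTED + ["8194:TCP:localsubnet:disabled:sophos", "8194-TCP-enabled"]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("full", CONSTRUCTED_FULL), ("bad", CONSTRUCTED_BAD)):
        print(label, audit(rules))
```

A disabled or malformed entry counts as no exception, so a port is only treated as covered when an enabled TCP rule for it parses cleanly.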



  • Running Wireshark on a test PC and our SEC server.  On the SEC server, I see a lot of port 8194 traffic but port 8192 doesn't seem to be flowing (port 8192 has a lot of re-transmission requests).  Nothing on either port on the test PC.  

    I see that source ports 50630-50634 (on the test PC) are not making it through.  Checking into that and will update accordingly.

    *updated*

    I forced an update and the packets are making it to the server and getting them back.  Digging deeper.

  • **UPDATE**

    After monitoring Wireshark and tweaking group policies with firewall settings, I went at it from a different direction.

    The issue comes down to the RMS client.  Once I uninstalled the RMS client, restarted and then "protected the computer" from the SEC server, the test PC checks in.

    Here's my question.

    How can I uninstall the RMS client if there is a tamper protection setting on the clients?  I have the msi script done and ready to roll but I don't know how to disable the tamper protection.  Need your help with this portion.  

  • Hi PC_Junkie,

    You can disable tamper protection by following the link here.

    SAJ
    Community Support Engineer | Sophos Technical Support