Update location changes do not persist

Hello everyone,

we've got some endpoints which are not connected to the local network of our company the whole time.

To make them able to update I've changed the Update location for Sophos AutoUpdate by editing the AllowLocalConfig line in file  %ProgramData%\Sophos\AutoUpdate\Config\iconn.cfg and setting the update location in AutoUpdate to Sophos with the corresponding credentials.

All done according to this https://support.sophos.com/support/s/article/KB-000033604?language=en_US KB (and some Posts in this community).

Some time ago the automatic updates on some endpoints stopped working and I've figured out that I can still change the Update location in Sophos AutoUpdate and successfully update them after that. But after reboot the settings are lost and the update fails.

The KB mentioned above seems to be up to date, so is this a bug or is there a new way to change the connection settings?

The affected endpoints are running Sophos Endpoint Security and Control version 10.8 with AutoUpdate version 5.16.37.

Thanks in advance for Your help.

Best regards,


  • The SEC policy will be reapplied by the Agent at startup.  Can you not specify these locations and primary and secondary in the product?

    Can you provide example locations?

    Is the primary set to be a UNC path?

    The secondary is set to Sophos?

    Is the failover to Sophos not helpful?

  • I'm trying to set the primary location to Sophos. By default, it is set to a UNC path.

    Neither the primary nor the secondary location setting does persist a reboot, so there is no failover to Sophos.

  • The primary is not designed to be Sophos. It can be a http or unc path to your update location. The secondary can be Sophos. Surely for those computers that can’t contact your primary they will fail over to Sophos and then work. I’m not sure what the issue is.

  • Well it worked for us for years this way. Anyway I know it might not be best practice to have no externally accessible update server/path.

    I just want to mention that the standalone installer of Sophos Endpoint Security and Control uses the same configuration (which it is not designed to do?): It uses Sophos primary (and only) update location, with the credentials provided during installation.

    Installing it standalone on another machine I've found a workaround, which might be useful for anybody trying to do it the same way:

    When entering the credentials in the configuration window of AutoUpdate, a file named "iconnlocal.cfg" is created. Since some time this file seems to be removed (by Sophos AutoUpdate?) on reboot so the settings are lost. To keep the settings enter the credentials in the configuration window so that a iconnlocal.cfg is created. Then copy the lines of that file below [PPI.WebConfig_Primary] to the same section of the iconn.cfg file.

    Whether it is supposed to do so or not, this keeps the changes after reboot and - as mentioned above - it is the same way the standalone installer does, so it can't be too bad it think.