Cannot unintall Endpoint client - Keeps saying tamper protection is enabled

Hello James,

If you've already retrieved the tamper protection key and and entered it on the PC you're trying to remove it from, then I ran into a similar issue last week.

I had to boot into safe mode, change some registry keys to disable protection, then reboot back into safe mode to uninstall.

This is the KB about the issue

https://community.sophos.com/kb/en-us/124377

I hope this helps

thanks for the reply.  Unfortunately safe mode is not going to be an option.  We have circa 1000+ surface pro 4/5's all with bitlocker enabled.  To get in to safe mode you have to input the bitlocker key, which takes a couple of minutes to look up on Azure and if that person is offsite....

Maybe somebody from sophos can confirm, as if this is the only way we'll have to look at getting a refund as it's not something we can realistically support.

Hello James,

To clarify, disabling Tamper protection via Sophos Central should allow you to proceed with the un-installation.
In the event that there is a problem with the computer (for example, if it cannot communicate with Sophos Central), then Safe mode can be used as an alternative way to disable Tamper protection. 

Here's another way to disable tamper protection via Central and the endpoint by locally entering the TP password ---> KB119175

If the above doesn't work, I have a few questions/suggestions for you:

• Are all of your test machines presenting this behavior?
• Are there any errors listed in Central for the affected device?
• You may want to check that communication between endpoints and Central is properly taking place. Here are 2 articles that will help you set this up:
  
  Domains and ports required for communication to and from Sophos Central Admin and the Sophos Central-managed client software 
  
  'Timeout while attempting to connect to the specified address. There may be a problem with the network.' 

Please let us know the outcome or if you have any questions. 

hi barb

many thanks for the reply.

At the moment it is only one client that is having the issue.  The client is communicating with the sophos central in the fact that I can see on the computer the last activity keeps updating from when I boot/reboot the pc.  It just doesn't seem to be picking up the tamper protection settings.  I have tried turning them on and off, and also sending out a new tamper protection number.  However this is the surface client, so I'm keen to try and get it working without having to resort to safe mode as realistically that's not something we can support.  I'll try your other suggestions and let you know how I get on.

Many thanks

James

just to update, it eventually picked up the fact that I had disabled tamper protection (only took half a day!), so now I've been able to uninstall the client and test pushing it out via our MDM (Intune).  However, already on the two that I have tested, they are reporting back in the sophos central that services have not started.

So, I go to try and uninstall the client through apps and features, hit uninstall, I get the little timer that just disappears then nothing happens.  So I can't uninstall the client again.

When you tried to re-install, what was in the installer log file:
C:\ProgramData\Sophos\CloudInstaller\Logs\

It maybe we need to see logs of a failing component, but that would be a start to know which component.

Regards,

Jak

i've since re-imaged that machine and we are now having issues with intune.  I'll post the logs back if it happens again, just trying to get the distribution sorted now.

I recently had this issue where sophos kept prompting for administrator and Tamper protection password to uninstall sophos and still would not uninstall sophos agent even though tamper had been disabled on Central. I also could not disable tamper on the endpoint because the GUI component that allows to disable tamper on the endpoint is missing. So I did this simple thing, logged on to my local account (not domain account) and uninstalled sophos. Smooth[:D]