Re-register computer issue - no tamper protection password

Question

We have just started using Sophos Cloud. A computer was registered using a link from the wrong persons email. We deleted that computer from the Cloud. Now we cannot re-register that computer because of tamper protection on that computer. We cannot get the password because the computer has been deleted. Is there a way to retrieve the password after to computer has been deleted? Is there a way to uninstall without the password? This is version 11.2.5 Cloud

This thread was automatically locked due to age.

Kyle Bigelow · Accepted Answer

Tried this and it worked for me: 
 PHASE1: 
 To recover a tamper protected system, you must disable Enhanced Tamper Protection. 
 Do the following: 
 Boot the system into Safe Mode. 
 Click Start > Run and type regedit and then click OK. 
 Go to the following location in the registry editor: 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the REG_DWORD Start to 0x00000004 
 Go to the following location in the registry editor: 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config 
 Set the following DWORD values to 0: SAVEnabled and SEDEnabled 
 Reboot the system in normal mode. 
 Taken from Article 124377 
 PHASE 2 
 Then I went to uninstall and got an uninstall error so I created a batch file with the following: 
 net stop "Sophos Anti-Virus" net stop "Sophos AutoUpdate Service" :Sophos AutoUpdate MsiExec.exe /qn /X{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} REBOOT=ReallySuppress MsiExec.exe /qn /X{BCF53039-A7FC-4C79-A3E3-437AE28FD918} REBOOT=ReallySuppress MsiExec.exe /qn /X{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520} REBOOT=ReallySuppress :Sophos Anti-Virus (Endpoint) MsiExec.exe /qn /X{8123193C-9000-4EEB-B28A-E74E779759FA} REBOOT=ReallySuppress MsiExec.exe /qn /X{36333618-1CE1-4EF2-8FFD-7F17394891CE} REBOOT=ReallySuppress :Sophos Anti-Virus (Server) MsiExec.exe /qn /X{72E30858-FC95-4C87-A697-670081EBF065} REBOOT=ReallySuppress :Sophos System Protection MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress :Sophos Network Threat Protection MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress :Sophos Health MsiExec.exe /qn /X{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E} REBOOT=ReallySuppress MsiExec.exe /qn /X{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44} REBOOT=ReallySuppress :SDU (1.x) MsiExec.exe /qn /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} REBOOT=ReallySuppress :Heartbeat MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} REBOOT=ReallySuppress :Sophos Management Communications System MsiExec.exe /qn /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} REBOOT=ReallySuppress MsiExec.exe /qn /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REBOOT=ReallySuppress MsiExec.exe /qn /X{D875F30C-B469-4998-9A08-FE145DD5DC1A} REBOOT=ReallySuppress MsiExec.exe /qn /X{2C14E1A2-C4EB-466E-8374-81286D723D3A} REBOOT=ReallySuppress 
 Run that 
 PHASE 3: 
 It was still showing up in the Control Panel/Uninstall Programs which prevented installation again. Run Microsoft's fix it: 
 https://support.microsoft.com/en-us/help/17588/fix-problems-that-block-programs-from-being-installed-or-removed 
 Choose Sophos and uninstall.

Aditya Patel · Answer

HI Danie, 
 When you have installed the Setup from Central , the software is linked to your account and also after removing the system from Sophos Central , you cannot re-register the system back . You may need to remove Endpoint and download a new copy from Central itself and Install again . When the System is deleted from central so does the logs and system information. 
 If you having issue removing the Endpoint let me know , I will DM you the solution by disabling Tamper Protection . 
 Thanks and Regards 
 Aditya Patel | Network and Security Engineer.

Aditya Patel · Answer

Hi Nathen, 
 ON your Sophos Sentral Dashboard could you check if your system is updated recently ?. Also could you send me the logs for MCSAgent inn your Program data Folder.

Aditya Patel · Answer

HI Christian, 
 I have Dm'ed you the steps.

Bonch Merdzh · Answer

https://sophos.com/kb/124377

Nick_SVRMC · Answer

I'm not sure if this has been posted before, but it worked for me. 
 
 https://community.sophos.com/kb/en-us/124377

skyisbluescreen · Answer

Hope this Helps. 
 In Sophos Central Dashboard - Navigate to the below You would seen an option to Recover Deleted Items Tamper Protection. This feature has been recently added where you see a list of deleted computer of the past.

JS · Answer

The next update to the installer will allow it to reinstall over the top of a tamper protected endpoint when the Sophos Central management account it is connected to will remain the same. This will allow unimpeded reinstalls, including if the computer has been deleted in the Sophos Central admin console. It still protects against someone trying to "take over" the client by running an installer from a different Sophos Central account; in that case the tamper protection code will be needed still. 
 
 Longer term we want to improve the uninstall process, for instance when deleting a computer or server in the admin console, it would also disable tamper protection on the endpoint the next time it is online. 
 
 Note: when we update the installer, you do not need to take action to get the benefit. "Old" copies of the installer will check for updates each time they are run and automatically download and use a newer version. For example, this means customers who have set up automated installation process do not have to update it each time we make changes. 
 
 Installer versions are recorded in the installer log file, but are not highlighted elsewhere as they are generally invisible and not important to most customers. 
 
 The exact release date for the next installer will depend on the test pass results, if all goes well it should be out this month, potentially even this week. I will post back to this thread when it is live so you know (no action will be needed to start using it, as noted above).