
How to disable Sophos Endpoint Defense without booting into safe mode

I recently deployed the new Sophos Central Endpoint to over 300 workstations to replace our older Sophos Endpoint. Approximately 20% of the workstations failed during install and were left with these three programs listed in Programs and Features:

  • Sophos AutoUpdate XG
  • Sophos Endpoint Defense
  • Sophos Management Communications System

When I attempt to reinstall the Sophos Central Endpoint on one of these workstations, I get the following error: You must disable Sophos Tamper Protection before you continue. Contact your administrator or see Sophos KBA 119175.

When I attempt to remove the Sophos Endpoint Defense application from Programs and Features, I get the same error. I have attempted to disable Tamper Protection through Sophos Central as well but this has no effect.

I contacted support and was referred to Sophos KBA 124377 which explains how to resolve this issue by booting into safe mode, modifying the registry to disable Sophos Endpoint Defense, and then booting back into Windows. Unfortunately, this is not a workable solution since we have over 60 affected clients all over the country. I have tried modifying the registry keys mentioned in KBA 124337 using Group Policy (both using startup scripts and using Registry Group Policy Preferences) but this has no effect because tamper protection is enabled before they run which locks down the registry keys I need to change.

Anyone have any thoughts on how I can get Sophos Central Endpoint reinstalled on these workstations without having to boot each one into safe mode and manually modify the registry? Or how to redeploy the client to these workstations, since they do have the AutoUpdate component?
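Before scheduling the safe-mode fix, it helps to know exactly which workstations are in the partial-install state the question describes (only the three leftover components present in Programs and Features). The following PowerShell inventory script is an added example, not code from the thread or from Sophos; it assumes WinRM is enabled for Invoke-Command, that a list of hostnames is kept in a file you maintain (`workstations.txt` here is a placeholder), and that a healthy Central install registers additional Sophos entries beyond those three.

```powershell
# Added example (not from the thread): flag workstations stuck with only the three
# leftover Sophos components listed in Programs and Features.
function Get-SophosInstallState {
    # The three components the question says remain after a failed install
    $expected = @(
        'Sophos AutoUpdate XG',
        'Sophos Endpoint Defense',
        'Sophos Management Communications System'
    )
    # Programs and Features reads these two uninstall hives (64-bit and 32-bit)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Collect the DisplayName of every Sophos product registered on this host
    $names = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Sophos*' } |
        Select-Object -ExpandProperty DisplayName -Unique)

    $missing = @($expected | Where-Object { $_ -notin $names })
    $extra   = @($names    | Where-Object { $_ -notin $expected })

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SophosProducts = ($names -join '; ')
        # Assumption: a partial install is exactly the three leftovers and nothing else
        PartialInstall = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Usage: query each host remotely and export the affected ones for follow-up.
# workstations.txt is a placeholder for your own list, one hostname per line.
$computers = Get-Content -Path .\workstations.txt
Invoke-Command -ComputerName $computers `
               -ScriptBlock ${function:Get-SophosInstallState} `
               -ErrorAction SilentlyContinue |
    Where-Object { $_.PartialInstall } |
    Select-Object ComputerName, SophosProducts |
    Export-Csv -Path .\sophos-partial-installs.csv -NoTypeInformation
```

The function defines its own reference data so it can be shipped to remote hosts as a script block; hosts that are unreachable are skipped rather than failing the whole run, so compare the CSV against the input list to catch machines that never answered.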

  • Hello Christopher,

    Would it be possible to confirm the method of migration you used, so I can understand the process that has happened here?

    Additionally, if Sophos Management Communications System is on the system, do you know if the endpoint has created an entry for itself in the Central dashboard? If so, can you disable Tamper Protection from the console, and does this feed back to the endpoint?

    I would also highly recommend raising a case with Sophos Support if you have not already. If you have, can you message me the case reference?

    https://secure2.sophos.com/en-us/support/contact-support.aspx

  • I performed the migrations using two different methods. First, I migrated about 30 clients using the Sophos Cloud Migration Tool, and of those, 3 were failures. I migrated the remainder through SCCM using a deployment packager called PowerShell App Deployment Toolkit. The package took three actions: first uninstalling Sophos Client Firewall (if present), then running "SophosInstall.exe -q -tps remove", and forcing a reboot at the end.

    Yes, all affected installs are registered in Sophos Central and communicating with the portal. Once a day, they try to update the agent and fail. Interestingly, they only display "medium" status even though they're completely missing AV and web filtering. I did try disabling tamper protection through Sophos Central on multiple clients but it does not deactivate Endpoint Defense.

    I do have a case open with Sophos and will send you the number.

    Thank you for your help.

