Re-register computer issue - no tamper protection password

We have just started using Sophos Cloud. A computer was registered using a link from the wrong person's email. We deleted that computer from the Cloud. Now we cannot re-register that computer because of tamper protection on that computer. We cannot get the password because the computer has been deleted. Is there a way to retrieve the password after the computer has been deleted? Is there a way to uninstall without the password? This is version 11.2.5 Cloud.

  • The following batch file should do it:

    www.sophos.com/.../122126.aspx

    Regards,
    Jak
  • How do you do this for a Mac?  The key is that I do not have the Tamper Protection password as the system was already deleted from the cloud.  I need to either uninstall the software from the computer or re-register it to my cloud account.

  • I am using Sophos Central.

    I removed the Sophos software from my Mac and Deleted the Mac Device from within the Central console.

    Now I cannot add the specific Mac device back to Central anymore and I cannot find how to uninstall the Mac endpoint client. Removing/Deleting Sophos from Applications does not uninstall it.

    How to proceed? Most Sophos documents still refer to Endpoint Advanced with SEC or the previous Sophos cloud solution. When will Central be uploaded and updated?

  • In reply to Danie de Jager:

    I find the uninstall option B 

    https://community.sophos.com/kb/pl-pl/120838

    showing me the uninstall program but it asks for Tamper protection. I need to add the Mac back to Central so I can manage it but how do I do that once it is deleted?

  • In reply to Danie de Jager:

    Hi Danie,

    When you have installed the setup from Central, the software is linked to your account, and after removing the system from Sophos Central you cannot re-register the system. You may need to remove Endpoint, download a new copy from Central itself, and install again. When the system is deleted from Central, so are the logs and system information.

    If you are having an issue removing the Endpoint, let me know; I will DM you the solution by disabling Tamper Protection.

    Thanks and Regards

    Aditya Patel | Network and Security Engineer.

  • In reply to Aditya Patel:

    I have this exact same issue.  Cloud Central doesn't show the endpoint and I can't uninstall in order to re-register.  Please DM me the same information so I can proceed.

  • Tried this and it worked for me:

    PHASE 1:

    To recover a tamper protected system, you must disable Enhanced Tamper Protection.

    Do the following:

        Boot the system into Safe Mode.

        Click Start > Run, type regedit, and then click OK.

        Go to the following location in the registry editor:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent

        Set the REG_DWORD Start to 0x00000004.

        Go to the following location in the registry editor:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config

        Set the following DWORD values to 0: SAVEnabled and SEDEnabled

        Reboot the system in normal mode.

    Taken from Article 124377

    PHASE 2

    Then I went to uninstall and got an uninstall error so I created a batch file with the following:

    net stop "Sophos Anti-Virus"
    net stop "Sophos AutoUpdate Service"
    :Sophos AutoUpdate
    MsiExec.exe /qn /X{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{BCF53039-A7FC-4C79-A3E3-437AE28FD918} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520} REBOOT=ReallySuppress
    :Sophos Anti-Virus (Endpoint)
    MsiExec.exe /qn /X{8123193C-9000-4EEB-B28A-E74E779759FA} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{36333618-1CE1-4EF2-8FFD-7F17394891CE} REBOOT=ReallySuppress
    :Sophos Anti-Virus (Server)
    MsiExec.exe /qn /X{72E30858-FC95-4C87-A697-670081EBF065} REBOOT=ReallySuppress
    :Sophos System Protection
    MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress
    :Sophos Network Threat Protection
    MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress
    :Sophos Health
    MsiExec.exe /qn /X{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44} REBOOT=ReallySuppress
    :SDU (1.x)
    MsiExec.exe /qn /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} REBOOT=ReallySuppress
    :Heartbeat
    MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} REBOOT=ReallySuppress
    :Sophos Management Communications System
    MsiExec.exe /qn /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{D875F30C-B469-4998-9A08-FE145DD5DC1A} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{2C14E1A2-C4EB-466E-8374-81286D723D3A} REBOOT=ReallySuppress

    Run that

    PHASE 3:

    It was still showing up in the Control Panel/Uninstall Programs which prevented installation again.  Run Microsoft's fix it:

    https://support.microsoft.com/en-us/help/17588/fix-problems-that-block-programs-from-being-installed-or-removed

    Choose Sophos and uninstall. 
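
An added example (not part of the post above, and not Sophos code): a Python check that parses `reg query` output for the registry values named in Phase 1 and reports any that are still in the state the post sets, so an administrator can confirm a recovered or reinstalled machine has not been left with tamper protection switched off. The sample output is constructed and the function name `audit_reg_query` is hypothetical.

```python
import re

# Values the post above changes, with the data it sets (names and data from the post).
CONFIG_KEY = r"services\sophos endpoint defense\tamperprotection\config"
WATCHED = {
    (r"services\sophos mcs agent", "start"): (4, "MCS Agent service set to disabled"),
    (CONFIG_KEY, "savenabled"): (0, "SAVEnabled cleared"),
    (CONFIG_KEY, "sedenabled"): (0, "SEDEnabled cleared"),
}
VALUE_LINE = re.compile(r"^\s+(.+?)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")
# Accept CurrentControlSet or a numbered control set (offline hive exports).
KEY_PREFIX = re.compile(
    r"^hkey_local_machine\\system\\(currentcontrolset|controlset\d{3})\\")

def audit_reg_query(text):
    """Parse `reg query` output; return a finding per value matching WATCHED."""
    findings, key = [], None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            # Key header line: strip hive and control-set prefix, keep the rest.
            low = line.strip().lower()
            m = KEY_PREFIX.match(low)
            key = low[m.end():] if m else None
            continue
        m = VALUE_LINE.match(line)
        if key is None or not m:
            continue
        expected = WATCHED.get((key, m.group(1).lower()))
        if expected and int(m.group(2), 16) == expected[0]:
            findings.append(expected[1])
    return findings

# Constructed sample of `reg query` output (not taken from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent
    Start    REG_DWORD    0x4
    Type    REG_DWORD    0x10

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
    SAVEnabled    REG_DWORD    0x0
    SEDEnabled    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for finding in audit_reg_query(SAMPLE):
        print("FINDING:", finding)
```

Because the post makes these edits in Safe Mode, where event logging agents may not be running, a state check like this can catch a change that registry-modification events would miss.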

  • In reply to Aditya Patel:

    I am on a mac with a trial version and need the tamper protection password please.  Can you DM?  thanks 

  • I have the same/similar issue as above on a Mac (OS 10.11.6).

    Downloaded a trial of Sophos Cloud.

    Deployed Endpoint Protection to one computer.

    Didn't like software so I deleted the computer/device from Sophos Central -- hoping that would turn off on computer.

    I did this BEFORE disabling Tamper Protection on Sophos Central.

    ((I did not nominate a tamper protection password on Central, tamper protection (TP) was on by default)).

    Now my machine will not let me use the Sophos Remove/Uninstaller without the TP password.

    I have turned off tamper protection on Sophos Central but it does not update my device as they are no longer linked.

    The computer is stuck with TP password that was never nominated and downloading/reinstalling Sophos again does not result in reconnection of the device on Sophos Central.

    So I'm in a loop because I did things out of order. Sophos Central is not connected to device. Device is stuck in a state where tamper protection is permanently on. I don't have the TP password.

    I've tried some of the command line suggestions in various threads and Knowledge Boards on this site with no success.

    Is there a way to remove Sophos without the TP password OR is there a way to reconnect my device to central to adjust settings?

    Very frustrated with this software.

  • In reply to Owen Lewis:

    Hi Owen,

    I will share the steps with you and would recommend you not share them with anyone else.

    Thanks and Regards

    Aditya Patel

  • I also have the same issue that Owen explains.  Can you send me some other actions as I have logged a support call but still not heard anything?

     

    Thanks,

     

    Gavin

  • In reply to Gavin Bidgood:

    Hi Gavin,

    I have provided the steps for the same.

    Thanks and Regards

    Aditya Patel

  • In reply to Aditya Patel:

    Thanks Aditya, all sorted. Phew!!!

  • In reply to Aditya Patel:

    Hi Aditya,

    I'm having exactly the same issue as Gavin and Owen explained above and I can't sort it out...

    Deleted my mac from the computer list in Sophos central and can't remove Sophos, because of the tamper protection password (which can only be changed on the computer list).

     

    Is it possible to help me out with this?

     

    Thanks & kind regards,

    Pieter,