Recap: Getting started with Sophos Endpoint - Session 2

On March 18, we hosted session 2 of our 4-part Getting started with Sophos Endpoint webinar series. We covered manual and scripted deployment of Sophos Endpoint to Windows and Mac devices. 

For those who were unable to attend or would like to revisit the session, you can find the webinar recording below. Additional resources can be found at the bottom of this post.
 
 
Interested in learning more?

This was the second of a 4-part series designed to enhance your journey with Sophos Endpoint. Future sessions include:   

  • Session 3: Configure your endpoint protection policies, April 16, 2025 
  • Session 4: Configure additional Sophos Endpoint features, May 13, 2025  

REGISTER NOW

Can’t attend live? Register anyway to receive the recording after the live event.   

 Related resources

Additional Support resources

  • Support Portal – for access to product resources, knowledge base articles, documentation, and much more.
  • Sophos Status – sign up for updates on system and product statuses and maintenance.
  • Sophos Techvids – for troubleshooting guides, product demos, and foundational knowledge videos.

Follow-up Q&A

  1. Can an Update Cache or Message Relay be installed on an existing server or does it have to be a separate server?
    1. You can deploy an Update Cache and Message Relay to an existing Windows system that has Sophos Endpoint/Server installed. Windows workstation operating systems support only the Update Cache; Windows Server operating systems support both the Update Cache and the Message Relay.

  2. Can we switch from on-prem sync to Entra ID sync seamlessly or what do we have to look out for?
    1. It’s important that you first understand that we synchronize different information from Microsoft Entra ID than from AD. If you want to use a directory source to manage devices and device groups, you can only use AD. Microsoft Entra ID doesn't support devices and device groups. You can choose to synchronize Entra ID only, or AD for devices and device groups and Microsoft Entra ID for users and user groups for the same domain. See Migrate to Microsoft Entra ID.

  3. Can you explain again how Sophos MDR integrates with Sophos Central, including its key benefits for threat detection and response?
    1. Sophos MDR connects seamlessly with various third-party integrations to collect logging and telemetry information. This allows us to:
      1. Have greater visibility into your environment
      2. Provide better root cause analysis reports in the event the threat was generated from one of the third-party integrations
      3. Provide quicker alerting (e.g., a threat is on the network but nothing has touched an endpoint yet because the attacker is still surveying)
      4. Assess any suspicious activity in your cloud environment

  4. Could I have assistance offline because I have an issue when connecting to my account?
    1. If you require 1:1 assistance, we suggest reaching out to Sophos Support via the Support Portal, or by reaching out via your regional support phone number.

  5. For the MDR setup, we have a Central Estate with our customers in as Sub Estates. Can we configure MDR options on the Main Estate or will it need doing on each individual Sub Estate?
    1. You can configure MDR options directly on the Enterprise Dashboard and the settings will match for your individual sub-estates. See Sophos Central Enterprise MDR documentation. You can also configure MDR options for your customers if you’re a Managed Service Provider. See Sophos Central Partner MDR documentation.

  6. How can we perform the sync in a multi-tenant environment with Azure?
    1. You can configure multiple Entra ID syncs to Sophos Central, one per domain. See Change Microsoft Entra ID source configuration.

  7. How to get computer serial numbers registered in SOPHOS?
    1. If you’re licensed for Sophos XDR/MDR, you can create a custom Live Discover query. See Edit or create queries documentation. The osquery query you can use is “SELECT hardware_serial AS SerialNumber FROM system_info”.

  8. I have a user on a local domain and also a user in Entra ID, what do you suggest, should the configuration be done in both systems or only in one?
    1. If you have a hybrid setup, we recommend you sync your local AD into Entra ID and perform a sync from Entra ID to Sophos Central. This will ensure that Entra ID has a full scope of your environment and Sophos Central will mirror that.

  9. If I implement Active Directory in a company that currently only uses Endpoint and all accounts are local, is it possible to revert the process in case of an error during synchronization?
    1. If there are errors during synchronization, no data should be synced over. If you want to undo the data synced from AD, you can do so by Purging AD data. See Purge synchronized Active Directory data documentation.

  10. If Sophos was originally not setup with AD sync, what would be the effect of setting up the sync on the existing users and computers in Sophos?
    1. Existing users and computers should automatically link together when AD sync is run.

  11. In case that Update Cache and Message Relay server is unavailable do the clients communicate directly to Central?
    1. Clients will first attempt to connect to the closest cache and relay for updates/communications. If this fails, they will attempt to connect to other available caches/relays. If none are available, the client will attempt to connect out to Sophos Central via the OS-configured proxy. If this fails, the client will attempt to connect to Sophos Central directly.

  12. My AD Sync is not finding the users container, can you show me the filter please?
    1. It’s a common misconfiguration to include OU=Users in the search base. If you’re looking to include the default AD Users container, ensure that you’re using CN=Users,DC=domain,DC=suffix rather than OU=Users. If you’re still encountering issues we encourage you to reach out to Sophos Support via the Support Portal, or via your regional support phone number.

  13. Recently we have had some devices that have "fallen off" and become unmanaged devices despite having the Endpoint installed, they are unable to be updated and have lost the tamper protection.  Could this be related to the setting of excluding disabled devices in the sync settings?  Perhaps in a case where the device was disabled for a longer period of time?
    1. It’s unlikely that this is related to AD sync as we do not remove synced devices from Central if they’re excluded from the sync. Computers should continue to update and communicate with Sophos Central even if they’re no longer synced. Endpoints only lose tamper protection if they have been deleted from Sophos Central or their license has expired. You can open up registry editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\SharedState\UserInterface\[TIMESTAMP]\ to see the time and reason. If you require further assistance, we encourage you to reach out to Sophos Support via the Support Portal, or via your regional support phone number.

  14. We sync AD with Sophos but it doesn't update users automatically.
    1. By default, the AD Sync tool is configured to only run the sync when you click Preview and Sync on the tool. Check your tool configuration to confirm that AD sync has been configured to run on a schedule under the last tab “Sync Schedule”.

  15. Where do you find the synchronization logs for active directory connector?
    1. Logs for the AD Sync Utility can be found on the system where it is installed in the directory: C:\ProgramData\Sophos\Sophos Cloud AD Sync\Logs\
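
The search-base mix-up described in question 12 can be checked against the directory before changing the AD Sync filter. The following is an added example, not Sophos code: Test-SyncSearchBase is a hypothetical helper, the distinguished names are constructed from the placeholder in the answer, and it assumes the ActiveDirectory PowerShell module (RSAT) is available on a domain-joined system.

```powershell
# Added example: verify AD Sync search bases and detect the OU=/CN= mix-up.
# Test-SyncSearchBase is a hypothetical helper name; sample DNs are constructed.
Import-Module ActiveDirectory

function Test-SyncSearchBase {
    param([Parameter(Mandatory)][string[]]$SearchBase)

    foreach ($dn in $SearchBase) {
        $result = [ordered]@{
            SearchBase  = $dn
            Exists      = $false
            ObjectClass = $null
            Suggestion  = $null
        }
        try {
            $obj = Get-ADObject -Identity $dn -ErrorAction Stop
            $result.Exists      = $true
            $result.ObjectClass = $obj.ObjectClass
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # DN not found: retry with the leading RDN type swapped (OU= <-> CN=).
            $alt = $null
            if     ($dn -match '^OU=') { $alt = $dn -replace '^OU=', 'CN=' }
            elseif ($dn -match '^CN=') { $alt = $dn -replace '^CN=', 'OU=' }

            if ($alt) {
                try {
                    $null = Get-ADObject -Identity $alt -ErrorAction Stop
                    $result.Suggestion = $alt   # the swapped form exists
                }
                catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                    # Neither form exists; leave Suggestion empty.
                }
            }
        }
        [pscustomobject]$result
    }
}

# Constructed search bases; replace with the ones configured in the AD Sync tool.
Test-SyncSearchBase -SearchBase @(
    'OU=Users,DC=domain,DC=suffix',
    'CN=Users,DC=domain,DC=suffix'
) | Format-Table -AutoSize
```

A search base that exists reports an ObjectClass of container for the default Users container and organizationalUnit for an OU; a row with Exists set to False and a populated Suggestion is the misconfiguration the answer describes.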