Unable to reset Tamper Protection on non administrated devices


We have a couple of devices which already have the endpoint protection installed, but are shown under the topic not administrated devices.

I already tried the following workaround: https://support.sophos.com/support/s/article/KB-000036125?language=en_US#Windows_10

The problem is that when I select the command prompt, there is no admin account to select. I double-checked that there is a local admin account which was also logged on to this computer.

Has anyone had the same problem, or maybe a solution other than reinstalling the devices?

Thanks in advance.

Edited TAGs
[edited by: Qoosh at 11:26 PM (GMT -7) on 1 Jul 2022]
  • Hi Quasar,

    Thank you for reaching out to us. In the article that you've shared, have you tried manually disabling tamper protection via safe mode? Follow the steps listed under "For Core Agent 2.10.8 and earlier" and let us know. Once TP is disabled, you can proceed with booting the device via normal mode. If you wish to register the device on your Sophos Central where you manage your endpoint, you need to download a fresh package and run it via elevated command prompt access together with the switch "--registeronly".
    This will register your endpoint device to your managed central account without performing re-installation.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community
  • Hi GlennSen,

    I just tried your suggested steps. The outcome wasn't that promising.

    First I tried the steps under "For Core Agent 2.10.8 and earlier", which asked to set the startup type of the Sophos Anti-Virus Service to disabled. That didn't work. Instead I got an "Access restricted" message displayed, even when I tried it with the local administrator.

    Running the Client.exe with the switch --registeronly only showed the notification that tamper protection is not turned off.

  • Hello Quasar,

    Was it done via safe mode? You won't be able to change anything yet if you're running via normal mode.

    Glenn ArchieSeñas (GlennSen)
  • Hello GlennSen,

    Yes. I just tried it again with the same outcome.

  • Another option that may work is to use bootable media to browse the files on your device. Using this method, you can browse through the files on the main system as though it were a locally attached drive. Alternatively, you could also remove the hard drive from the main device if this is easier for you, or if you have a way to connect the drive to another system.

    The only step you will need to perform while using the bootable media is as follows.

    1. Go to C:\Windows\System32\drivers
    2. Rename SophosED.sys to SophosED.sys.old

    Once completed, you can boot the device up normally and proceed through the remaining steps in the KBA from step 10.

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.