How to recover a remote-site tamper-protected system

Had an issue on a remote PC that had Sophos installed, but the device had been deleted in Sophos Central (more than 90 days ago). Needed to uninstall Sophos, but first needed to remove tamper protection.

We use ScreenConnect (ConnectWise Control) to remote-control the PCs. You should be able to use any remote control software that is installed on the PC, as long as its service is registered to run in Safe Mode (see below).

Need to make ScreenConnect work in Safe Mode with Networking. Services are only started in Safe Mode if they are listed under the SafeBoot key, so add one:

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network create a key named ScreenConnect Client, and in it set the (Default) value: type=REG_SZ, data=service

Once that is done:

Open a command prompt with administrator rights.

To start Windows 10 in Safe Mode with Networking:

bcdedit /set {current} safeboot network

shutdown -r -t 1 (to restart)

After the restart it should be in Safe Mode with Networking, and you can do the Sophos items listed below to remove tamper protection.

Once done with everything, you need to get back into Normal Mode (the safeboot setting is persistent, so the PC keeps booting into Safe Mode until it is deleted):

Open a command prompt with administrator rights.

To start Windows 10 in Normal Mode:

bcdedit /deletevalue {current} safeboot

shutdown -r -t 1

After rebooting it should be in Normal Mode, and you should be able to uninstall Sophos now.

  1. Open Command Prompt.
  2. Type C: and press Enter.
    • Note: Your Boot drive may differ from C. If so, use a command such as DiskPart and list volume to show the available volumes.
  3. Type cd Windows\System32\drivers and press Enter.
  4. Type ren SophosED.sys SophosED.sys.old and press Enter.
  5. Type exit and press Enter.
  6. Click Continue.
  7. Once back in Windows, open Registry Editor.
  8. Back up the registry.
  9. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the Value data of Start to 0x00000004
  10. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVService and set the Value data of Start to 0x00000004
  11. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service and set the Value data of Start to 0x00000004
  12. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services and under every subkey in this location set the Value data of Protected to 0.
    • Example:
      • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services\SAVService and set the Value data of Protected to 0.
  13. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data of SAVEnabled and SEDEnabled to 0.
  14. Set the Value data of Enabled to 0 in the following:
    • 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\TamperProtection
    • 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection
  15. Restart the endpoint or server to turn off tamper protection completely.
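As an added example (not part of the original post or of Sophos' own tooling), here is a read-only PowerShell check over the same registry locations and the BCD setting used above. It is useful for confirming tamper protection is intact again after reinstalling, or for spotting that this procedure has been run on an endpoint that should still be managed. It assumes the default Sophos service and key names listed in the steps above and the ScreenConnect Client SafeBoot entry this post creates.

```powershell
# Added example: audit the registry values the procedure above changes.
# Read-only; run from an elevated prompt so bcdedit can read the BCD store.
$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue($Path, $Name) {
    # Return $null when the key or value is missing instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sed      = "$services\Sophos Endpoint Defense\TamperProtection"

# Steps 9-11: Sophos services set to Disabled (Start = 4)
foreach ($svc in 'Sophos MCS Agent', 'SAVService', 'Sophos AutoUpdate Service') {
    if ((Get-RegValue "$services\$svc" 'Start') -eq 4) {
        $findings.Add("$svc has Start=4 (disabled)")
    }
}

# Step 12: per-service Protected flag cleared under TamperProtection\Services
if (Test-Path "$sed\Services") {
    Get-ChildItem "$sed\Services" | ForEach-Object {
        if ((Get-RegValue $_.PSPath 'Protected') -eq 0) {
            $findings.Add("$($_.PSChildName): Protected=0")
        }
    }
}

# Steps 13-14: global tamper-protection switches cleared
foreach ($v in 'SAVEnabled', 'SEDEnabled') {
    if ((Get-RegValue "$sed\Config" $v) -eq 0) { $findings.Add("TamperProtection\Config $v=0") }
}
foreach ($hive in 'HKLM:\SOFTWARE\Sophos', 'HKLM:\SOFTWARE\WOW6432Node\Sophos') {
    if ((Get-RegValue "$hive\SAVService\TamperProtection" 'Enabled') -eq 0) {
        $findings.Add("$hive\SAVService\TamperProtection Enabled=0")
    }
}

# Remote-control service registered for Safe Mode, and a lingering safeboot BCD element
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client') {
    $findings.Add('SafeBoot\Network contains a ScreenConnect Client entry')
}
if ((bcdedit /enum '{current}') -match '^safeboot\s') {
    $findings.Add('BCD {current} still has safeboot set; next boot will be Safe Mode')
}

if ($findings.Count -eq 0) { 'No tamper-protection changes found' } else { $findings }
```

A clean endpoint prints the single "No tamper-protection changes found" line; any other output names the exact key that was altered, so the same script doubles as a checklist for undoing the changes once the reinstall is done.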