Sophos Central Endpoint: Remotely fixing "Failed to Protect Computer" or "Missing Services"

Does anyone have any experience in remotely fixing computers that are reporting to Sophos Central with an alert of "Failed to Protect Computer" or showing a bad status with "Services Missing or not Running"? When I say remotely, these are computers spread across many customer sites (schools), and in most cases they are domain-based computers, and we do have admin access to on-site servers, so I am hoping that it might be possible to do something with scripting and group policy. I'm thinking that I might be able to script the steps in this article, Sophos Central: Sophos Endpoint Self Help - Services, for the missing services, and script a "re-install" for computers where absolutely no services are listed following an initial attempt at installation. The product we are installing is Intercept X Advanced. By the way, does anyone know where there is an official list of the services that should be present and running for the Sophos Intercept X Advanced product for Windows endpoints?

Anyway, any practical advice from the community will be greatly appreciated.

Services that I think are the ones we should see for Sophos Intercept X

Example of what we see for some computers - lots of "old" services?

Edited TAGs
[edited by: Gladys at 4:23 AM (GMT -8) on 19 Dec 2022]
  • Hello Russell,

    Thank you for reaching the community forum.

    There are many variables that may render you to perform a remote fix, but the self-help tool is what you're looking for in such issues with Services not running/missing. Creating a script for this is of great help in dealing with such issues listed in the article, but it may not help if the issue is outside of the scope listed on it and requires further investigation. Seeing a bad status device on your Dashboard has a lot to consider, as many causes may trigger it that can't be solved remotely via a script, so the answer to your question may depend on what issue you're currently dealing with. Still, a total remote fix may not be possible through the script, but our support team is what instances.

    On the other hand, based on what I can see on the screenshot you've shared, it looks like those devices you see with lots of old services may have some issues with AutoUpdate services and weren't able to get the latest update, which caused them to report a bad status on your Central dashboard. Dealing with such issues needs further investigation and log-checking to pinpoint the cause of it, especially since each environment of your customers is unique and has a different set from one another.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
  • Hi Russell,
    The first thing you'll need to do is get the AutoUpdate Service running - just getting this sorted may fix all the problems. However, if that is not the case, move on to the article you mentioned in your post and the section on Service is Missing.

    As the MCS Service looks to be running you should be able to turn off Tamper Protection.

    Do you have XDR? I used Live Response yesterday to remotely fix a device that had the same services listed as missing. 90 minutes later the device is showing as green in Central and all fixed. I need to do both tasks above on this particular workstation. I've never needed to script the fix but guess it is possible using the two articles.

    Best of luck.
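
An added example, not part of the thread and not Sophos tooling: a read-only PowerShell script, suitable for deployment as a Group Policy startup script, that compares a computer's services with a baseline exported from a machine that is green in Central. It separates the "no services at all" reinstall case from the "service missing" case and lists leftover "old" services. The share paths, the display-name patterns and the helper function names are assumptions.

```powershell
# Added example. Reports only; it changes nothing on the endpoint.
param(
    [string]$BaselinePath = '\\SERVER\SophosTriage$\baseline.csv',  # placeholder share
    [string]$ReportDir    = '\\SERVER\SophosTriage$\reports',       # placeholder share
    [switch]$ExportBaseline   # run once on a machine that is green in Central
)

# Assumed display-name patterns; confirm them against the healthy machine.
$patterns = 'Sophos*', 'HitmanPro*'

function Get-AgentService {
    Get-Service -DisplayName $patterns -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, @{ n = 'Status'; e = { "$($_.Status)" } }
}

function Compare-ToBaseline {
    param([object[]]$Baseline, [object[]]$Current)

    $byName = @{}
    foreach ($svc in $Current) { $byName[$svc.Name] = $svc }

    # In the baseline but absent here: the "Service is Missing" case.
    $missing = @($Baseline | Where-Object { -not $byName.ContainsKey($_.Name) })
    # Present here and running on the healthy machine, but not running here.
    $stopped = @($Baseline | Where-Object {
        $byName.ContainsKey($_.Name) -and $_.Status -eq 'Running' -and
        $byName[$_.Name].Status -ne 'Running' })
    # Present here but not on the healthy machine: leftover "old" services.
    $extra = @($Current | Where-Object { $Baseline.Name -notcontains $_.Name })

    $state = 'Healthy'
    if     ($Current.Count -eq 0) { $state = 'NoServices' }       # reinstall candidate
    elseif ($missing.Count -gt 0) { $state = 'ServicesMissing' }
    elseif ($stopped.Count -gt 0) { $state = 'ServicesStopped' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Checked  = (Get-Date).ToString('s')
        State    = $state
        Missing  = @($missing | ForEach-Object DisplayName)
        Stopped  = @($stopped | ForEach-Object DisplayName)
        Extra    = @($extra   | ForEach-Object DisplayName)
    }
}

if ($ExportBaseline) {
    Get-AgentService | Export-Csv -NoTypeInformation -Path $BaselinePath
    return
}
$report = Compare-ToBaseline -Baseline (Import-Csv $BaselinePath) -Current @(Get-AgentService)
$report | ConvertTo-Json | Set-Content (Join-Path $ReportDir "$env:COMPUTERNAME.json")
```

Startup scripts run as the computer account, so the report folder needs write access for the domain computers and the baseline file should be read-only to them.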


  • Hi Andy,

    Thanks for the reply and the really helpful and practical information. I have done some investigation on a computer I have remote access to that is showing a bad status (missing HitmanPro Alert Service) and I can see the Autoupdate Service is missing, as well as the HitmanPro service, when I check in the Windows Services console (services.msc). This service is present and running on computers with a good status, even though the Autoupdate Service no longer seems to be a service that is listed on the status tab for devices with a good status in Sophos Central. So, getting the Autoupdate service installed and running certainly seems to be the first step, as you suggest.

    Unfortunately, I don't have XDR, so I don't have that ability to remotely fix computers. Hence the idea of using scripts in conjunction with group policy where I can.

    Once again, thanks for your insights. It has got me moving in the right direction I think.

    Kind regards,