Sophos software being removed automatically

We are using Sophos Central and use basic Endpoint Protection, InterceptX Advanced and Encryption - Windows 10 Education 21H2 clients.

Desktops get Endpoint protection + InterceptX

Laptops get Endpoint protection, InterceptX and Encryption.

I now have hundreds of clients that only have the 'Core Agent' installed. Machines that I iinstalled either InterceptX or Encryption on have had those products removed, sometimes after just one reboot. The clients are not logging this behaviour. I can confirm that all products are correctly assigned in Sophos Central and that no policies have been edited for at least 12 months.

Is anybody else seeing anything like this? Regarding the encryption - Sophos Central is stating that Encryption is not installed (as is the client) yet the Windows Bitlocker component is still on the laptop and accepting the user's startup PIN.

I'm at a loss as to what is going on.

Edit Tags
[edited by: GlennSen at 8:06 AM (GMT -8) on 12 Mar 2023]

Top Replies

Marcel 6 months ago +1

I have seen this behavior only in environments where the license had been expired for a while. Can you please verify that you have a valid license - c lick your account name (upper right of the user interface…

0 Mr J Shields 6 months ago

Apologies - could somebody move this to the Sophos Central section please? Thanks
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Marcel 6 months ago

I have seen this behavior only in environments where the license had been expired for a while. Can you please verify that you have a valid license - click your account name (upper right of the user interface), select Licensing. .
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Mr J Shields 6 months ago in reply to Marcel

Thanks Marcel. According to Sophos Central I can confirm that our current licence runs until Mar 31, 2023
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Marcel 6 months ago in reply to Mr J Shields

In that case I would recommend to open a support case via the support portal: https://support.sophos.com/. In the lower right from the support portal you will also see an option to chat directly with the support team.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 GlennSen 6 months ago

Thank you for reaching the Community Forum,

Can you confirm if the tamper protection, which can be found on your Global policy, is Turned On? If not, you may need to turn it on to secure your endpoint application from sudden removal. This setting should be turned On as part of the recommended settings.
In addition, can you confirm if there’s any uninstall script running in the background that may cause this sudden uninstallation of your endpoint application? You may need to verify this on your servers or use Autoruns.exe and run it on the affected device to see. Mostly you need to check the script under Scheduled task.

BitLocker will still work for your Device encryption, even if device encryption is not installed on your system. However, the downside is that you won't be able to manage on your Sophos central, and retrieving the recovery key may be impossible if the key is not saved on the local desktop or is lost.
You need tp push the device encryption via Sophos central if you wish to start managing them.

Glenn ArchieSeñas (GlennSen)

Global Community Support Engineer | Global Community and Digital Customer Support

Connect, Engage, Earn Rewards - Join the Sophos Community
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel