Sophos software being removed automatically

We are using Sophos Central and use basic Endpoint Protection, InterceptX Advanced and Encryption - Windows 10 Education 21H2 clients.

Desktops get Endpoint protection + InterceptX

Laptops get Endpoint protection, InterceptX and Encryption.

I now have hundreds of clients that only have the 'Core Agent' installed. Machines that I installed either InterceptX or Encryption on have had those products removed, sometimes after just one reboot. The clients are not logging this behaviour. I can confirm that all products are correctly assigned in Sophos Central and that no policies have been edited for at least 12 months.

Is anybody else seeing anything like this? Regarding the encryption - Sophos Central is stating that Encryption is not installed (as is the client) yet the Windows Bitlocker component is still on the laptop and accepting the user's startup PIN.

I'm at a loss as to what is going on.



[edited by: GlennSen at 8:06 AM (GMT -8) on 12 Mar 2023]
  • Thank you for reaching the Community Forum,

    Can you confirm if the tamper protection, which can be found on your Global policy, is Turned On? If not, you may need to turn it on to secure your endpoint application from sudden removal. This setting should be turned On as part of the recommended settings. 
    In addition, can you confirm if there’s any uninstall script running in the background that may cause this sudden uninstallation of your endpoint application? You may need to verify this on your servers or use Autoruns.exe and run it on the affected device to see. Mostly you need to check the script under Scheduled task. 

    BitLocker will still work for your Device encryption, even if device encryption is not installed on your system. However, the downside is that you won't be able to manage it in your Sophos Central, and retrieving the recovery key may be impossible if the key is not saved on the local desktop or is lost.
    You need to push the device encryption via Sophos Central if you wish to start managing them.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer
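
The checks suggested in the reply above (scheduled-task uninstall scripts, unmanaged BitLocker), as an added example that is not part of the original thread and is not Sophos-provided code. The match pattern, the seven-day window, and the idea that the removed components were uninstalled through Windows Installer are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on an affected client.
# Assumption: the regex is a triage heuristic, not a Sophos-documented signature.
$Pattern = 'sophos|uninstall|msiexec(\.exe)?"?\s.*/x'
$Since   = (Get-Date).AddDays(-7)   # assumed look-back window

# 1. Scheduled tasks whose command line looks like a removal job.
$tasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match $Pattern) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                RunAs   = $task.Principal.UserId
                State   = $task.State
                Command = $cmd
            }
        }
    }
}

# 2. Windows Installer removal events (1034 and 11724) from the Application log.
# Assumption: the removed components were uninstalled through Windows Installer.
$removals = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'MsiInstaller'
    Id = 1034, 11724; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'sophos' } |
    Select-Object TimeCreated, Id, UserId, Message

# 3. BitLocker state on the OS volume: is a recovery password protector present?
# Only protector types and IDs are listed; the recovery password is not printed.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = $vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
$hasRecovery = [bool]($vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

'--- Suspect scheduled tasks ---'
$tasks | Format-List | Out-String
'--- MSI removal events ---'
$removals | Format-List | Out-String
'--- BitLocker ---'
"Volume status: $($vol.VolumeStatus), protection: $($vol.ProtectionStatus)"
$protectors | Format-Table -AutoSize | Out-String
if (-not $hasRecovery) { Write-Warning 'No RecoveryPassword protector on the OS volume.' }
```

The `UserId` on a removal event is the SID of the account that ran the uninstall, which helps tell a deployment tool or script account apart from an interactive user.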
