Instructions on how to remove Sophos Endpoint when losing Tamper Protection

1. Goal of the article

As you know to remove Sophos Endpoint software we need to have Tamper Protection password or disable Tamper Protection on Sophos Central for that computer.

So what if we accidentally delete that device on Sophos Central, at this point we will not be able to get the Tamper Protection password or turn it off.

Through this article, techbast will guide you how to uninstall Sophos Endpoint when encountering the above cases.

2. Configuration scenarios

We will prepare 2 computers running Windows 10 with Sophos Endpoint installed, DESKTOP-6C2AIT6 and PC01.

We then delete the device from Sophos Central as well. And perform uninstall Sophos Endpoint on those 2 computers.

We will have 2 ways to remove, the first is to remove with Recover Tamper Protection password and the second way is to enter Safe Mode to remove.

Method 1 will be done on PC01 and method 2 will be done on computer DESKTOP-6C2AIT6.

3. Configuration

3.1 Remove Sophos Endpoint by Recover Tamper Protection password

Recover Tamper Protection password is a very convenient little feature of Sophos that will save Tamper Protection passwords of deleted devices or we accidentally delete them.

Also note that Recover Tamper Protection password will only save passwords for 60 days from the date of deletion.

To perform the first step we need to remove PC01 from Sophos Central.

To delete login to Sophos Central with admin account> Device> select PC01> press Delete twice.

After deleting the device, the deleted device will be saved in the Recover Tamper Protection password.

Go to Logs & Reports > Report > Endpoint & Server Protection > Recover Tamper Protection passwords.

After entering we will see the PC01 device that we just deleted, to get back Tamper Protection for this device we click on View password details it will display we just need to copy this password.

Next, log on to PC01, double click on the Sophos icon on the clock side of the computer.

Sophos panel appears, click on Admin sign-in.

Enter the password you just copied into the box and click Admin sign-in.

After logging in, click on Settings> check Override Sophos Central Policy for up to 4 hours to troubleshoot> left click on the switch next to Tamper Protection to disable this feature.

Once turned off, go to Control Panel> Programs> Programs and Features> right click on Sophos Endpoint Agent> select Uninstall to uninstall.

Next select Uninstall to uninstall Sophos Endpoint Agent.

Wait about 5 minutes for the uninstallation to complete.

After successful uninstallation, click Close and the computer will automatically restart.

3.2 Uninstall using Safe Mode on Windows.

This uninstall method is only used when you accidentally erase the device on Sophos Central and it is no longer saved on the Recover Tamper Protection password because you have left it for more than 60 days from the date of deletion.

To do this you need to access Safe Mode on Windows.

I will do this on the DESKTOP-6C2AIT6 computer

You can perform into Safe Mode by Restart your computer and press F8 or Shift + F8.

There is also a way for you to enter Safe Mode as follows.

In the Windows search box, type System Configuration and turn it on.

Switch to the Boot tab in the Boot Option section, select Safe Mode Minimal and click OK to save and click Restart to boot into Safe mode.

This is the screen for Safe Mode.

Next in the Windows search box type services.msc and open it up.

Find the Sophos Anti-Virus service and select Properties.

Select Disable at Startup type and click OK

Next, we type in the search box regedit.exe and turn it on.

Go to the path HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Sophos MCS Agent and set the value of Start to 0x00000004

Next go to HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Sophos Endpoint Defense \ TamperProtection \ Config and set SAVEnabled and SEDEnabled to 0.

Next we need to set the value of Enable to 0 according to the following path:

32 bit : HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\TamperProtection

64 bit : HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection

Here we will configure the 64 bit path used by Windows 10 is 64 bit.

After the configuration is complete, Tamper Protection will be turned off after we restart the computer in normal mode.

For machines using the F8 or Shift + F8 key combination we just need to Restart the machine while for machines entering Safe Mode using System Configuration like techbast just above we will type System Configuration in the search box.

On the Boot tab, we will uncheck Safe Mode under Boot options.

Click OK and Restart to restart the computer.

After restarting the computer in normal mode we can remove Sophos Endpoint because Tamper Protection is disabled.

To uninstall go to Control Panel> Programs> Programs and Features> right click on Sophos Endpoint Agent> select Uninstall to uninstall.

Next select Uninstall to uninstall Sophos Endpoint Agent.

Wait about 5 minutes for the uninstallation to complete.

After successful uninstallation, click Close and the computer will automatically restart.

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.