In some cases, you lose tamper protection and cannot restore tamper protection on Sophos central. We need to remove the endpoint by changing the Registry.
This article guides you to change the registry on Windows 10, Windows server 2016, 2019.
Apply to Endpoint with Core Agent version 2.20.13 or higher
2 Steps to config
Access Settings > Update & Security > Recovery under Advanced start-up Click Restart now.
Select Trouble Shoot
Select Advanced Options
Select Command Prompt
Log in with your local account
Execute the following command:
- Type C: and Click Enter.( Your Boot drive may differ from C. If so, use Diskpart > list volume to show list volumes)
- Type cd Windows\System32\drivers and Click Enter.
- Type ren SophosED.sys SophosED.sys.old and Click Enter.
- Type exit and Click Enter
Select Continue and Restart the computer
2.2 Edit registry
Open Registry Editor and make the following edits. (Before editing, you need to export a backup file in case something goes wrong)
Access HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent. And edit Start value to 4.
Access HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service. And edit Start value to 4.
Access HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services. Then at each subsection in that directory, we set Protected to 0.
Continue until all subsections in that have value Protected by 0.
Access HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config. And edit SEDEnabled value to 0.
Then restart the computer. If the Sophos endpoint icon does not appear in the bottom corner of the screen anymore, we have done it successfully. Proceed to uninstall the application.
In case the following error still occurs.
Go to Registry Editor. At HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service we set Start to 2.
Then reboot the machine and uninstall
So we have successfully uninstalled Sophos Endpoint using the Registry.
Leave a Reply