1. Purpose of the article
This article shows how to deploy a Sophos Endpoint uninstall with Group Policy. This method is often used to uninstall the software from multiple computers at the same time without affecting the user.
2. Network diagram, configuration scenario and steps to be taken
2.1 Network diagram
The network map has the following components:
- The Sophos XG device connects to the internet via the static IP 113.171.48.21.
- The Sophos XG device is the DHCP server for the network 172.16.16.0/24, and its LAN port IP address is 172.16.16.16/24.
- Behind the Sophos XG device are a domain controller named dc01.testlab.vn with IP 172.16.16.100/24 and a domain-joined PC named Client1.testlab.vn with IP 172.16.16.101/24. The PC is currently logged in with the domain account michael in the IT OU and has Sophos Endpoint installed.
2.2 Scenario
We will perform the configuration to remove the Sophos Endpoint software on the Client01 machine by creating a Group Policy on the Windows Server DC01 machine and applying that policy to the Client01 machine.
2.3 What to do?
- Create a share folder on Windows Server.
- Prepare scripts to remove Sophos Endpoint.
- Create group policy.
3. Configuration
3.1 Create a share folder on Windows Server
The first step is to create a shared folder to hold the script file used to remove Sophos Endpoint, so that workstations can access and execute it.
Here we will create a folder called Share on drive C of the Windows Server machine.
Next we share this folder: right-click the folder > select Properties > Sharing > Advanced Sharing… > check Share this folder > Permissions > check Allow for Full Control, then click OK to close the dialogs.
3.2 Prepare scripts to remove Sophos Endpoint
We need to prepare a script that uninstalls Sophos Endpoint silently, without affecting the user.
Create a text file named SophosUninstall, open it, copy the following script into it and save it in the Share folder.
net stop "SAVService"
net stop "Sophos AutoUpdate Service"
"C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallcli.exe"
REM Sophos AutoUpdate XG Endpoint (6.0.457.0) Server (6.0.457.0)
MsiExec.exe /qn /X{72E136F7-3751-422E-AC7A-1B2E46391909} REBOOT=ReallySuppress
MsiExec.exe /qn /X{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} REBOOT=ReallySuppress
MsiExec.exe /qn /X{BCF53039-A7FC-4C79-A3E3-437AE28FD918} REBOOT=ReallySuppress
MsiExec.exe /qn /X{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520} REBOOT=ReallySuppress
MsiExec.exe /qn /X{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} REBOOT=ReallySuppress
MsiExec.exe /qn /X{E82DD0A8-0E5C-4D72-8DDE-41BB0FC06B3E} REBOOT=ReallySuppress
REM Sophos Anti-Virus Endpoint 10.8.3.441
MsiExec.exe /qn /X{85F78DA7-8E8E-49C9-969F-A62D2B43C046} REBOOT=ReallySuppress
MsiExec.exe /qn /X{8123193C-9000-4EEB-B28A-E74E779759FA} REBOOT=ReallySuppress
MsiExec.exe /qn /X{36333618-1CE1-4EF2-8FFD-7F17394891CE} REBOOT=ReallySuppress
MsiExec.exe /qn /X{DFDA2077-95D0-4C5F-ACE7-41DA16639255} REBOOT=ReallySuppress
MsiExec.exe /qn /X{CA3CE456-B2D9-4812-8C69-17D6980432EF} REBOOT=ReallySuppress
MsiExec.exe /qn /X{CA524364-D9C5-4804-92DE-2800BDAC1AA4} REBOOT=ReallySuppress
MsiExec.exe /qn /X{3B998572-90A5-4D61-9022-00B288DD755D} REBOOT=ReallySuppress
MsiExec.exe /qn /X{4BAF6F55-FFE4-4A3A-8367-CC2EBB0F11C3} REBOOT=ReallySuppress
MsiExec.exe /qn /X{BA8752FE-75E5-43DD-9913-23509EFEB409} REBOOT=ReallySuppress
REM Sophos Anti-Virus Server 10.8.4.227
MsiExec.exe /qn /X{01423865-551B-4C59-B44A-CC604BC21AF3} REBOOT=ReallySuppress
MsiExec.exe /qn /X{72E30858-FC95-4C87-A697-670081EBF065} REBOOT=ReallySuppress
MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress
MsiExec.exe /qn /X{2519A41E-5D7C-429B-B2DB-1E943927CB3D} REBOOT=ReallySuppress
MsiExec.exe /qn /X{6654537D-935E-41C0-A18A-C55C2BF77B7E} REBOOT=ReallySuppress
REM Sophos System Protection
MsiExec.exe /qn /X{934BEF80-B9D1-4A86-8B42-D8A6716A8D27} REBOOT=ReallySuppress
MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress
REM Sophos Network Threat Protection Endpoint (1.8.1555) Server (1.8.1555)
MsiExec.exe /qn /X{604350BF-BE9A-4F79-B0EB-B1C22D889E2D} REBOOT=ReallySuppress
REM Sophos Health Endpoint (2.1.0.33) Server (2.0.6.828)
MsiExec.exe /qn /X{80D18B7B-8DF1-4BCA-901F-BEC86BAE2774} REBOOT=ReallySuppress
MsiExec.exe /qn /X{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E} REBOOT=ReallySuppress
MsiExec.exe /qn /X{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44} REBOOT=ReallySuppress
MsiExec.exe /qn /X{E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745} REBOOT=ReallySuppress
REM Sophos Diagnostic Utility Endpoint (1.24.0.2) Server (1.24.0.2)
MsiExec.exe /qn /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} REBOOT=ReallySuppress
REM Heartbeat
MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} REBOOT=ReallySuppress
REM Sophos Management Communications System Endpoint (4.10.423.0) Server (4.10.423.0)
MsiExec.exe /qn /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} REBOOT=ReallySuppress
MsiExec.exe /qn /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REBOOT=ReallySuppress
MsiExec.exe /qn /X{D875F30C-B469-4998-9A08-FE145DD5DC1A} REBOOT=ReallySuppress
MsiExec.exe /qn /X{2C14E1A2-C4EB-466E-8374-81286D723D3A} REBOOT=ReallySuppress
"C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\Uninstall.exe" /uninstall /quiet
REM Sophos Endpoint UI Endpoint (1.7.452.0) Server (1.7.452.0)
MsiExec.exe /qn /X{D29542AE-287C-42E4-AB28-3858E13C1A3E} REBOOT=ReallySuppress
REM Sophos Endpoint Firewall Endpoint (1.1.0.0) Server (1.1.0.0)
MsiExec.exe /qn /X{2831282D-8519-4910-B339-2302840ABEF3} REBOOT=ReallySuppress
REM Sophos Endpoint Self Help Endpoint (2.2.17.0) Server (2.2.17.0)
MsiExec.exe /qn /X{B9C2F07D-1137-4E3D-B22B-05144293EF42} REBOOT=ReallySuppress
MsiExec.exe /qn /X{4EFCDD15-24A2-4D89-84A4-857D1BF68FA8} REBOOT=ReallySuppress
MsiExec.exe /qn /X{BB36D9C2-6AE5-4AB2-BC91-ECD247092BD8} REBOOT=ReallySuppress
REM Sophos Lockdown 7.1.2
MsiExec.exe /qn /X{77F92E90-ED4F-4CFF-8F60-3E3E4AEB705C} REBOOT=ReallySuppress
REM Sophos Exploit Prevention Endpoint (3.7.14.40) Server (3.7.14.40)
"C:\Program Files (x86)\HitmanPro.Alert\Uninstall.exe" --quiet
REM Sophos File Scanner Endpoint (1.5.15.0) Server (1.5.15.0)
"C:\Program Files\Sophos\Sophos File Scanner\Uninstall.exe"
REM Sophos Standalone Engine Endpoint (1.2.24) Server (1.2.24)
"C:\Program Files\Sophos\Sophos Standalone Engine\Uninstall.exe"
REM Sophos ML Engine Endpoint (1.2.16) Server (1.1.149)
"C:\Program Files\Sophos\Sophos ML Engine\Uninstall.exe"
REM Sophos Endpoint Agent Endpoint (2.4.1) Server (2.2.7)
"C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallgui.exe"
REM Sophos Clean Endpoint (3.8.6.1) Server (3.8.6.1)
"C:\Program Files (x86)\Sophos\Clean\uninstall.exe"
REM Sophos Endpoint Defense Endpoint (2.1.3.26) Server (2.1.3.44)
"C:\Program Files\Sophos\Endpoint Defense\uninstall.exe"
REM HitmanPro.Alert 3 (managed by Sophos) Endpoint (3.7.14.40) Server (3.7.14.40)
"C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /uninstall /quiet
REM HMPA 1.0.0.699
"C:\Program Files (x86)\HitmanPro.Alert\uninstall.exe" --quiet
REM HMPA 3.7.14.265
"C:\Program Files\HitmanPro\HitmanPro.exe" /uninstall /quiet
REM Sophos File Integrity Monitoring Server (1.0.1.11)
MsiExec.exe /qn /X{425063CE-9566-43B8-AC61-F8D182828634} REBOOT=ReallySuppress
REM Sophos Managed Detection and Response Endpoint (1.0.1.44)
"C:\Program Files\Sophos\Managed Detection and Response\SophosMDRUninstall.exe"
After you create the SophosUninstall text file, it has a .txt extension.
To convert it to a .bat file, right-click the file > select Rename and change the file extension from .txt to .bat.
Note: if you choose Rename but the file extension does not appear for editing, do the following.
In the Share folder window, select the View tab in the toolbar and check the File name extensions box.
3.3 Create Group Policy
Before creating the policy, note that it applies only to devices, not to users, so we need to move the Client1 computer object into the IT OU, where we will apply the policy.
To move the device, open Server Manager > select Tools > Active Directory Users and Computers. The Active Directory Users and Computers window appears.
Look at the Computers section; this is where devices that have joined the domain are placed.
To move these devices to the desired OU, drag and drop them into that OU. In this article I will move the device to the IT OU.
To create a group policy we need to open Group Policy Management.
To open it, type Administrative in the Windows search box > select Windows Administrative Tools > select Group Policy Management.
Next go to Group Policy Management> Forest: testlab.vn> Domains> testlab.vn.
Here we will create a policy for the IT OU: right-click the IT OU and select Create a GPO in this domain, and Link it here…
Name the policy SophosUninstall and click OK.
After the SophosUninstall policy is created, right-click on it and choose Edit.
The Group Policy Management panel appears. Navigate to SophosUninstall [DC01.TESTLAB.VN] > Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) and double-click Startup in the right panel.
The Startup Properties panel appears. Click Show Files to open the Startup folder, from which the scripts will be executed, and copy the prepared SophosUninstall.bat script file into this folder.
Go back to the Startup Properties panel, select Add > select SophosUninstall.bat and click OK to save.
Back in the Group Policy Management panel, right-click on the IT OU where the SophosUninstall policy is located and select Group Policy Update.
The Force Group Policy Update panel appears, click Yes to update the policy for the device and wait 3 seconds to complete.
When finished click Close to close the window.
Next, on the Client1 machine, type cmd in the Windows search bar to open the Command Prompt.
Type the command gpupdate /force and press Enter, wait about 3 seconds for it to complete, then restart the computer so that the startup script runs and uninstalls Sophos.
Wait 10-15 to finish uninstalling Sophos Endpoint.
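The MsiExec /X lines in the script only remove products whose product codes match exactly, so a client running a different component version can be left partly installed. The following check is an added example, not part of the original article or any Sophos tooling: run on the client after the restart, it lists any Sophos or HitmanPro entries still registered and shows whether each one's product code appears in the script. The UNC path is an assumption based on the share created in section 3.1.

```powershell
# Added example: verify the result of SophosUninstall.bat on a client.
# Assumption: the batch file is reachable at this UNC path (folder "Share" on dc01).
param(
    [string]$ScriptPath = '\\dc01.testlab.vn\Share\SophosUninstall.bat'
)

# Collect every {GUID} product code that follows /X in the batch file.
$guidPattern = '/X(\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
$scriptCodes = Select-String -Path $ScriptPath -Pattern $guidPattern -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { $_.Groups[1].Value.ToUpper() } |
    Sort-Object -Unique

# Installed products are registered under the 64-bit and 32-bit Uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$remaining = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Sophos|HitmanPro' }

# For MSI products the registry key name is the product code.
# InScript = False means either a component removed by one of the .exe
# uninstallers, or an MSI version whose product code the script does not list.
$report = foreach ($p in $remaining) {
    $code = $p.PSChildName.ToUpper()
    [pscustomobject]@{
        DisplayName    = $p.DisplayName
        DisplayVersion = $p.DisplayVersion
        KeyName        = $p.PSChildName
        InScript       = [bool]($scriptCodes -contains $code)
    }
}

# The two services the script stops first; neither should exist after removal.
$names = 'SAVService', 'Sophos AutoUpdate Service'
$services = Get-Service |
    Where-Object { $names -contains $_.Name -or $names -contains $_.DisplayName }

if ($report) { $report | Sort-Object DisplayName | Format-Table -AutoSize }
else { 'No Sophos or HitmanPro entries remain in the Uninstall registry keys.' }
if ($services) { $services | Format-Table Name, DisplayName, Status -AutoSize }
else { 'Neither Sophos service from the script is present.' }
```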