Sometimes removing Sophos Endpoint Protection fails: for some reason Tamper Protection gets messed up and keeps telling you that the entered code is invalid, or the password is simply lost because the Sophos Central account was cancelled. This can help you get things going again:
Overview
This article describes how to recover a tamper protected system if the tamper protection password is lost and the client cannot receive a new policy with a known password.
The following sections are covered:
Applies to the following Sophos products and versions
Central Windows Endpoint
Sophos Endpoint Security and Control
How to recover a tamper protected system
Remember to do a backup of the registry before attempting these procedures.
Sophos Enterprise Console managed client
To recover a tamper protected system, you must disable Enhanced Tamper Protection, do the following:
- Boot the system into Safe Mode.
- Click Start > Run > type services.msc > right-click Sophos Anti-Virus service > Properties > set the Startup type to Disabled > then click OK.
- Click Start > Run > type regedit and then click OK.
- Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
- Set the following DWORD values to 0: SAVEnabled and SEDEnabled
- Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection
and set the REG_DWORD Enabled to 0.
- Reboot the system in normal mode.
Sophos Central managed client
From 20th January 2018 the Tamper Protection passwords can be retrieved for deleted endpoints/servers from within Sophos Central. To obtain this information:
- Log in to Sophos Central.
- Access Logs & Reports > Recover Tamper Protection passwords.
- Click on View details to expand the password(s) that has been set on the endpoint/server. The password at the top of the list is the most recent.
This password can be used to authenticate on the local endpoint/server, allowing access to the Settings and the option to disable Tamper Protection.
Note: The report displays endpoints/servers that have been deleted in the previous 60 days. At release, the earliest date from which deleted endpoints/servers are displayed is 09th December 2017.
If you do not have access to Sophos Central the following steps can be used.
To recover a tamper protected system, you must disable Enhanced Tamper Protection. Do the following:
- Boot the system into Safe Mode.
- Click Start > Run > type services.msc > right-click Sophos Anti-Virus service > Properties > set the Startup type to Disabled > then click OK.
- Click Start > Run > type regedit and then click OK.
- Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent
and set the REG_DWORD Start to 0x00000004.
- Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
and set the following REG_DWORD values SAVEnabled and SEDEnabled to 0.
- Go to the following location in the registry editor:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection
and set the REG_DWORD Enabled to 0.
- Reboot the system in normal mode.
Enhanced Tamper Protection is now disabled and you should now be able to access the system.
Registry keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\TamperProtection
Related information
- Sophos Endpoint Defense: Default configuration settings
- 0x00000082: The installation could not be started
- Sophos Endpoint Defense: Overview
- Sophos Endpoint Defense: FAQs on Enhanced Tamper Protection
- Sophos Endpoint Defense: Supported operating systems
- Sophos Endpoint Defense: How to enable Tamper Protection
- Sophos Endpoint Defense: How to disable Tamper Protection
- Sophos Endpoint Defense: Relevant files, folder, and registry entries
- Enhanced Tamper Protection not supported on systems with Sophos Update Manager
Source: https://community.sophos.com/kb/en-us/124377
The problem with this is it means individually touching each machine.
We recently faced a situation after a reorganisation where we had about 250 endpoints which had been part of a previous estate which was now closed, so we could not recover their tamper protection passwords to point them to our new estate using the --registeronly switch.
The Sophos documentation implies that we’d need to go into Safe Mode to fix each of them. This wasn’t possible with the manpower available.
We crafted a solution using an SCCM task sequence.
High level view: create a task sequence to:
1. Suspend BitLocker (if you're using it)
2. Reboot into Windows PE
3. Mount the installed OS registry in WinPE
4. Change the registry keys that would normally be changed in Safe Mode using Sophos' instructions and disable the MCS service (so it doesn't immediately TP itself again on restart)
5. Restart the computer in the regular OS
6. Run SophosSetup with --quiet --registeronly to get the machine onto the new estate
7. Re-enable MCS and restart again to get all the Sophos components working.
Steps 3-4 are handled by a script:
reg load HKLM\TEMPSYSTEM C:\Windows\System32\config\SYSTEM
reg load HKLM\TEMPSOFTWARE C:\Windows\System32\config\SOFTWARE
reg add "HKEY_LOCAL_MACHINE\TEMPSYSTEM\ControlSet001\Services\Sophos MCS Agent" /v Start /t REG_DWORD /d 0x00000004 /f
reg add "HKEY_LOCAL_MACHINE\TEMPSYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SAVEnabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\TEMPSYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Config" /v SEDEnabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\TEMPSOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection" /v Enabled /t REG_DWORD /d 0 /f
reg unload HKLM\TEMPSYSTEM
reg unload HKLM\TEMPSOFTWARE
Step 7 is a command line:
sc config "sophos mcs agent" start= auto
Great job – thanks for the procedure above 😉
Best regards
Martin
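As an added example (my own code, not from the Sophos KB article or from the SCCM post above): a read-only PowerShell audit of the registry values that both procedures touch, so an admin can confirm that tamper protection and the MCS Agent really are back on after a recovery and that no endpoint was left in the "disabled" state, plus a reg.exe export of those keys as the backup the KB asks for before anything is changed. It works against the live registry and against hives loaded offline in WinPE (the TEMPSYSTEM/TEMPSOFTWARE names from the SCCM script). Assumptions, which are mine and not stated on the page: all function and parameter names; that 1 is the "enabled" value for SAVEnabled, SEDEnabled and Enabled (the article only states that 0 disables them); and that Start=2 and Start=4 are the standard Windows Automatic and Disabled service start types.

```powershell
# Added example, not code from the Sophos KB or the SCCM post. Run elevated.
# Assumptions: 1 = enabled for SAVEnabled/SEDEnabled/Enabled (the KB only says 0 disables);
# Start=2 is the Windows "Automatic" start type, Start=4 is "Disabled" (what the
# recovery procedure sets on the MCS Agent).

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value is missing
    return [int]$item.$Name
}

function Resolve-ControlSetPath {
    # A live system has SYSTEM\CurrentControlSet. A hive loaded offline in WinPE
    # ("reg load HKLM\TEMPSYSTEM C:\Windows\System32\config\SYSTEM") has no such link;
    # SYSTEM\Select\Current holds the number of the ControlSetNNN the installed OS boots from.
    param([string]$SystemHiveRoot = 'HKLM:\SYSTEM')
    if (Test-Path "$SystemHiveRoot\CurrentControlSet") { return "$SystemHiveRoot\CurrentControlSet" }
    $current = Get-RegDword "$SystemHiveRoot\Select" 'Current'
    if ($null -eq $current) { throw "Cannot determine the active control set under $SystemHiveRoot" }
    return ('{0}\ControlSet{1:D3}' -f $SystemHiveRoot, $current)
}

function Get-SophosTamperProtectionKeys {
    # The three keys named in the KB article, resolved under the given hive roots.
    param([string]$SystemHiveRoot = 'HKLM:\SYSTEM', [string]$SoftwareHiveRoot = 'HKLM:\SOFTWARE')
    $cs = Resolve-ControlSetPath $SystemHiveRoot
    @{
        TPConfig = "$cs\Services\Sophos Endpoint Defense\TamperProtection\Config"
        MCSAgent = "$cs\Services\Sophos MCS Agent"
        SAVTP    = "$SoftwareHiveRoot\WOW6432Node\Sophos\SAVService\TamperProtection"
    }
}

function Get-SophosTamperProtectionState {
    param([string]$SystemHiveRoot = 'HKLM:\SYSTEM', [string]$SoftwareHiveRoot = 'HKLM:\SOFTWARE')
    $k   = Get-SophosTamperProtectionKeys $SystemHiveRoot $SoftwareHiveRoot
    $sav = Get-RegDword $k.TPConfig 'SAVEnabled'
    $sed = Get-RegDword $k.TPConfig 'SEDEnabled'
    $svc = Get-RegDword $k.SAVTP    'Enabled'
    $mcs = Get-RegDword $k.MCSAgent 'Start'
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SAVEnabled          = $sav
        SEDEnabled          = $sed
        SAVServiceTPEnabled = $svc
        McsAgentStart       = $mcs
        # Everything the recovery procedure turns off must be back on, and the MCS Agent
        # must not still sit at Start=4, or the endpoint runs unprotected and unmanaged
        # without anyone noticing. A missing SAVEnabled/SEDEnabled/Enabled counts as
        # unhealthy; a missing MCS Agent key (no Central agent installed) is tolerated.
        Healthy = ($sav -eq 1 -and $sed -eq 1 -and $svc -eq 1 -and $mcs -ne 4)
    }
}

function Backup-SophosTamperProtectionKeys {
    # Exports each key to a timestamped .reg file; restore with "reg import <file>".
    param([string]$Folder = (Join-Path $env:SystemDrive 'SophosTPBackup'),
          [string]$SystemHiveRoot = 'HKLM:\SYSTEM', [string]$SoftwareHiveRoot = 'HKLM:\SOFTWARE')
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $keys  = Get-SophosTamperProtectionKeys $SystemHiveRoot $SoftwareHiveRoot
    foreach ($name in $keys.Keys) {
        $regPath = $keys[$name] -replace '^HKLM:\\', 'HKLM\'   # reg.exe syntax has no colon
        $file    = Join-Path $Folder "$name-$stamp.reg"
        & reg.exe export $regPath $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Export of $regPath failed (key may not exist)" }
    }
    return $Folder
}

# Usage on a live system (run before and after a recovery):
Backup-SophosTamperProtectionKeys | Out-Null
Get-SophosTamperProtectionState | Format-List

# Usage against hives loaded offline in WinPE, as in the SCCM script:
# Get-SophosTamperProtectionState -SystemHiveRoot 'HKLM:\TEMPSYSTEM' -SoftwareHiveRoot 'HKLM:\TEMPSOFTWARE'
```

Two practical points. First, the SCCM script writes to ControlSet001 by name; that is normally the control set a machine boots from, but not always, which is why the audit reads SYSTEM\Select\Current for an offline hive instead of assuming it. Second, an endpoint whose Healthy field stays False after step 7 (MCS Agent still at Start=4, or any of the three Enabled values still 0) is the one to chase, since it has been left with tamper protection off and nothing on the box will complain about it.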