If you are a Sophos Central administrator, you might (like me) have deleted a computer by mistake; things get messy really fast when you have to administer several hundred devices. You then quickly realize that tamper protection is still in place and that you are unable to uninstall Sophos Endpoint Protection from the computer (which, in our opinion, should have happened automatically when the computer was deleted anyway). So what can you do to get rid of Sophos? Below is a quick and dirty tutorial for disabling tamper protection so that you can uninstall Sophos Endpoint Protection or reinstall a new version.
- Boot the system into Safe Mode. This means you have to restart your device and, as soon as you see the start screen (for example the Windows logo), press the F8 key.
- Click Start > Run, type `regedit`, and then click OK.
- Go to the following location in the registry editor: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent` and set the REG_DWORD `Start` to 0x00000004.
- Go to the following location in the registry editor: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config` and set the REG_DWORD values `SAVEnabled` and `SEDEnabled` to 0.
- Go to the following location in the registry editor: `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection` and set the REG_DWORD `Enabled` to 0.
- Reboot the system into normal mode.
Enhanced Tamper Protection is now disabled and you should be able to access the system.
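
To confirm the values before and after the edit, or to audit a machine for tamper protection that has been switched off this way, a read-only PowerShell check like the following can be used. It is an added example, not part of the original tutorial and not a Sophos tool; it uses only the registry paths and value names listed in the steps above and changes nothing.

```powershell
# Added example: read-only report of the registry values named in the steps above.
# 'Expected' is the value the tutorial sets, i.e. the "tamper protection off" state.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent'
       Name = 'Start'; Expected = 4 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SAVEnabled'; Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
       Name = 'SEDEnabled'; Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection'
       Name = 'Enabled'; Expected = 0 }
)

$results = foreach ($c in $checks) {
    $actual = $null
    $state  = 'KeyMissing'          # key absent, e.g. Sophos not installed
    if (Test-Path -LiteralPath $c.Path) {
        $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $state = 'ValueMissing' # key exists but the DWORD does not
        } else {
            $actual = $item.($c.Name)
            $state  = if ($actual -eq $c.Expected) { 'MatchesTutorial' } else { 'Different' }
        }
    }
    [pscustomobject]@{
        Key      = $c.Path
        Value    = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        State    = $state
    }
}

$results | Format-List

# Summary line: all four values in the state the tutorial sets means tamper
# protection has been disabled through the registry on this machine.
$matching = @($results | Where-Object { $_.State -eq 'MatchesTutorial' }).Count
if ($matching -eq $checks.Count) {
    Write-Output 'All values match the tutorial: tamper protection is disabled via the registry.'
} else {
    Write-Output "$matching of $($checks.Count) values match the tutorial."
}
```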