had an issue on a remote pc that had sophos installed but device was deleted in sophos central (and more than 90 days). Needed to uninstall sophos but first need to remove tamper protection we use screenconnect (connectwise control) to remote control the pcs. You should be able to use any remote control software that is installed on the pc need to make screenconnect work in safemode HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client create name=default type=reg_sz data=service https://superuser.com/questions/1511251/how-to-make-a-service-start-automatically-in-safe-modewindows-7-10 once that is done Open cmd prompt with administrator rights To Start Windows 10 in Safe Mode with Networking bcdedit /set {current} safeboot network shutdown -r -t 1 to restart after restart it should be safemode with networking and you can do the sophos items listed below to remove tamper protection once done with everything. you need to get back into normal mode Open cmd prompt with administrator rights To Start Windows 10 in Normal Mode bcdedit /deletevalue {current} safeboot shutdown -r -t 1 after rebooting it should be in normal mode then you should be able to uninstall sophos now https://support.sophos.com/support/s/article/KB-000036125?language=en_US Open Command Prompt . Type C: and press Enter . Note : Your Boot drive may differ from C. If so, use a command such as DiskPart and list volume to show the available volumes. Type cd Windows\System32\drivers and press Enter . Type ren SophosED.sys SophosED.sys.old and press Enter . Type exit and press Enter . Click Continue . Once back in Windows, open Registry Editor . Back up the registry. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the Value data of Start to 0x00000004 Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVService and set the Value data of Start to 0x00000004 Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service and set the Value data of Start to 0x00000004 Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services and under every subkey in this location set the Value data of Protected to 0 . Example: Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services\SAVService and set the Value data of Protected to 0 . Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data of SAVEnabled and SEDEnabled to 0 . Set the Value data of Enabled to 0 in the following: 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\TamperProtection 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection Restart the endpoint or server to turn off tamper protection completely.

how to recover a remote site tamper protected system

had an issue on a remote pc that had sophos installed but device was deleted in sophos central (and more than 90 days). Needed to uninstall sophos but first need to remove tamper protection

we use screenconnect (connectwise control) to remote control the pcs. You should be able to use any remote control software that is installed on the pc

need to make screenconnect work in safemode

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client create name=default type=reg_sz data=service

https://superuser.com/questions/1511251/how-to-make-a-service-start-automatically-in-safe-modewindows-7-10

once that is done

Open cmd prompt with administrator rights

To Start Windows 10 in Safe Mode with Networking

bcdedit /set {current} safeboot network

shutdown -r -t 1 to restart

after restart it should be safemode with networking and you can do the sophos items listed below to remove tamper protection

once done with everything. you need to get back into normal mode

Open cmd prompt with administrator rights

To Start Windows 10 in Normal Mode

bcdedit /deletevalue {current} safeboot

shutdown -r -t 1

after rebooting it should be in normal mode then you should be able to uninstall sophos now

https://support.sophos.com/support/s/article/KB-000036125?language=en_US

Open Command Prompt.
Type C: and press Enter.
- Note: Your Boot drive may differ from C. If so, use a command such as DiskPart and list volume to show the available volumes.
Type cd Windows\System32\drivers and press Enter.
Type ren SophosED.sys SophosED.sys.old and press Enter.
Type exit and press Enter.
Click Continue.
Once back in Windows, open Registry Editor.
Back up the registry.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent and set the Value data of Start to 0x00000004
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVService and set the Value data of Start to 0x00000004
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service and set the Value data of Start to 0x00000004
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services and under every subkey in this location set the Value data of Protected to 0.
- Example:
  - Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services\SAVService and set the Value data of Protected to 0.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config and set the Value data of SAVEnabled and SEDEnabled to 0.
Set the Value data of Enabled to 0 in the following:
- 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\TamperProtection
- 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection
Restart the endpoint or server to turn off tamper protection completely.