Removing Sophos using Microsoft Intune


Replacing a third-party AV solution such as Sophos with Microsoft Defender for Endpoint on Windows endpoints can be a harrowing experience. Knowing the ins and outs of the process makes it a little easier. I recently dealt with the removal of Sophos AV as part of a Defender for Endpoint implementation project and thought I would write a blog post on it. Hope it helps.

Let's look at the key prerequisites first -

1. Ensure that the devices are checking into Sophos Central and are healthy.
2. Turn off Tamper Protection on the endpoints.

Like other third-party AV products on the market, Sophos does support removal by running the relevant product uninstallers. In my experience, however, that is hit or miss, so I resorted to the SophosZap utility, which gave me consistent results.

It is important to use the latest SophosZap release, so always check the official Sophos website before packaging it. The SophosZap utility is downloaded from there.

The Setup

I created two Win32 payloads to address the requirements. Here is what I did -

Sophos Zap Copy & Initiate

This payload will do the following -

1. Create the folder C:\Programdata\Intune\Sophos and copy the SophosZap.exe utility into it.
2. Run SophosZap.exe, which first stops and disables the Sophos services. As a result the device requires a reboot.
3. Prompt the user to let them know that a mandatory reboot is about to take place.

Scripts -

Copy.cmd

powershell.exe -executionpolicy bypass -command "& '.\Copy.ps1' 1"

Copy.ps1

# Working directory is the Intune staging folder that contains Copy.ps1 and SophosZap.exe
$SophosUninstallDir = "C:\Programdata\Intune\Sophos"
if(!(Test-Path $SophosUninstallDir)){
    New-Item -Path $SophosUninstallDir -ItemType Directory -Force | Out-Null
}
# Copy files from working dir into new dir so the second payload can run SophosZap after the reboot
Copy-Item -Path .\* -Recurse -Destination $SophosUninstallDir -Force
# First pass: stops and disables the Sophos services (--confirm is required by SophosZap)
& .\SophosZap.exe --confirm
# Warn the user and schedule the restart
Shutdown.exe /r /t 300 /c "The device will restart in 5 minutes to configure important updates. Please save your work."
# Hold the install until just before the restart so the dependent payload does not start early
Start-Sleep -Seconds 299

Note: I have added a delay between the execution of the two payloads so that the second payload (Sophos Endpoint Agent Removal) does not kick in immediately, before the reboot, and fail.
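Since this payload executes a binary that was bundled into the .intunewin package, an added example (not the post's own Copy.ps1) shows the same three steps with an Authenticode check on SophosZap.exe before it runs, a transcript log under the staging folder for troubleshooting, and an explicit exit code so Intune records a failed install rather than a silent no-op. The publisher substring in $ExpectedSigner, the log file name and the assumption that Intune runs the script as SYSTEM from the package staging folder are mine, not from the post; confirm the signer on the copy you downloaded with Get-AuthenticodeSignature.

```powershell
# Added example, not the post's own Copy.ps1: a hardened variant of the first payload.
# Assumptions (not from the post): Intune runs this as SYSTEM from the package staging
# folder, and $ExpectedSigner is a placeholder for the publisher name on the Authenticode
# signature of the SophosZap.exe you downloaded (check it with Get-AuthenticodeSignature).
$SophosUninstallDir = 'C:\ProgramData\Intune\Sophos'
$LogFile            = Join-Path $SophosUninstallDir 'SophosZap-Copy.log'
$ExpectedSigner     = 'Sophos'    # placeholder publisher substring, assumption
$exitCode           = 1           # anything other than 0 is reported by Intune as a failed install

if (-not (Test-Path $SophosUninstallDir)) {
    New-Item -Path $SophosUninstallDir -ItemType Directory -Force | Out-Null
}
Start-Transcript -Path $LogFile -Append | Out-Null
try {
    # Refuse to execute a binary that is unsigned, tampered with, or signed by someone else.
    $sig     = Get-AuthenticodeSignature -FilePath '.\SophosZap.exe'
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $subject -notlike "*$ExpectedSigner*") {
        Write-Output "SophosZap.exe rejected: status=$($sig.Status) signer=$subject"
    }
    else {
        # Stage the package so the second payload can run SophosZap from here after the reboot.
        Copy-Item -Path .\* -Recurse -Destination $SophosUninstallDir -Force

        # First pass: stops and disables the Sophos services. --confirm is required by SophosZap.
        & .\SophosZap.exe --confirm
        Write-Output "SophosZap first pass exit code: $LASTEXITCODE"

        # Warn the user and schedule the restart, then hold the install for about the same
        # period so the dependent removal payload cannot start before the reboot.
        Shutdown.exe /r /t 300 /c 'The device will restart in 5 minutes to configure important updates. Please save your work.'
        Start-Sleep -Seconds 299
        $exitCode = 0
    }
}
finally {
    Stop-Transcript | Out-Null
}
exit $exitCode
```

The signature check is the part worth keeping even if you drop the logging: a Win32 package is copied to every targeted device and executed as SYSTEM, so a swapped or corrupted SophosZap.exe in the package would run with full privileges everywhere the app is assigned.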

Folder Structure -


I used IntuneWinAppUtil.exe to wrap the Copy.cmd file and imported the package into Intune with the following values -




Sophos Endpoint Agent Removal

This payload will do the following -

1. Run the SophosZap.exe utility again, this time from C:\Programdata\Intune\Sophos, to finish the removal process after the reboot.

Scripts -

Uninstall.cmd

powershell.exe -executionpolicy bypass -command "& '.\uninstall.ps1' 1"

Uninstall.ps1

$SophosUninstallDir = "C:\Programdata\Intune\Sophos"
# Run from the staged copy rather than the Intune staging folder, since this executes after the reboot
Push-Location $SophosUninstallDir
# Second pass: completes the removal now that the Sophos services have been stopped and disabled
& .\SophosZap.exe --confirm
Pop-Location

Folder Structure -


Just like the first payload, I used IntuneWinAppUtil.exe to wrap the Uninstall.cmd file and imported the package into Intune with the following values -





Important: Make a note of the detection logic below.


The first payload (Sophos Zap Copy & Initiate) is added as a dependency.


The last step is to assign the Sophos Endpoint Agent Removal payload, which in turn triggers evaluation of its dependency, Sophos Zap Copy & Initiate.
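The detection logic for the removal app is the piece that decides whether Intune reports success, and it has to express "Sophos is gone" rather than "something was installed". As an added example (not the post's own detection rule, which was a screenshot), here is a custom detection script that checks for leftover Sophos services and a registry key. The registry path is a placeholder I chose, not one from the post; confirm the real Sophos Endpoint Agent key on a device that still has Sophos installed before using it.

```powershell
# Added example, not the post's own detection logic: a custom detection script for the
# "Sophos Endpoint Agent Removal" Win32 app. Intune marks the app as detected only when the
# script exits 0 and writes something to STDOUT; exit 0 with no output, or a non-zero exit,
# means "not detected".
# Assumptions (not from the post): $SophosRegistryKey is a placeholder for the Sophos Endpoint
# Agent key the comments mention; confirm the real path on a device that still has Sophos.
$SophosRegistryKey = 'HKLM:\SOFTWARE\Sophos'   # placeholder, assumption
$remaining = @()

# Registry footprint
if (Test-Path $SophosRegistryKey) {
    $remaining += "registry key $SophosRegistryKey"
}

# Service footprint: any service whose display name still starts with "Sophos"
$services = Get-Service -DisplayName 'Sophos*' -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    $remaining += "service $($svc.Name) [$($svc.Status)]"
}

if ($remaining.Count -gt 0) {
    # Write the leftovers to STDERR for the IME log, nothing to STDOUT, and exit non-zero:
    # Intune reports the app as not detected and re-evaluates it at a later check-in.
    # This is the state a device is in while SophosZap has not yet finished on it.
    $remaining | ForEach-Object { [Console]::Error.WriteLine($_) }
    exit 1
}

# All clear: output plus exit 0 is what Intune needs to mark the removal as detected
Write-Output 'No Sophos registry key or services found; removal complete.'
exit 0
```

Checking services as well as the registry key matters because a half-finished run can leave the key deleted while a disabled service is still registered, or the reverse; either leftover should keep the app in the not-detected state until the second SophosZap pass has actually completed.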

End User Experience

From an end-user perspective, the only thing they really see is the reboot prompt before the device restarts.


Once execution completes, Sophos AV and its dependent services are removed.

Final thoughts

The most important step is the one involving devices checking into Sophos Central. Tamper Protection is turned off from Sophos Central, and SophosZap cannot remove a tamper-protected install, so if the devices are checking in regularly and are healthy enough to be targeted for turning off Tamper Protection, everything else should just work. It is highly recommended to onboard the devices to MDE first, before Sophos AV is removed, so the endpoints are never left without protection.

Comments

  1. I have followed the steps here. But the Sophos Endpoint Agent Removal app shows as failed for all new devices I add to it. It has passed for about half of my devices added to it so far but all new devices fail. The error I see in Intune says: "The application was not detected after installation completed successfully (0x87D1041C)"

    Some devices that were showing that error have installed successfully over the past few days but others still fail. What is causing my failures?

    1. Can you check for the presence of the registry key? Is it possible that the new devices are coming installed with a different version of the product?

  2. Thanks for the reply. All devices are imaged from a single image before we ship them out, so the Sophos version is the same.

    The strange part is that a device will show as failed initially and then over time it may change to successful. But it may take days for the device to successfully uninstall Sophos.

    Yes, on a device that shows as failed, I can see the Sophos Endpoint Agent registry key in the registry.

  3. Then this could be a case of a race condition. The compliance against the detection is dependent on the script execution on the device. If the uninstallation has not taken place in a timely manner then conditions against the detection may not satisfy immediately. You can try setting this up differently like instead of using a Win32 app, you push a PS script.
