Removing Sophos using Microsoft Intune


Replacing a third party AV solution like Sophos with Microsoft Defender for Endpoint on Windows endpoints can be a harrowing experience. However, if you know the ins & outs of the process, then it can make things a little easier. I recently dealt with the task of removal of Sophos AV as part of an implementation project for Defender for Endpoint and thought of writing a blog post on it. Hope it helps.

Let's look at some of the key steps first

1. Ensure that the devices are checking into Sophos Central and are healthy.
2. Turn off Tamper Protection on the endpoints.

Just like other third party AV products in the market, Sophos does support removal of their products by running the relevant product uninstallers, however, in my experience this is a hit or miss and therefore, I resorted to using Sophoszap utility which gave me consistent results.

It is important to note that you should use the latest Sophoszap utility, so always check the Sophos official vendor's website for latest release. You can download the Sophoszap utility from here.

The Setup

I created two Win32 payloads to address the requirements. Here is what I did -

Sophos Zap Copy & Initiate

This payload will do the following -

1. Create a folder at C:\Programdata\Intune\Sophos and copy the Sophoszap.exe utility in it.
2. Initiate the Sophoszap.exe utility to initiate the process which will first stop & disable the Sophos services. As a result the device will require a reboot.
3. Prompt the user letting them know that a mandatory reboot will be taking place.

Scripts -

Copy.cmd

powershell.exe -executionpolicy bypass -command "& '.\Copy.ps1' 1"

Copy.ps1

$SophosUninstallDir = "C:\Programdata\Intune\Sophos"
if(!(Test-Path $SophosUninstallDir)){
New-Item -Path $SophosUninstallDir -ItemType Directory -Force
}
#Copy files from working dir into new dir
Copy-Item -Path .\* -Recurse -Destination $SophosUninstallDir -Force
& .\SophosZap.exe --confirm
Shutdown.exe /r /t 300 /c "The device will restart in 5 minutes to configure important updates. Please save your work."
ping 127.0.0.1 -n 299

Note: I have added a delay between the execution of the two payloads to ensure the 2nd payload (Sophos Endpoint Agent Removal) does not kick in  immediately and result in any failures.

Folder Structure -


Used the IntuneWinAppUtil.exe to wrap the Copy.cmd file and imported it in Intune with the following values -




Sophos Endpoint Agent Removal

This payload will do the following -

1. Run the Sophoszap.exe utility from C:\Programdata\Intune\Sophos again and finish the removal process post reboot.

Scripts -

Uninstall.cmd

powershell.exe -executionpolicy bypass -command "& '.\uninstall.ps1' 1"

Uninstall.ps1

$SophosUninstallDir = "C:\Programdata\Intune\Sophos"
Push-Location $SophosUninstallDir
& .\SophosZap.exe --confirm

Folder Structure -


Just like the first payload, used the IntuneWinAppUtil.exe to wrap the Uninstall.cmd file and imported it in Intune with the following values -





Important: Make a note of the detection logic below. 


First payload is added as a dependency.


The last step is to assign the Sophos Endpoint Agent Removal payload which will then in turn check for the evaluation of the dependency Sophos Zap Copy & Initiate.

End User Experience

From an end user perspective, they will only really see the prompt for a reboot before the device is actually rebooted.


Once the execution is complete, Sophos AV and its dependent services will get removed. 

Final thoughts

The most important step is the one involving devices checking into Sophos Central. If they are checking in regularly and are healthy to be targeted for turning off tamper protection, then everything else should just work. It is highly recommended to onboard the devices on MDE first before Sophos AV is removed to maintain security on the endpoints.

Comments

  1. I have followed the steps here. But the Sophos Endpoint Agent Removal app shows as failed for all new devices I add to it. It has passed for about half of my devices added to it so far but all new devices fail. The error I see in Intune says: "The application was not detected after installation completed successfully (0x87D1041C)"

    Some devices that were showing that error have installed successfully over the past few days but others still fail. What is causing my failures?

    ReplyDelete
    Replies
    1. Can you check for the presence of the registry key? Is it possible that the new devices are coming installed with a different version of the product?

      Delete
  2. Thanks for the reply. All devices are imaged from a single image before we ship them out, so the Sophos version is the same.

    The strange part is that a device will show as failed initially and then over time it may change to successful. But it may take days for the device to successfully uninstall Sophos.

    Yes, on a device that shows as failed, I can see the Sophos Endpoint Agent registry key in the registry.

    ReplyDelete
  3. Then this could be a case of a race condition. The compliance against the detection is dependent on the script execution on the device. If the uninstallation has not taken place in a timely manner then conditions against the detection may not satisfy immediately. You can try setting this up differently like instead of using a Win32 app, you push a PS script.

    ReplyDelete
  4. After scouring the internet for a solution and trying and failing many other solutions, yours is the only one to work! Thank you so much for this writeup.

    ReplyDelete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Intune: Configure Printers for Non-Administrative Users

Prevent users from running certain programs or applications on Windows endpoints using Intune