Removing Sophos using Microsoft Intune

Replacing a third-party AV solution like Sophos with Microsoft Defender for Endpoint on Windows endpoints can be a harrowing experience. Knowing the ins and outs of the process makes it a little easier. I recently handled the removal of Sophos AV as part of a Defender for Endpoint implementation project and thought it was worth writing up. Hope it helps.

Let's look at the key steps first:

1. Ensure that the devices are checking in to Sophos Central and are healthy.
2. Turn off Tamper Protection on the endpoints (this is managed from Sophos Central; SophosZap will not run while it is on).

Like other third-party AV products, Sophos supports removal by running the relevant product uninstallers. In my experience, however, this is hit or miss, so I resorted to the SophosZap utility, which gave me consistent results.

Always use the latest SophosZap release, so check Sophos's official website for the current version before you start. You can download the SophosZap utility from here.

The Setup

I created two Win32 app payloads to address the requirements. Here is what I did -

Sophos Zap Copy & Initiate

This payload will do the following -

1. Create a folder at C:\Programdata\Intune\Sophos and copy the SophosZap.exe utility into it.
2. Run SophosZap.exe, which first stops and disables the Sophos services. As a result the device will require a reboot.
3. Prompt the user to let them know that a mandatory reboot will be taking place.

Scripts -

Copy.cmd (the wrapped launcher; it calls the script below):

powershell.exe -executionpolicy bypass -command "& '.\Copy.ps1' 1"

Copy.ps1:

$SophosUninstallDir = "C:\Programdata\Intune\Sophos"
if(!(Test-Path $SophosUninstallDir)){
    New-Item -Path $SophosUninstallDir -ItemType Directory -Force
}
# Copy files from the working dir (the extracted .intunewin content) into the new dir
Copy-Item -Path .\* -Recurse -Destination $SophosUninstallDir -Force
# First pass: stops and disables the Sophos services, then requires a reboot
& .\SophosZap.exe --confirm
Shutdown.exe /r /t 300 /c "The device will restart in 5 minutes to configure important updates. Please save your work."
# Keep the script (and therefore the Intune install) busy until just before the reboot
Start-Sleep -Seconds 299

Note: I added the delay at the end of the first payload so that the second payload (Sophos Endpoint Agent Removal) does not kick in immediately, before the reboot, and fail.
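A sleep only buys time; it does not prove the reboot has happened. A stronger guard, as an added example that is not part of the original post, is a requirement script on the second Win32 app that returns "Ready" only when SophosZap.exe has been staged by the first payload and the device has booted since then. In the app's requirement rule choose the script type, set the output data type to String, operator Equals, value Ready. The path is the one used in this post; treating the staged file's CreationTime as the time the first payload ran is an assumption (Windows sets CreationTime at copy time, but an in-place overwrite keeps the original value).

```powershell
# Added example (not from the post): Intune Win32 requirement script for the
# "Sophos Endpoint Agent Removal" payload. Prints "Ready" only when the first
# payload has staged SophosZap.exe AND the device has rebooted since then.
# Assumption: the file's CreationTime marks when the first payload ran.

$zapPath = 'C:\ProgramData\Intune\Sophos\SophosZap.exe'

function Test-RemovalReady {
    param([string]$Path)

    if (-not (Test-Path -Path $Path)) { return 'NotStaged' }

    # CreationTime is set when the file is copied in by Copy.ps1
    $staged   = (Get-Item -Path $Path).CreationTime
    # LastBootUpTime comes back as a DateTime from Get-CimInstance
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    if ($lastBoot -gt $staged) { return 'Ready' }
    return 'RebootPending'
}

# Intune compares this single string against the value in the requirement rule
Write-Output (Test-RemovalReady -Path $zapPath)
```

While the device reports RebootPending the second app is simply "not applicable" in Intune and is re-evaluated on the next check-in, which is the behaviour you want rather than a failed install attempt.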

Folder Structure -

I used IntuneWinAppUtil.exe to wrap the Copy.cmd file and imported it into Intune with the following values -

Sophos Endpoint Agent Removal

This payload will do the following -

1. Run SophosZap.exe again from C:\Programdata\Intune\Sophos after the reboot to finish the removal.

Scripts -

Uninstall.cmd (the wrapped launcher; it calls the script below):

powershell.exe -executionpolicy bypass -command "& '.\uninstall.ps1' 1"

uninstall.ps1:

$SophosUninstallDir = "C:\Programdata\Intune\Sophos"
# Run from the folder staged by the first payload so the relative path resolves
Push-Location $SophosUninstallDir
# Second pass: completes the removal now that the services are stopped and the device has rebooted
& .\SophosZap.exe --confirm
Pop-Location

Folder Structure -

As with the first payload, I used IntuneWinAppUtil.exe to wrap the Uninstall.cmd file and imported it into Intune with the following values -

Important: Make a note of the detection logic below. 

The first payload is added as a dependency.

The last step is to assign the Sophos Endpoint Agent Removal payload, which in turn triggers evaluation of its dependency, Sophos Zap Copy & Initiate.
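For a removal app the detection rule has to confirm that Sophos is gone, not that something was installed. The following custom detection script is an added example, not the detection logic from the original post: Intune treats the app as detected when the script writes to STDOUT and exits 0, so it only prints when no Sophos service and no Sophos entry in the uninstall registry keys remain. Matching on display names that start with "Sophos" and the two uninstall key locations are assumptions; adjust them to what your inventory shows.

```powershell
# Added example (not from the post): Intune Win32 detection script for the
# "Sophos Endpoint Agent Removal" payload. "Installed" here means
# "no Sophos components remain", so output is written only in that case.
# Assumptions: Sophos services and products have display names starting "Sophos".

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RemainingSophosComponents {
    # Any service whose display name starts with "Sophos" means the agent is still present
    $services = Get-Service | Where-Object { $_.DisplayName -like 'Sophos*' } |
        ForEach-Object { "Service: $($_.DisplayName)" }

    # Any Add/Remove Programs entry starting with "Sophos" means an uninstall is still pending
    $products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Sophos*' } |
        ForEach-Object { "Product: $($_.DisplayName)" }

    return @($services) + @($products)
}

$remaining = Get-RemainingSophosComponents

if ($remaining.Count -eq 0) {
    # Detected: STDOUT content + exit 0 tells Intune the "app" (the removal) is in place
    Write-Output 'Sophos components not found - removal complete'
    exit 0
}

# Not detected: no STDOUT output, non-zero exit. Leftovers go to the error stream
# so they show up in the IntuneManagementExtension log without counting as detection.
$remaining | ForEach-Object { Write-Error -Message $_ -ErrorAction Continue }
exit 1
```

Because the second app depends on the first, Intune evaluates this script for the first payload's detection as well once the dependency chain is satisfied, so keep the two apps' detection rules consistent with what each pass actually leaves behind.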

End User Experience

From an end user's perspective, the only thing they really see is the reboot prompt before the device restarts.

Once execution completes, Sophos AV and its dependent services are removed.

Final thoughts

The most important step is making sure the devices are checking in to Sophos Central. If they check in regularly and are healthy, they can be targeted for turning off Tamper Protection, and everything else should just work. I highly recommend onboarding the devices to MDE before Sophos AV is removed, so that the endpoints are never left without protection.

