Sophos Enterprise Console Backup Process

The following backup process is for backing up all relevant Sophos registry keys and databases for the Sophos Enterprise console to ensure full recovery or migration of all the workstations, policies and groups.

Registry Keys

32bit OS:

— Certificate key —

Start | Run | regedit

HK Local Machine | Software | Sophos | certification manager | CertAuthStore

Please export the CertAuthStore, and save it to a location.

— Database-user key —

Start | Run |reg-edit

HK Local Machine | Software | Sophos | EE | Management Tools | database-user

Please export the ‘database-user’, save it to a location.


64bit OS:

— Certificate key —

Start | Run |reg-edit

HK Local Machine | software | Wow6432node | Sophos | certification manager | CertAuthStore

Please export theCertAuthStore, and save it to a location.

— Database-user key —

HK Local Machine | Software | Sophos | EE | Management Tools | databaseuser

Please export the ‘database-user’, save it to a location.


Sophos Databases

Please stop the Sophos SQL service within the computer services. Please do the following

Start | type ‘run’ and open the run box | type ‘services.msc’ | stop SQL service(SOPHOS)

Once the service has been stopped, please navigate to the following locations:

32/64 bit:

Windows 2008 – C:\program files\microsoft SQL\ Data\Sophos

Windows 2012 – C:\program files\microsoft SQL\ Data\Sophos

Please backup the following databases:


Once all databases have been backed up, please restart the Sophos SQL service again.

Sophos SafeGuard – Decryption Policy

The below is a method that can be used to decrypt SafeGuard encrypted Windows 7, Windows 8 and Windows 10 computers using the SafeGuard Management Center.

By default users are unable to decrypt encrypted drives. Even if the setting is enabled that allows users to decrypt drives, with the Full Disk Encryption policy, users will still not be able to decrypt the drive unless a decryption policy is applied to the computer as well.

In this method we will apply a decryption policy to a specific created group that will allow a drive to be decrypted whilst only applying the policy to the specific computer for which decryption is required.

1. Allow the user to decrypt volume within the Full Disk Encryption policy.

Enable decryption

2. Create a decryption policy.
  • Right click on Policy Items, select New, select Device Protection Policy.
  • Name the policy Decrypt. Under Device Protection Target select Local Storage Devices.
  • Next to Media Encryption Mode select No Encryption.
  • Save
3. Create a decryption group.
  • Click on Users and Computers.
  • Click on the Domain Name, right click and select New and then click on Create New Group.
  • Name the group Decryption. Click OK.
4. Apply the decryption policy to the decryption group.
  • Click on the Domain Name. Click on the Policies tab.
  • Under the Available Policies section on the right hand side of the screen, locate the Decrypt Policy and drag and drop it into the center of the screen. Tick the No Override Box and ensure the Priority is set to 1.
  • Under the Available Groups section on the right hand side of the screen, locate the Decryption Group and drag and drop it into the center of the screen. Click the Save button.

Decryption policy and group

The policy and group have now been created and applied. No computers will be affected by this policy unless they are moved into the decryption group.

5. Move the computer requiring decryption into the decryption group
  • Click on Users and Computers.
  • Locate the Decryption Group and click on it. Click on the Members Tab.
  • On the right hand side of the screen under the Available Objects section, locate the computer requiring decryption and drag and drop it into the center of the screen.
  • Click the Save button.

6. The decryption policy is now applied to the desired computer. The next step is to begin the decryption on the target machine.


Windows 7
  • Open Windows Explorer.
  • Click on Computer. Right click on (C:), select Encryption and then select Decryption.


Windows 8 and 10
  • Open the Control Panel. Select View by: small icons.
  • Click on Bitlocker Drive Encryption.
  • Select Turn off Bitlocker.

The drive will then begin decrypting. It is recommended to use this method if you need to remove SafeGuard Encryption from an encrypted computer.

You should always decrypt the computer before uninstalling the SafeGuard agents.

Here is the link to the full Sophos article should you require further information on this: https://community.sophos.conm/kb/zh-cn/108411

Sophos UTM 9

How to generate a Certificate Signing Request (CSR) on Sophos UTM 9

Please exclude all Brackets from the following commands.

  1. Log into the back end of the UTM.
  2. Log in as root su.
  3. Then switch to the home directory (cd/home/login)
  4. Now create a openvpn.cnf file with the following commands (cat/et/ssl/openssl.cnf | grep -v SUBJECT_ALT_NAME > ./openssl.config)
  5. Then we have to generate the CSR.
  6. openssl req -config  ./openssl.config -new -newkey rsa:2048 -out
  7. You should now get prompted for a passphrase and a Confirmation Passphrase (Enter the passphrase of your choice and press enter)
  8. You should now be prompted for details for the CSR ( Enter the details and hit enter again.
  9. The completed CSR will be saved to /home/login and can be downloaded with WinSCP.

Sophos XG and Sophos Firewall Manager

Here is a quick breakdown on how to get the firewall and the central management to communicate.

On the XG Firewall do the following:

  1. Navigate to the System (the little gear icon).
  2. Select Administration and then Central Management.
  3. Select to Enable Central Management
  4. For the IP Address / Domain enter the central management device IP.
  5. For Communication Details > set the Heartbeat Protocol > Https and Heartbeat Port to 443.
  6. Choose which synchronisation suits you best, to either pull device configuration or use the Firewall Manager to push the configuration.

Then Sophos firewall manager configuration is as follows:

  1. From Home navigate to Device Configuration and select Add Device
  2. Enter all Device Information and click Next
  3. Define Communication Mode and click Next
  4. Choose whether to update device firmware
  5. Configure Backups
  6. Select a template to Auto Configure Device and click Next
  7. The XG Firewall will now be communicating with the Sophos firewall manager.

SafeGuard – Windows 10 and Bitlocker Decryption


BitLocker can’t be turned off/disabled when it is being managed by SafeGaurd. As you turn it off, BitLocker goes into a loop and turns back on straight away. SafeGuard also can’t be uninstalled as long as the drive is encrypted by BitLocker. (See error message below)

Safeguard bitlocker

Although there is an option available to turn off BitLocker. Once you select it, it turns back on straight away, therefore your drive does not decrypt. (See screenshots below)




1. Under the ‘Policy and Groups’ tab, create a new full disk encryption policy set to ‘no encryption’.


2. Create a new policy group called Standalone and assign the decryption policy to that policy group.


3. Create a a Standalone Configuration Package – click on Tools > Configuration Package > Standalone Configuration Package and select the decryption group (Standalone Package) in the Policy Group dropdown menu.

configuration package

4. Click Create Configuration Package button.

Once the package has been created install it on the machine that needs to be decrypted. Once installed, you will now be able to turn off BitLocker.