Replace Sophos with Windows Defender on Intune managed devices


We are replacing Sophos Endpoint Protection with Windows Defender, and I'd like to ask if anybody has experience in doing so and is willing to share it.

 

a) removing Sophos from Windows 10 devices using Intune - is it possible and what should I take care of to prevent bricking the device (esp. BitLocker)?

 

b) deploying Windows Defender to Windows 10 devices to devices where I cannot uninstall Sophos remotely - is it possible / recommended?

 

 

10 Replies
I wish someone could reply with a solution. We are also faced with the same predicament.
What are you currently doing with Sophos? (A/V? EDR? Disk Encryption?)

Are the devices all Intune Enrolled yet?
We are using Sophos for A/V.
All our devices are Intune enrolled.
Do you currently have a script to uninstall it? You will need a silent way to uninstall it. Once you have that you can leverage the PowerShell script method in Intune.
I have found a batch file, but no PowerShell script to silent uninstall
If it's a simple batch file you could always convert it to PowerShell. Also, you could leverage a Win32 app and call the batch file; you'll simply need something like a reg key on the machine to use as a detection method. Feel free to post the batch file here on the forum.
here is the bat file

net stop "SAVService"
net stop "Sophos AutoUpdate Service"
"C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallcli.exe"
MsiExec.exe /X{31616A98-3852-49E9-BDD6-77A1AB85571A} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SAV10_Log.txt
Here is a community guide on a possible way to convert a simple batch script to PowerShell:

https://blog.inedo.com/powershell/convert-batch

Essentially you rename it to .cmd, then to .ps1. If you run it and it still works as expected, the simple conversion has worked.

After you've converted the file, call it with the following command line:

powershell.exe -ExecutionPolicy Bypass -File .\script.ps1

@Nathan Blasac 

 

UPDATE:

I was able to get it to run as .cmd, but renaming it to .ps1 brought a pop-up window which indicated that I have to change the commands for PowerShell to run them.

 

Windows ® Installer. V 5.0.21390.1

msiexec /Option <Required Parameter> [Optional Parameter]

Install Options
</package | /i> <Product.msi>
Installs or configures a product
/a <Product.msi>
Administrative install - Installs a product on the network
/j<u|m> <Product.msi> [/t <Transform List>] [/g <Language ID>]
Advertises a product - m to all users, u to current user
</uninstall | /x> <Product.msi | ProductCode>
Uninstalls the product
Display Options
/quiet
Quiet mode, no user interaction
/passive
Unattended mode - progress bar only
/q[n|b|r|f]
Sets user interface level
n - No UI
b - Basic UI
r - Reduced UI
f - Full UI (default)
/help
Help information
Restart Options
/norestart
Do not restart after the installation is complete
/promptrestart
Prompts the user for restart if necessary
/forcerestart
Always restart the computer after installation
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile>
i - Status messages
w - Nonfatal warnings
e - All error messages
a - Start-up of actions
r - Action-specific records
u - User requests
c - Initial UI parameters
m - Out-of-memory or fatal exit information
o - Out-of-disk-space messages
p - Terminal properties
v - Verbose output
x - Extra debugging information
+ - Append to existing log file
! - Flush each line to the log
* - Log all information, except for v and x options
/log <LogFile>
Equivalent of /l* <LogFile>
Update Options
/update <Update1.msp>[;Update2.msp]
Applies update(s)
/uninstall <PatchCodeGuid>[;Update2.msp] /package <Product.msi | ProductCode>
Remove update(s) for a product
Repair Options
/f[p|e|c|m|s|o|d|a|u|v] <Product.msi | ProductCode>
Repairs a product
p - only if file is missing
o - if file is missing or an older version is installed (default)
e - if file is missing or an equal or older version is installed
d - if file is missing or a different version is installed
c - if file is missing or checksum does not match the calculated value
a - forces all files to be reinstalled
u - all required user-specific registry entries (default)
m - all required computer-specific registry entries (default)
s - all existing shortcuts (default)
v - runs from source and recaches local package
Setting Public Properties
[PROPERTY=PropertyValue]

Consult the Windows ® Installer SDK for additional documentation on the
command line syntax.

Copyright © Microsoft Corporation. All rights reserved.
Portions of this software are based in part on the work of the Independent JPEG Group.

@BNderi 

 

From this Stack Overflow question I was able to create a working .ps1 script:


& "C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallcli.exe"
Start-Process msiexec.exe -Wait -ArgumentList "/X{31616A98-3852-49E9-BDD6-77A1AB85571A} /quiet /norestart /L*v $env:windir\Temp\Uninstall_SAV10_Log.txt"
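
An added example, not part of any post in this thread: a PowerShell script that could serve as the Win32 app detection method suggested earlier. It reports success only when the MSI product code and services from the posted batch file are gone and Get-MpComputerStatus shows Defender as the active antivirus. The 'Sophos*' display-name filter and the decision to require every check to pass are assumptions.

```powershell
# Added example (not from the thread): Intune Win32 app custom detection script.
# Intune treats the app as "detected" only when the script exits 0 and writes to STDOUT.
$productCode = '{31616A98-3852-49E9-BDD6-77A1AB85571A}'  # MSI product code from the posted batch file
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$problems = @()

# 1. The MSI product must no longer be registered in either registry view.
foreach ($root in $uninstallRoots) {
    if (Test-Path -LiteralPath "$root\$productCode") {
        $problems += "Product code still registered under $root"
    }
}

# 2. No other Sophos components left behind (assumption: DisplayName starts with "Sophos").
$leftovers = Get-ItemProperty -Path ($uninstallRoots | ForEach-Object { "$_\*" }) -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Sophos*' }
foreach ($item in $leftovers) { $problems += "Still installed: $($item.DisplayName)" }

# 3. The services the batch file stops must be gone, not merely stopped.
#    net stop accepts either the service name or the display name, so match both.
foreach ($name in 'SAVService', 'Sophos AutoUpdate Service') {
    $svc = Get-Service | Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name }
    if ($svc) { $problems += "Service still present: $name" }
}

# 4. Defender must be the active antivirus, not passive or disabled.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $problems += 'Get-MpComputerStatus returned nothing'
} elseif ($mp.AMRunningMode -ne 'Normal') {
    $problems += "Defender running mode is '$($mp.AMRunningMode)', expected 'Normal'"
} elseif (-not ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) {
    $problems += 'Defender antivirus or real-time protection is disabled'
}

if ($problems.Count -eq 0) {
    Write-Output 'Sophos removed; Defender active'
    exit 0
}
# Non-zero exit with reasons on STDERR: Intune reports the app as not detected.
$problems | ForEach-Object { [Console]::Error.WriteLine($_) }
exit 1
```

A device that keeps failing check 4 after a reboot has no active antivirus and should be investigated before the next one is migrated.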