Skip to content

Installer command-line options for Windows


There is no command-line option for installation from an update cache. The installer automatically assesses connectivity to any update caches set up in the Sophos Central account and installs from them.

For more information on Sophos Central see Frequently Asked Questions (FAQs).

For information on the installers see the following:

You can use the following command-line options with the Sophos Central installers for Windows.

Command-line options

Some options may not be available for all customers yet.


Runs the installer without displaying the user interface.


No proxy detection

Doesn't attempt to perform automatic proxy detection.


No competitor removal

Doesn't attempt to automatically remove competitors. (Only on installation of Sophos Anti-Virus.)



Allows you to manually set the installer language. By default the installer uses the system language.


Trailing argument

Language ID.


Specifies the Sophos Central device group to join the device to. You can also use this option to add devices to a subgroup.

Backslashes indicate a group hierarchy. You must use quotes for any groups that have spaces in their names.

  • --devicegroup=<Central-group>
  • --devicegroup=<Central-group>\<Central-subgroup>

Trailing argument

Group or subgroup to join. If it doesn't exist, it's created.

CRT catalog path

Allows you to specify your own catalog of competitors to remove.


Trailing argument

Full path to custom catalog file.



Message relays

Specifies a list of message relays to use.


Trailing argument

List of comma-separated message relays. For each message relay, specify the host name or IP address followed by : and port number. By default, the port is 8190.



Sophos Central server locations

Specifies the Sophos Central server locations to connect to.


Trailing argument

Fully qualified server name provided in the CSV file from Sophos Central Partner.

Proxy address

Specifies a custom proxy to use.


Trailing argument

Hostname or IP address followed by : and port number.

Proxy username

Specifies a proxy username if the proxy server requires authentication. For authenticated proxies, only Digest Authentication is supported on Windows endpoints. For unauthenticated proxy servers, don't specify a proxy username.


Trailing argument

The username of the proxy.

Proxy password

If a custom proxy and username have been specified, set the password with this option.


Trailing argument

Password for the proxy.

Computer name override

Overrides the name of the device to be used in Sophos Central.


Trailing argument

Custom computer name.

Domain name override

Overrides the domain name of the device to be used in Sophos Central.


Trailing argument

Custom domain name.

Customer token

Specifies the token of the Sophos Central customer to associate the device with.


Trailing argument

UUID which maps to a customer.

Products to install

Specifies a list of products to install. If you specify a product that you don't have a license for, then it isn't installed.


Trailing argument

List of products to install, comma-separated.

Available options are: antivirus, intercept, mdr, xdr, deviceEncryption, ztna, none, or all.


If you install xdr only we won't install anti-malware protection. You must have third-party protection installed to protect your devices.

Sophos core agents

If you want to install only our core agents for computers or servers use none.

You may want to do this if you want to add protection gradually later to ensure compatibility with third-party applications.

Local install source

Specifies a local install source to use during installation. This allows an installation to occur without having to download the installer files.


It isn't necessary to populate the local install source, but it's necessary to create a SophosLocalInstallSource folder.

If an empty folder is provided it's populated during the first installation.

If you wish to pre-populate the cache you can take a copy of the files from an already installed device. The required files depend on whether you're using SDDS2 or SDDS3 to update.

On a device using SDDS3 updating, you must use the following folders:

  • %ProgramData%\Sophos\AutoUpdate\data\repo
  • %ProgramData%\Sophos\UpdateCache\www\v3

On a device using SDDS2 updating, you must use the following folders:

  • %ProgramData%\Sophos\AutoUpdate\data\Warehouse
  • %ProgramData%\Sophos\UpdateCache\www\warehouse

Even if a populated local install source is provided, internet access is still required and some files are downloaded. The amount of data downloaded depends on various factors including, for example:

  • Whether the platform of the installation device differs from the files already populated.
  • Whether the installer has changes since the local install source was populated.

For the purpose of this example SomeContent represents the files and folders within the repo folder.

  1. Go to %ProgramData%\Sophos\AutoUpdate\data\repo\SomeContent.
  2. Using the path above, create <SharedOrRemovableLocation>\SophosLocalInstallSource\SomeContent.
  3. To install using this local install source run SophosSetup.exe --localinstallsource="<SharedOrRemovableLocation>".

Message trail logging

Turns on the logging of message content between the device and Sophos Central during installation.

You must switch this option off after installing, see Enabling a diagnostic message trail of Sophos MCS.


Register only

You use this command to re-register a device that already has Sophos Protection installed on it.


You can use this option if you're moving devices from one account to another. Examples:

  • You're moving regions in Sophos Central.
  • You're a partner and you have a device that's registered to the wrong customer.
  • You're an Enterprise admin and you want to move devices between sub-estates.

To use this command, turn off tamper protection on the device and run the installer from the account you want to move the device to using --registeronly.

Gold image

You can configure devices to use them as a gold image for Virtual Desktop Infrastructure (VDI). When a clone is created from the gold image we register it with Sophos Central Admin.

You can use this option to install and create a gold image on a new device or configure an existing device to use as a gold image.


You can use it in combination with other options. If you install a gold image with both --goldimage and --devicegroup, we register the gold image device and we register the clones in Sophos Central in the designated device group.

For more information on setting up a gold image see Create gold images and clone new devices.

This process is supported on computers and servers, if you're using the thin installer and up-to-date versions of the core agents. You need the following versions:

  • Thin Installer 1.14 or later
  • Sophos Core Agent 2022.1.0.78 or later
  • Sophos Server Core Agent 2022.1.0.78 or later

Gold image timeout

When you start a virtual machine, we use a change to the device name to determine whether you're starting a new clone. If a name change has occurred the existing Sophos configuration is cleaned, and we register a new device in Sophos Central. We treat this clone as a unique device.

If no change to the device name occurs we assume you're starting the gold image device.

We wait two minutes, by default, after you start the gold image device before communication with Sophos Central happens. This avoids creating duplicate devices, if changing the identity of a new clone is taking longer than expected.

If the change of the identity is taking longer than the default two minutes, use this option to change the default.


Default value is 120. Minimum value is 0. Maximum value is 900.

For more information on setting up a gold image see Create gold images and clone new devices.

Trailing argument

The number of seconds for the timeout.

Windows examples

Install Sophos Anti-Virus and Intercept X without user interaction:

SophosSetup.exe --products=antivirus,intercept --quiet

Install ZTNA only:

SophosSetup.exe --products=ztna

Install using a proxy:

SophosSetup.exe --proxyaddress=<ProxyIP/FQDN>:<Port>

Install using a message relay:

SophosSetup.exe --messagerelays=

Install into a subgroup:

SophosSetup.exe --devicegroup="Application Servers\Terminal Servers"

Puts an installed server into the “Terminal Servers” subgroup of the “Application Servers” group. You must use quotes for any groups that have spaces in their names.

Bypass ACS system check

You can bypass the Azure Code Signing (ACS) system check using the --bypassacscheck installer. Bypassing the ACS system check enables the installation of the software on an endpoint that doesn't have the required patches installed to support ACS.

This is only used when installing endpoint software from a fixed or long-term support warehouse containing old versions of Sophos Endpoint Defense (SED) and AMSI that don't require the ACS patches.

Language IDs

Language ID
English 1033
French 1036
German 1031
Japanese 1041
Spanish 1034
Italian 1040
Polish 1045
Brazilian Portuguese 1046
Korean 1042
Chinese Simplified (Mandarin) 2052
Chinese Traditional (Cantonese) 3076
Chinese Hong Kong 3076
Chinese Macau 3076
Chinese Singapore 2052