Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=protect-devices-CLI-Windows

Installer command-line options for Windows

Note

There is no command-line option for installation from an update cache. The installer automatically assesses connectivity to any update caches set up in the Sophos Central account and installs from them.

For more information on Sophos Central see Frequently Asked Questions (FAQs).

For information on the installers see the following:

Command-line options

Some options may not be available for all customers yet.

You can use the following command-line options with the Sophos Central installers for Windows.

Quiet

Runs the installer without displaying the user interface.

--quiet

No proxy detection

Doesn't attempt to perform automatic proxy detection.

--noproxydetection

No competitor removal

Doesn't attempt to automatically remove competitors. (Only on installation of Sophos Anti-Virus.)

--nocompetitorremoval

Language

Allows you to manually set the installer language. By default the installer uses the system language.

--language=<ID>

Trailing argument

Replace <ID> with the language ID. See Language IDs.

Group

Specifies the Sophos Central device group to join the device to. You can also use this option to add devices to a subgroup.

Backslashes indicate a group hierarchy. You must use quotes for any groups that have spaces in their names.

--devicegroup=<group>

--devicegroup=<group>\<subgroup>

Trailing argument

Replace <group> and <subgroup> with the name of the Sophos Central group and subgroup to join. If it doesn't exist, it's created.

CRT catalog path

Allows you to specify your own catalog of competitors to remove.

--crtcatalogpath=<path>

Trailing argument

Replace <path> with the full path to the custom catalog file.

Example

--crtcatalogpath=C:\catalog\productcatalog.xml

Message relays

Specifies a list of message relays to use.

--messagerelays=<IPs>

Trailing argument

Replace <IPs> with a comma-separated list of message relays. For each message relay, specify the host name or IP address followed by : and port number. By default, the port is 8190.

Example

--messagerelays=messagerelay.local:8190,10.55.169.85:8190

Sophos Central server locations

Specifies the Sophos Central server locations to connect to.

--epinstallerserver=<URL>

Trailing argument

Replace <URL> with the fully qualified server name provided in the CSV file from Sophos Central Partner.

Proxy address

Specifies a custom proxy to use.

--proxyaddress=myproxy.local:8080

Trailing argument

Hostname or IP address followed by : and port number.

Proxy username

Specifies a proxy username if the proxy server requires authentication. For authenticated proxies, only Digest Authentication is supported on Windows endpoints. For unauthenticated proxy servers, don't specify a proxy username.

--proxyusername=<user>

Trailing argument

Replace <user> with the username for the proxy.

Proxy password

If a custom proxy and username have been specified, set the password with this option.

--proxypassword=<pw>

Trailing argument

Replace <pw> with the password for the proxy.

Computer name override

Overrides the name of the device to be used in Sophos Central.

--computernameoverride=<name>

Trailing argument

Replace <name> with the custom computer name.

Domain name override

Overrides the domain name of the device to be used in Sophos Central.

--domainnameoverride=<domain>

Trailing argument

Replace <domain> with the custom domain name.

Customer token

Specifies the token of the Sophos Central customer to associate the device with.

--customertoken=<UUID>

Trailing argument

Replace <UUID> with the UUID which maps to a customer.

Products to install

Specifies a list of products to install. If you specify a product that you don't have a license for, then it isn't installed.

--products=<products>

Trailing argument

Replace <products with a comma-separated list of products to install.

Available options are: antivirus, intercept, mdr, xdr, deviceEncryption, ztna, none, or all.

xdr

If you install xdr only we won't install anti-malware protection. You must have third-party protection installed to protect your devices.

Sophos core agents

If you want to install only our core agents for computers or servers use none.

You may want to do this if you want to add protection gradually later to ensure compatibility with third-party applications.

Local install source

Specifies a local install source to use during installation. This allows an installation to occur without having to download the installer files.

--localinstallsource=<path>

Replace <path> with the path to the install source.

It isn't necessary to populate the local install source, but it's necessary to create a SophosLocalInstallSource folder.

If an empty folder is provided it's populated during the first installation.

If you wish to pre-populate the cache you can take a copy of the files from an already installed device. You must use the following folders:

  • %ProgramData%\Sophos\AutoUpdate\data\repo
  • %ProgramData%\Sophos\UpdateCache\www\v3

Even if a populated local install source is provided, internet access is still required and some files are downloaded. The amount of data downloaded depends on various factors including, for example:

  • Whether the platform of the installation device differs from the files already populated.
  • Whether the installer has changes since the local install source was populated.
Example

For the purpose of this example SomeContent represents the files and folders within the repo folder.

  1. Go to %ProgramData%\Sophos\AutoUpdate\data\repo\SomeContent.
  2. Using the path above, create <SharedOrRemovableLocation>\SophosLocalInstallSource\SomeContent.
  3. To install using this local install source run SophosSetup.exe --localinstallsource="<SharedOrRemovableLocation>".

Message trail logging

Turns on the logging of message content between the device and Sophos Central during installation.

You must switch this option off after installing, see Enabling a diagnostic message trail of Sophos MCS.

--traillogging

Register only

You use this command to re-register a device that already has Sophos Protection installed on it.

--registeronly

You can use this option if you're moving devices from one account to another. Examples:

  • You're moving regions in Sophos Central.
  • You're a partner and you have a device that's registered to the wrong customer.
  • You're an Enterprise admin and you want to move devices between sub-estates.

To use this command, turn off tamper protection on the device and run the installer from the account you want to move the device to using --registeronly.

Gold image

You can configure devices to use them as a gold image for Virtual Desktop Infrastructure (VDI). When a clone is created from the gold image, we register it with Sophos Central Admin. You can install and create a gold image using timeout mode or notification mode.

To install and create a gold image on a new device or configure an existing device to use as a gold image, use any of the following options:

  • --goldimage: Use this to install using the timeout mode.
  • --goldimage --notificationmode: Use this to install using the notification mode.

For more details, see the following sections:

You can use the options in combination with other options. If you install a gold image with both --goldimage and --devicegroup, we register the gold image device and the clones in Sophos Central in the designated device group.

For more information on setting up a gold image, see Create gold images and clone new devices.

This process is supported on computers and servers, if you're using the thin installer and up-to-date versions of the core agents. You need the following versions:

  • Thin Installer 1.14 or later
  • Sophos Core Agent 2022.1.0.78 or later
  • Sophos Server Core Agent 2022.1.0.78 or later

Gold image timeout

When you start a virtual machine, we use a change to the device name to determine whether you're starting a new clone. If a name change has occurred the existing Sophos configuration is cleaned, and we register a new device in Sophos Central Admin. We treat this clone as a unique device.

If no change to the device name occurs we assume you're starting the gold image device.

We wait two minutes, by default, after you start the gold image device before communication with Sophos Central happens. This avoids creating duplicate devices, if changing the identity of a new clone is taking longer than expected.

If the change of the identity is taking longer than the default two minutes, use this option to change the default.

--goldimagetimeout=<time-in-seconds>

Default value is 120. Minimum value is 0. Maximum value is 900.

For more information on setting up a gold image, see Create gold images and clone new devices.

Trailing argument

The number of seconds for the timeout.

Gold image notification

The notification mode is aimed at improving the gold image process with VMware Horizon Instant-Clone.

With timeout mode, a change to the device name is used to determine whether you're starting a new clone. Whatever the timeout is set to, either by default or by the admin, the gold image process checks the device name once it elapses. If the device name changes, it'll turn the virtual machine where it has elapsed into a cloned virtual machine. This also applies if it's an intermediate device as part of the VMware Horizon Instant-Clone workflow.

When you install using the notification mode, it prevents any communication with Sophos Central until notified by the admin or VDI platform. This means that the machines will only register when the cloning process is complete or the admin activates the gold image. This avoids any deduplication issues that might occur when using the timeout mode.

If you're using the thin installer and up-to-date versions of the core agents, you need the following versions:

  • Thin Installer 1.20.627 or later
  • Sophos Core Agent 2024.2.0.527 or later
  • Sophos Server Core Agent 2024.2.0.534 or later

After you install and create a gold image using the notification mode, it'll register with Sophos Central and allow communication until restart. When restarted, communication will be disabled until you do one of the following actions:

  • Run GoldImageCli.exe activate.
  • From the Sophos Endpoint Agent, click About and then click Activate and Update.

For more information on setting up a gold image, see Create gold images and clone new devices.

Windows examples

Install Sophos Anti-Virus and Intercept X without user interaction:

SophosSetup.exe --products=antivirus,intercept --quiet

Install ZTNA only:

SophosSetup.exe --products=ztna

Install using a proxy:

SophosSetup.exe --proxyaddress=<IP/FQDN>:<port>

Replace <IP/FQDN> with the proxy's IP address or fully qualified domain name (FQDN) and <port> with the proxy's port number.

Install using a message relay:

SophosSetup.exe --messagerelays=192.168.10.100:8190

Install into a subgroup:

SophosSetup.exe --devicegroup="Application Servers\Terminal Servers"

Puts an installed server into the “Terminal Servers” subgroup of the “Application Servers” group. You must use quotes for any groups that have spaces in their names.

Bypass ACS system check

You can bypass the Azure Code Signing (ACS) system check using the --bypassacscheck installer. Bypassing the ACS system check enables the installation of the software on an endpoint that doesn't have the required patches installed to support ACS.

This is only used when installing endpoint software from a fixed or long-term support warehouse containing old versions of Sophos Endpoint Defense (SED) and AMSI that don't require the ACS patches.

Language IDs

Language ID
English 1033
French 1036
German 1031
Japanese 1041
Spanish 1034
Italian 1040
Polish 1045
Brazilian Portuguese 1046
Korean 1042
Chinese Simplified (Mandarin) 2052
Chinese Traditional (Cantonese) 3076
Chinese Hong Kong 3076
Chinese Macau 3076
Chinese Singapore 2052