Installer command-line options for Windows
Note
There is no command-line option for installation from an update cache. The installer automatically assesses connectivity to any update caches set up in the Sophos Central account and installs from them.
For more information on Sophos Central see Frequently Asked Questions (FAQs).
For information on the installers see the following:
- New endpoint installer frequently asked questions
- Installer precheck messages
- An Internet connection could not be established
Command-line options
Some options may not be available for all customers yet.
You can use the following command-line options with the Sophos Central installers for Windows.
Quiet
Runs the installer without displaying the user interface.
--quiet
No proxy detection
Doesn't attempt to perform automatic proxy detection.
--noproxydetection
No competitor removal
Doesn't attempt to automatically remove competitors. (Only on installation of Sophos Anti-Virus.)
--nocompetitorremoval
Language
Allows you to manually set the installer language. By default the installer uses the system language.
--language=<ID>
Trailing argument
Replace <ID> with the language ID. See Language IDs.
Group
Specifies the Sophos Central device group to join the device to. You can also use this option to add devices to a subgroup.
Backslashes indicate a group hierarchy. You must use quotes for any groups that have spaces in their names.
--devicegroup=<group>
--devicegroup=<group>\<subgroup>
Trailing argument
Replace <group> and <subgroup> with the name of the Sophos Central group and subgroup to join. If it doesn't exist, it's created.
CRT catalog path
Allows you to specify your own catalog of competitors to remove.
--crtcatalogpath=<path>
Trailing argument
Replace <path> with the full path to the custom catalog file.
Example
--crtcatalogpath=C:\catalog\productcatalog.xml
Message relays
Specifies a list of message relays to use.
--messagerelays=<IPs>
Trailing argument
Replace <IPs> with a comma-separated list of message relays. For each message relay, specify the host name or IP address followed by : and port number. By default, the port is 8190.
Example
--messagerelays=messagerelay.local:8190,10.55.169.85:8190
Sophos Central server locations
Specifies the Sophos Central server locations to connect to.
--epinstallerserver=<URL>
Trailing argument
Replace <URL> with the fully qualified server name provided in the CSV file from Sophos Central Partner.
Proxy address
Specifies a custom proxy to use.
--proxyaddress=myproxy.local:8080
Trailing argument
Hostname or IP address followed by : and port number.
Proxy configuration
Install using a Proxy Auto-Configuration (PAC) file.
--pacurl=<URL>
Trailing argument
Replace <URL> with the URL of a PAC file.
Example
--pacurl=http://example.com/proxy.pac
Proxy username
Specifies a proxy username if the proxy server requires authentication. For authenticated proxies, only Digest Authentication is supported on Windows endpoints. For unauthenticated proxy servers, don't specify a proxy username.
--proxyusername=<user>
Trailing argument
Replace <user> with the username for the proxy.
Proxy password
If a custom proxy and username have been specified, set the password with this option.
--proxypassword=<pw>
Trailing argument
Replace <pw> with the password for the proxy.
Computer name override
Overrides the name of the device to be used in Sophos Central.
--computernameoverride=<name>
Trailing argument
Replace <name> with the custom computer name.
Domain name override
Overrides the domain name of the device to be used in Sophos Central.
--domainnameoverride=<domain>
Trailing argument
Replace <domain> with the custom domain name.
Customer token
Specifies the token of the Sophos Central customer to associate the device with.
--customertoken=<UUID>
Trailing argument
Replace <UUID> with the UUID which maps to a customer.
Products to install
Specifies a list of products to install. If you specify a product that you don't have a license for, then it isn't installed.
--products=<products>
Trailing argument
Replace <products> with the product or products to install. If there's more than one product, put them in a comma-separated list.
Available options are as follows: endpoint, xdr, xdr sensor, deviceEncryption, ztna, all, or none.
- endpoint installs only anti-malware protection. It doesn't include XDR (Extended Detection and Response) features.
- xdr includes Sophos XDR features plus all the features in endpoint. If you use xdr, you don't need to use endpoint.
- xdr sensor includes Sophos XDR features but doesn't install anti-malware protection. You must have third-party protection installed to protect your devices.
- xdr and xdr sensor also include support for the Sophos MDR (Managed Detection and Response) service if you have an MDR license.
- all installs all the products you have licenses for and ignores the others.
- none installs only our core agents for computers or servers. You may want to use this option if you want to add protection gradually later to ensure compatibility with third-party applications.
Note
If you have a Sophos EDR license, use xdr or xdr sensor.
Device tags
Sophos Central lets you create tags and assign them to your devices. Tags help you manage and find your devices quickly.
You can apply tags to devices during installation by using this command-line option:
--tag=<tagname:value>
The tag consists of a name, such as "TimeZone", and a value, such as "UTC". A tag can also consist of a name only, such as "HeadQuarters".
Here's an example command to install a device with tags showing its country, city, and user type (VIP).
SophosSetup.exe --tag=Country:UK "--tag=City:London" --tag=VIP
For more information on device tags, see Manage tags.
Local install source
Specifies a local install source to use during installation. This allows an installation to occur without having to download the installer files.
--localinstallsource=<path>
Replace <path> with the path to the install source.
It isn't necessary to populate the local install source, but it's necessary to create a SophosLocalInstallSource folder.
If an empty folder is provided it's populated during the first installation.
If you wish to pre-populate the cache you can take a copy of the files from an already installed device. You must use the following folders:
- %ProgramData%\Sophos\AutoUpdate\data\repo
- %ProgramData%\Sophos\UpdateCache\www\v3
Even if a populated local install source is provided, internet access is still required and some files are downloaded. The amount of data downloaded depends on various factors including, for example:
- Whether the platform of the installation device differs from the files already populated.
- Whether the installer has changes since the local install source was populated.
Example
For the purpose of this example SomeContent represents the files and folders within the repo folder.
- Go to %ProgramData%\Sophos\AutoUpdate\data\repo\SomeContent.
- Using the path above, create <SharedOrRemovableLocation>\SophosLocalInstallSource\SomeContent.
- To install using this local install source, run SophosSetup.exe --localinstallsource="<SharedOrRemovableLocation>".
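The staging steps above as a PowerShell script. This is an added example, not Sophos code. $Location stands in for <SharedOrRemovableLocation>, and E:\Deploy is an assumed path.

```powershell
# Added example, not Sophos code. E:\Deploy is an assumed value for
# <SharedOrRemovableLocation>; change it to your share or removable drive.
$Location = 'E:\Deploy'
$repo     = Join-Path $env:ProgramData 'Sophos\AutoUpdate\data\repo'
$source   = Join-Path $Location 'SophosLocalInstallSource'

# The SophosLocalInstallSource folder must exist, even if it is left empty.
New-Item -ItemType Directory -Path $source -Force | Out-Null

if (Test-Path -LiteralPath $repo -PathType Container) {
    # Pre-populate from an already installed device: copy the contents of
    # repo (SomeContent in the example above), not the repo folder itself.
    Copy-Item -Path (Join-Path $repo '*') -Destination $source -Recurse -Force
    $count = @(Get-ChildItem -LiteralPath $source -Recurse -File).Count
    Write-Output "Staged $count files in $source"
} else {
    # No installed agent here: the empty folder is populated by the first installation.
    Write-Output "No repo folder on this device; $source is left empty"
}

# On the device being installed, pass the parent location, not the
# SophosLocalInstallSource folder itself.
Write-Output "Run: SophosSetup.exe --localinstallsource=`"$Location`""
```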
Message trail logging
Turns on the logging of message content between the device and Sophos Central during installation.
You must switch this option off after installing. See Enabling a diagnostic message trail of Sophos MCS.
--traillogging
Register only
You use this command to re-register a device that already has Sophos Protection installed on it.
--registeronly
You can use this option if you're moving devices from one account to another. Examples:
- You're moving regions in Sophos Central.
- You're a partner and you have a device that's registered to the wrong customer.
- You're an Enterprise admin and you want to move devices between sub-estates.
To use this command, turn off tamper protection on the device and run the installer from the account you want to move the device to using --registeronly.
Gold image
You can configure devices to use them as a gold image for Virtual Desktop Infrastructure (VDI). When a clone is created from the gold image, we register it with Sophos Central Admin. You can install and create a gold image using timeout mode or notification mode.
To install and create a gold image on a new device or configure an existing device to use as a gold image, use any of the following options:
- --goldimage: Use this to install using the timeout mode.
- --goldimage --notificationmode: Use this to install using the notification mode.
For more details, see the following sections:
You can also install a gold image and specify that cloned devices can be removed automatically after use. See Gold image nonpersistent.
You can use the options in combination with other options. If you install a gold image with both --goldimage and --devicegroup, we register the gold image device and the clones in Sophos Central in the designated device group.
For more information on setting up a gold image, see Create gold images and clone new devices.
This process is supported on computers and servers, if you're using the thin installer and up-to-date versions of the core agents. You need the following versions:
- Thin Installer 1.14 or later
- Sophos Core Agent 2022.1.0.78 or later
- Sophos Server Core Agent 2022.1.0.78 or later
Gold image timeout
When you start a virtual machine, we use a change to the device name to determine whether you're starting a new clone. If a name change has occurred the existing Sophos configuration is cleaned, and we register a new device in Sophos Central Admin. We treat this clone as a unique device.
If no change to the device name occurs we assume you're starting the gold image device.
We wait two minutes, by default, after you start the gold image device before communication with Sophos Central happens. This avoids creating duplicate devices, if changing the identity of a new clone is taking longer than expected.
If the change of the identity is taking longer than the default two minutes, use this option to change the default.
--goldimagetimeout=<time-in-seconds>
Trailing argument
Replace <time-in-seconds> with the number of seconds for the timeout.
For more information on setting up a gold image, see Create gold images and clone new devices.
Gold image notification
The notification mode is aimed at improving the gold image process with VMware Horizon Instant-Clone.
With timeout mode, a change to the device name is used to determine whether you're starting a new clone. Whatever the timeout is set to, either by default or by the admin, the gold image process checks the device name once it elapses. If the device name has changed, the virtual machine on which the timeout elapsed is turned into a cloned virtual machine. This also applies if it's an intermediate device as part of the VMware Horizon Instant-Clone workflow.
When you install using the notification mode, it prevents any communication with Sophos Central until notified by the admin or VDI platform. This means that the machines will only register when the cloning process is complete or the admin activates the gold image. This avoids any deduplication issues that might occur when using the timeout mode.
If you're using the thin installer and up-to-date versions of the core agents, you need the following versions:
- Thin Installer 1.20.627 or later
- Sophos Core Agent 2024.2.0.527 or later
- Sophos Server Core Agent 2024.2.0.534 or later
After you install and create a gold image using the notification mode, it'll register with Sophos Central and allow communication until restart. When restarted, communication will be disabled until you do one of the following actions:
- Run GoldImageCli.exe activate.
- From the Sophos Endpoint Agent, click About and then click Activate and Update.
For more information on setting up a gold image, see Create gold images and clone new devices.
Gold image nonpersistent
When you install a gold image, you can specify that the clones can be removed after use. To do this, you use the --nonpersistent option:
--goldimage --nonpersistent
Sophos Central can then automatically remove cloned devices that are inactive, if you've selected Permanently remove VDI desktops in the removal settings. See Remove all inactive devices.
Windows examples
Install Sophos Anti-Virus and Intercept X without user interaction:
SophosSetup.exe --products=antivirus,intercept --quiet
Install ZTNA only:
SophosSetup.exe --products=ztna
Install using a proxy:
SophosSetup.exe --proxyaddress=<IP/FQDN>:<port>
Replace <IP/FQDN> with the proxy's IP address or fully qualified domain name (FQDN) and <port> with the proxy's port number.
Install using a message relay:
SophosSetup.exe --messagerelays=192.168.10.100:8190
Install into a subgroup:
SophosSetup.exe --devicegroup="Application Servers\Terminal Servers"
Puts an installed server into the “Terminal Servers” subgroup of the “Application Servers” group. You must use quotes for any groups that have spaces in their names.
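The options above combined into one command line, as an added example that is not Sophos code. It goes beyond the single-option examples by checking message relay and tag formats and applying the quoting rule before the installer is started. New-SophosSetupArguments is a hypothetical helper, and SophosSetup.exe is assumed to be in the current directory.

```powershell
# Added example, not Sophos code. New-SophosSetupArguments is a hypothetical helper.
function New-SophosSetupArguments {
    param(
        [switch]$Quiet,
        [string[]]$Products,
        [string]$DeviceGroup,
        [string[]]$MessageRelays,
        [string[]]$Tags
    )
    $argList = @()
    if ($Quiet)       { $argList += '--quiet' }
    if ($Products)    { $argList += '--products=' + ($Products -join ',') }
    # A trailing backslash would escape the closing quote added below, so trim it.
    if ($DeviceGroup) { $argList += '--devicegroup=' + $DeviceGroup.Trim('\') }
    if ($MessageRelays) {
        $relays = foreach ($relay in $MessageRelays) {
            # Accept host or host:port (IPv6 literals are not handled here).
            if ($relay -notmatch '^(?<h>[A-Za-z0-9.-]+)(:(?<p>\d{1,5}))?$') {
                throw "Message relay '$relay' is not host[:port]"
            }
            # The page gives 8190 as the default message relay port.
            $port = if ($Matches['p']) { [int]$Matches['p'] } else { 8190 }
            if ($port -lt 1 -or $port -gt 65535) { throw "Port out of range in '$relay'" }
            '{0}:{1}' -f $Matches['h'], $port
        }
        $argList += '--messagerelays=' + ($relays -join ',')
    }
    foreach ($tag in $Tags) {
        # A tag is name:value or a name only; the name must not be empty.
        if ($tag -notmatch '^[^:]+(:.+)?$') { throw "Tag '$tag' is not name or name:value" }
        $argList += "--tag=$tag"
    }
    # Quote any whole argument that contains whitespace, the form the page uses
    # for "--tag=City:London"; an embedded quote would break that, so reject it.
    $quoted = foreach ($a in $argList) {
        if ($a.Contains('"')) { throw "Double quote not allowed in '$a'" }
        if ($a -match '\s') { '"{0}"' -f $a } else { $a }
    }
    $quoted -join ' '
}

# Constructed sample values, taken from the examples on this page.
$argLine = New-SophosSetupArguments -Quiet -Products 'xdr' `
    -DeviceGroup 'Application Servers\Terminal Servers' `
    -MessageRelays 'messagerelay.local', '10.55.169.85:8190' -Tags 'Country:UK', 'VIP'
$setup = Start-Process -FilePath '.\SophosSetup.exe' -ArgumentList $argLine -Wait -PassThru
"SophosSetup.exe $argLine exited with code $($setup.ExitCode)"
```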
Bypass ACS system check
Note
The --bypassacscheck command-line option is only applicable to Windows 10 (x86) legacy platforms.
You can bypass the Azure Code Signing (ACS) system check using the --bypassacscheck installer option. Bypassing the ACS system check enables the installation of the software on an endpoint that doesn't have the required patches installed to support ACS.
Bypass Taegis tenant ID check
You can bypass the Taegis tenant ID check using --bypasstaegisidcheck. Bypassing the Taegis tenant ID check allows you to proceed with the endpoint software installation even when the assigned Taegis tenant ID on Sophos Central doesn't match the Taegis tenant ID present on the endpoint.
Language IDs
| Language | ID |
|---|---|
| English | 1033 |
| German | 1031 |
| French | 1036 |
| Japanese | 1041 |
| Italian | 1040 |
| Spanish | 1034 |
| Portuguese (Brazil) | 1046 |
| Portuguese (Portugal) | 2070 |
| Korean | 1042 |
| Chinese (Simplified) | 2052 |
| Chinese (Traditional) | 3076 |
| Polish | 1045 |
| Czech | 1029 |