Installer command-line options for Windows
Note
There is no command-line option for installation from an update cache. The installer automatically assesses connectivity to any update caches set up in the Sophos Central account and installs from them.
For more information on Sophos Central see Frequently Asked Questions (FAQs).
For information on the installers, see the following topics:
- New endpoint installer frequently asked questions
- Installer precheck messages
- An Internet connection could not be established
You can use the following command-line options with the Sophos Central installers for Windows.
Command-line options
Some options may not be available for all customers yet.
Quiet
Runs the installer without displaying the user interface.
--quiet
No proxy detection
Doesn't attempt to perform automatic proxy detection.
--noproxydetection
No competitor removal
Doesn't attempt to automatically remove competitors. (Only on installation of Sophos Anti-Virus.)
--nocompetitorremoval
Language
Allows you to manually set the installer language. By default the installer uses the system language.
--language=<ID>
Trailing argument
Replace <ID> with the language ID. See Language IDs
Group
Specifies the Sophos Central device group to join the device to. You can also use this option to add devices to a subgroup. You must use quotes for any groups that have spaces in their names.
--devicegroup=<group>--devicegroup=<group>\<subgroup>
Trailing argument
Replace <group> and <subgroup> with the name of the Sophos Central group and subgroup to join. If it doesn't exist, it's created.
CRT catalog path
Allows you to specify your own catalog of competitors to remove.
--crtcatalogpath=<path>
Trailing argument
Replace <path> with the full path to the custom catalog file.
Example
--crtcatalogpath=C:\\catalog\\productcatalog.xml
Message relays
Specifies a list of message relays to use.
--messagerelays=<IPs>
Trailing argument
Replace <IPs> with a comma-separated list of message relays. For each message relay, specify the host name or IP address followed by : and port number. By default, the port is 8190.
Example
--messagerelays=IPADDRESS:8190
Registration server
Specifies the MCS server to connect to.
Tip
We recommend you run the installer from a sub-estate to avoid errors during installation.
--epinstallerserver=<URL>
Trailing argument
Replace <URL> with the fully qualified server name provided in the CSV file from Sophos Central Partner.
Proxy address
Specifies a custom proxy to use.
--proxyaddress=<address>
Trailing argument
Replace <address> with the custom proxy address (HTTPS).
Proxy username
If a custom proxy has been specified, set the username with this option.
--proxyusername=<username>
Trailing argument
Replace <username> with the username for the proxy.
Proxy password
If a custom proxy and username have been specified, set the password with this option.
--proxypassword=<password>
Trailing argument
Replace <password> with the password for the proxy.
Computer name override
Overrides the name of the device to be used in Sophos Central.
--computernameoverride=<name>
Trailing argument
Replace <name> with the custom computer name.
Domain name override
Overrides the domain name of the device to be used in Sophos Central.
--domainnameoverride=<domain>
Trailing argument
Replace <domain> with the custom domain name.
Customer token
Specifies the token of the Sophos Central customer to associate the device with.
--customertoken=<UUID>
Trailing argument
Replace <UUID> with the UUID that maps to a customer.
Products to install
Specifies a list of products to install. If you specify a product that you don't have a license for, then it isn't installed.
--products=<products>
Trailing argument
Replace <products> with a comma-separated list of products to install.
Available options are: antivirus, intercept, mdr, xdr, deviceEncryption, ztna, none, or all.
xdr
If you install xdr only we won't install anti-malware protection. You must have third-party protection installed to protect your devices.
Sophos core agents
If you want to install only our core agents for computers or servers use none.
You may want to do this if you want to add protection gradually later to ensure compatibility with third-party applications.
Local install source
Specifies a local install source to use during installation. This allows an installation to occur without having to download the installer files.
--localinstallsource=<path>
Replace <path> with the path to the install source.
It isn't necessary to populate the local install source, but it is necessary to create a SophosLocalInstallSource folder.
If an empty folder is provided it is populated during the first installation.
If you wish to pre-populate the cache you can take a copy of the files from an already installed device. The required files depend on whether you're using SDDS2 or SDDS3 to update.
On a device using SDDS3 updating, you must use the following folders:
%ProgramData%\Sophos\AutoUpdate\data\repo%ProgramData%\Sophos\UpdateCache\www\v3
On a device using SDDS2 updating, you must use the following folders:
%ProgramData%\Sophos\AutoUpdate\data\Warehouse%ProgramData%\Sophos\UpdateCache\www\warehouse
Even if a populated local install source is provided, internet access is still required and some files are downloaded. The amount of data downloaded depends on various factors including, for example:
- Whether the platform of the installation device differs from the files already populated.
- Whether the installer has changes since the local install source was populated.
Example
For the purpose of this example SomeContent represents the files and folders within the repo folder.
- Go to
%ProgramData%\Sophos\AutoUpdate\data\repo\SomeContent. - Using the path above, create
<SharedOrRemovableLocation>\SophosLocalInstallSource\SomeContent. - To install using this local install source run
SophosSetup.exe --localinstallsource="<SharedOrRemovableLocation\>".
Message trail logging
Turns on the logging of message content between the device and Sophos Central during installation.
You must switch this option off after installing, see Enabling a diagnostic message trail of Sophos MCS.
--traillogging
Register only
You use this command to re-register a device that already has Sophos Protection installed on it.
--registeronly
You may want to do this if you're moving regions in Sophos Central. You can use this option if you're moving devices from one account to another. You can also use this option if you're a partner and you have an device that's registered to the wrong customer. Alternatively, you can use it if you're an Enterprise admin and you want to move devices between sub-estates.
To use this command, turn off tamper protection on the device and run the installer from the account you want to move the device to using --registeronly.
Gold image
You can configure devices to use them as a gold image for Virtual Desktop Infrastructure (VDI). When a clone is created from the gold image we register it with Sophos Central Admin.
You can use this option to install and create a gold image on a new device or configure an existing device to use as a gold image.
--goldimage
You can use it in combination with other options. If you install a gold image with both --goldimage and --devicegroup, we register the gold image device and we register the clones in Sophos Central in the designated device group.
For more information on setting up a gold image see Create gold images and clone new devices.
This process is supported on computers and servers, if you're using the thin installer and up-to-date versions of the core agents. You need the following versions:
- Thin Installer 1.14 or later
- Sophos Core Agent 2022.1.0.78 or later
- Sophos Server Core Agent 2022.1.0.78 or later
Gold image timeout
When you start a virtual machine, we use a change to the device name to determine whether you're starting a new clone. If a name change has occurred the existing Sophos configuration is cleaned, and we register a new device in Sophos Central Admin. We treat this clone as a unique device.
If no change to the device name occurs we assume you're starting the gold image device.
We wait two minutes, by default, after you start the gold image device before communication with Sophos Central happens. This avoids creating duplicate devices, if changing the identity of a new clone is taking longer than expected.
If the change of the identity is taking longer than the default two minutes, use this option to change the default.
--goldimagetimeout=<time in seconds>
Trailing argument
Replace <time in seconds> with the number of seconds for the timeout.
Default value is 120. Minimum value is 0. Maximum value is 900.
For more information on setting up a gold image see Create gold images and clone new devices.
Windows examples
Install Sophos Anti-Virus and Intercept X without user interaction:
SophosSetup.exe --products=antivirus,intercept --quiet
Install ZTNA only:
SophosSetup.exe --products=ztna
Install using a proxy:
SophosSetup.exe --proxyaddress=<ProxyIP/FQDN>:<Port>
Replace <ProxyIP/FQDN> with the proxy's IP address or fully qualified domain name (FQDN) and <Port> with the proxy's port number.
Install using a message relay:
SophosSetup.exe --messagerelays=192.168.10.100:8190
Install into a subgroup:
SophosSetup.exe --devicegroup=”Application Servers\Terminal Servers”
Puts an installed server into the “Terminal Servers” subgroup of the “Application Servers” group. You must use quotes for any groups that have spaces in their names.
Language IDs
| Language | ID |
|---|---|
| English | 1033 |
| French | 1036 |
| German | 1031 |
| Japanese | 1041 |
| Spanish | 1034 |
| Italian | 1040 |
| Polish | 1045 |
| Brazilian Portuguese | 1046 |
| Korean | 1042 |
| Chinese Simplified (Mandarin) | 2052 |
| Chinese Traditional (Cantonese) | 3076 |
| Chinese Hong Kong | 3076 |
| Chinese Macau | 3076 |
| Chinese Singapore | 2052 |