Skip to content

Installer command-line options for Windows

Note

There is no command-line option for installation from an update cache. The installer automatically assesses connectivity to any update caches set up in the Sophos Central account and installs from them.

For more information on Sophos Central see Frequently Asked Questions (FAQs).

For information on the installers see the following:

You can use the following command-line options with the Sophos Central installers for Windows.

Command-line options

Some options may not be available for all customers yet.

Quiet

Runs the installer without displaying the user interface.

--quiet

No proxy detection

Doesn't attempt to perform automatic proxy detection.

--noproxydetection

No competitor removal

Doesn't attempt to automatically remove competitors. (Only on installation of Sophos Anti-Virus.)

--nocompetitorremoval

Language

Allows you to manually set the installer language. By default the installer uses the system language.

--language=<language ID\>

Trailing argument

Language ID.

Group

Specifies the Sophos Central device group to join the device to. You can also use this option to add devices to a subgroup. You must use quotes for any groups that have spaces in their names.

  • --devicegroup=<Central group\>
  • --devicegroup=<Central group\>\\<Central subgroup\>

Trailing argument

Group or subgroup to join. If it doesn't exist, it is created.

CRT catalog path

Allows you to specify your own catalog of competitors to remove.

--crtcatalogpath=<path to CRT catalog\>

Trailing argument

Full path and filename to catalog folder.

Example

--crtcatalogpath=C:\\catalog\\productcatalog.xml

Message relays

Specifies a list of message relays to use.

--messagerelays=<comma-separated message relay list of IPs including the port\>

Trailing argument

IP address of the message relay must be specified along with port 8190.

Example

--messagerelays=IPADDRESS:8190

Registration server

Specifies the MCS server to connect to.

--epinstallerserver=<registration server URL\>

Trailing argument

MCS server URL.

Proxy address

Specifies a custom proxy to use.

--proxyaddress=<custom proxy address\>

Trailing argument

URL without protocol (will use HTTPS)

Proxy username

If a custom proxy has been specified, set the username with this option.

--proxyusername=<custom proxy user name\>

Trailing argument

The username of the proxy.

Proxy password

If a custom proxy and username have been specified, set the password with this option.

--proxypassword=<custom proxy password\>

Trailing argument

Password for the proxy.

Computer name override

Overrides the name of the device to be used in Sophos Central.

--computernameoverride=<override for computer name\>

Trailing argument

Custom computer name.

Domain name override

Overrides the domain name of the device to be used in Sophos Central.

--domainnameoverride=<override for domain\>

Trailing argument

Custom domain name.

Customer token

Specifies the token of the Sophos Central customer to associate the device with.

--customertoken=<the customer token\>

Trailing argument

UUID which maps to a customer.

Products to install

Specifies a list of products to install. If you specify a product that you don't have a license for, then it isn't installed.

--products=<comma-separated list of products\>

Trailing argument

List of products to install, comma-separated.

Available options are: antivirus, intercept, mdr, xdr, deviceEncryption, ztna, none, or all.

xdr

If you install xdr only we won't install anti-malware protection. You must have third-party protection installed to protect your devices.

Sophos core agents

If you want to install only our core agents for computers or servers use none.

You may want to do this if you want to add protection gradually later to ensure compatibility with third-party applications.

Local install source

Specifies a local install source to use during installation. This allows an installation to occur without having to download the installer files.

--localinstallsource=<path-to-install-source\>

It isn't necessary to populate the local install source, but it is necessary to create a SophosLocalInstallSource folder.

If an empty folder is provided it is populated during the first installation.

If you wish to pre-populate the cache you can take a copy of the files from an already installed device. The required files depend on whether you're using SDDS2 or SDDS3 to update.

On a device using SDDS3 updating, you must use the following folders:

  • %ProgramData%\Sophos\AutoUpdate\data\repo
  • %ProgramData%\Sophos\UpdateCache\www\v3

On a device using SDDS2 updating, you must use the following folders:

  • %ProgramData%\Sophos\AutoUpdate\data\Warehouse
  • %ProgramData%\Sophos\UpdateCache\www\warehouse

Even if a populated local install source is provided, internet access is still required and some files are downloaded. The amount of data downloaded depends on various factors including, for example:

  • Whether the platform of the installation device differs from the files already populated.
  • Whether the installer has changes since the local install source was populated.
Example

For the purpose of this example SomeContent represents the files and folders within the repo folder.

  1. Go to %ProgramData%\Sophos\AutoUpdate\data\repo\SomeContent.
  2. Using the path above, create <SharedOrRemovableLocation>\SophosLocalInstallSource\SomeContent.
  3. To install using this local install source run SophosSetup.exe --localinstallsource="<SharedOrRemovableLocation\>".

Message trail logging

Turns on the logging of message content between the device and Sophos Central during installation.

You must switch this option off after installing, see Enabling a diagnostic message trail of Sophos MCS.

--traillogging

Register only

You use this command to re-register a device that already has Sophos Protection installed on it.

--registeronly

You may want to do this if you're moving regions in Sophos Central. You can use this option if you're moving devices from one account to another. You can also use this option if you're a partner and you have a device that's registered to the wrong customer. Alternatively, you can use it if you're an Enterprise admin and you want to move devices between sub-estates.

To use this command, turn off tamper protection on the device and run the installer from the account you want to move the device to using --registeronly.

Gold image

You can configure devices to use them as a gold image for Virtual Desktop Infrastructure (VDI). When a clone is created from the gold image we register it with Sophos Central Admin.

You can use this option to install and create a gold image on a new device or configure an existing device to use as a gold image.

--goldimage

You can use it in combination with other options. If you install a gold image with both --goldimage and --devicegroup, we register the gold image device and we register the clones in Sophos Central in the designated device group.

For more information on setting up a gold image see Create gold images and clone new devices.

This process is supported on computers and servers, if you're using the thin installer and up-to-date versions of the core agents. You need the following versions:

  • Thin Installer 1.14 or later
  • Sophos Core Agent 2022.1.0.78 or later
  • Sophos Server Core Agent 2022.1.0.78 or later

Gold image timeout

When you start a virtual machine, we use a change to the device name to determine whether you're starting a new clone. If a name change has occurred the existing Sophos configuration is cleaned, and we register a new device in Sophos Central. We treat this clone as a unique device.

If no change to the device name occurs we assume you're starting the gold image device.

We wait two minutes, by default, after you start the gold image device before communication with Sophos Central happens. This avoids creating duplicate devices, if changing the identity of a new clone is taking longer than expected.

If the change of the identity is taking longer than the default two minutes, use this option to change the default.

--goldimagetimeout=<time in seconds>

Default value is 120. Minimum value is 0. Maximum value is 900.

For more information on setting up a gold image see Create gold images and clone new devices.

Trailing argument

The number of seconds for the timeout.

Windows examples

Install Sophos Anti-Virus and Intercept X without user interaction:

SophosSetup.exe --products=antivirus,intercept --quiet

Install ZTNA only:

SophosSetup.exe --products=ztna

Install using a proxy:

SophosSetup.exe --proxyaddress=<ProxyIP/FQDN>:<Port>

Install using a message relay:

SophosSetup.exe --messagerelays=192.168.10.100:8190

Install into a subgroup:

SophosSetup.exe --devicegroup=”Application Servers\Terminal Servers”

Puts an installed server into the “Terminal Servers” subgroup of the “Application Servers” group. You must use quotes for any groups that have spaces in their names.

Bypass ACS system check

You can bypass the Azure Code Signing (ACS) system check using the --bypassacscheck installer. Bypassing the ACS system check enables the installation of the software on an endpoint that doesn't have the required patches installed to support ACS.

This is only used when installing endpoint software from a fixed or long-term support warehouse containing old versions of Sophos Endpoint Defense (SED) and AMSI that don't require the ACS patches.

Language IDs

Language ID
English 1033
French 1036
German 1031
Japanese 1041
Spanish 1034
Italian 1040
Polish 1045
Brazilian Portuguese 1046
Korean 1042
Chinese Simplified (Mandarin) 2052
Chinese Traditional (Cantonese) 3076
Chinese Hong Kong 3076
Chinese Macau 3076
Chinese Singapore 2052