After re-protecting clients, the hour glass remains on the clients.
Sophos product and version
Sophos Anti-Virus for Windows
c:\program files\sophos\remote management system\mrinit.conf.orig retains the old certificates.
This occurs if the client is installed when there is a mrinit.conf file in the RMS folder of the CID (Central installation Directory), e.g. ESXP\RMS\mrinit.conf. The client uses the .orig file instead of any new files from the CID location ESXP\mrinit.
What to do
Delete the .orig file and re-protect the client. This should allow the new mrinit.conf file from the CID to be used.