Differs from policy - Sophos AutoUpdate policy

  • Article ID: 113068
  • Rating:
  • 1 customers rated this article 3.0 out of 6
  • Updated: 21 Jul 2014


One or more clients report their status to the Sophos Enterprise Console as "differs from policy", under the "Updating Details" tab | "Updating policy" column.

First seen in

Enterprise Console


There are a variety of reasons for this. To locate the cause work through the What To Do section below in order.

What To Do

Confirm the client has recently reported to the console

Initially it is important to confirm the client has sent a message to the Sophos management server recently.  If the client has not reported to the console recently then the warning message may not be accurate.

  1. Right-click the computer in the console.
  2. Select "View Computer Details".
  3. In the computer details windows locate the line "Last message received from computer".
  4. If the client is switched on and connected to the network ensure the date and time is within the last 30 minutes.  If the date and/ or time is outside of this period you should look to troubleshoot why the client is not reporting to the console.

Force the client to comply

If the server has received a recent message from the client then you attempt to force a comply to the client.  This will undo any local changes an administrator may have made to the client's configuration.

  1. Ensure that the client(s) are shown as connected in the console.   To do this: From the "View:" drop down box select "Connected computers".
  2. Right-click the client and select "Comply with" | "Group Updating Policy".

Warning: Forcing a comply for disconnected clients will generate message build-up in the management server's envelopes folder as these messages cannot be sent to offline clients.

Check the updating policy does not contain white space characters

 There is a known issue whereby introducing an extra space (white character) into the username field of the updating policy can cause the policy to differ.

  1. Open the updating policy associated with the group of computers that are reporting as differing.
  2. On the "Primary Server" tab re-enter the account used for updating in the "Username" field and ensure there are no white spaces at the beginning or end of the string.
  3. Repeat step two for the "Secondary Server" tab.
  4. Click OK to save the policy change.
  5. Force a comply - see section above.

Reboot the client

Occasionally the client may have trouble complying the current configuration until it has been rebooted.  If you have not already done so, reboot a client and wait for the client to report (see Confirm the client has recently reported to the console above).

Check the distribution point for a custom configuration file

  1. Browse to the 'SAU' sub-folder in the distribution point the client is currently updating from (i.e. \\servername\SophosUpdate\Sxxx\SAVSCFXP\sau\).
  2. Check if there is a 'sauconf.xml' file present.  If the file is present, and the custom configuration it contains is no longer required, you should delete this file and use ConfigCID.exe to update the share.  For more information on using the ConfigCID.exe tool see: Enterprise Console: using ConfigCID.exe to implement XML configuration file changes

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent