Microsoft Defender for Identity (MDI) has a built-in process that handles continuous updates.
I had a situation where this process halted unexpectedly on some domain controllers – caused by a cluster issue inside Microsoft MDI infrastructure.
A quick resolution is to remove the MDI application from the server. If this cannot be done through Add/Remove Programs, you can manually clean up the application using the method below.
Thank you to Martin Schwartzman, Microsoft for providing the insight.
Uninstall
Try running the setup's command-line uninstall from the ProgramData\Package Cache folder
Ex. C:\ProgramData\Package Cache\{########-####-####-####-############} [The GUID will be different for each machine/install.]
"Azure ATP Sensor Setup.exe" /uninstall
Services
To remove services left over from a previous install, run from an elevated prompt:
sc.exe delete aatpsensor
sc.exe delete aatpsensorupdater
Manual removal
Verify Sensor & Sensor.Updater services no longer exist
Verify Program Folder no longer exists: C:\Program Files\Azure Advanced Threat Protection Sensor
Rename the C:\ProgramData\Package Cache\{GUID} folder for the sensor cache
Check Install registry keys [GUID will need to be found/recorded while investigating the machine]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\{GUID} : Azure Advanced Threat Protection Sensor
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\{GUID}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}
Latest:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies
DisplayName : Azure Advanced Threat Protection Sensor
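The checks listed above can be run as one read-only audit before and after the cleanup. The script below is an added example, not part of the original post and not a Microsoft tool; it deletes nothing and only reports what it finds. It assumes the product name is stored in a DisplayName or ProductName value (and, under UserData, in an InstallProperties subkey); the Installer\Features key carries no name, so look it up with the key name reported for Installer\Products.

```powershell
# Added example: read-only audit for MDI sensor leftovers. Run from an elevated prompt.
$productName = 'Azure Advanced Threat Protection Sensor'
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Type, $Location) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location })
}

# Services named on this page
foreach ($svc in 'aatpsensor', 'aatpsensorupdater') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { Add-Finding 'Service' $svc }
}

# Program folder
$programFolder = 'C:\Program Files\Azure Advanced Threat Protection Sensor'
if (Test-Path -LiteralPath $programFolder) { Add-Finding 'Folder' $programFolder }

# Package Cache folder(s) that still hold the sensor setup executable
Get-ChildItem -LiteralPath 'C:\ProgramData\Package Cache' -Recurse -File `
    -Filter 'Azure ATP Sensor Setup.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'PackageCache' $_.DirectoryName }

# Registry parents from this page; subkeys are matched on the product name
$parents = @(
    'HKLM:\SOFTWARE\Classes\Installer\Products',
    'HKLM:\SOFTWARE\Classes\Installer\Dependencies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($parent in $parents) {
    foreach ($key in Get-ChildItem -LiteralPath $parent -ErrorAction SilentlyContinue) {
        # Assumption: the name sits on the key itself or in its InstallProperties subkey
        foreach ($path in $key.PSPath, (Join-Path $key.PSPath 'InstallProperties')) {
            $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
            if ($props.DisplayName -eq $productName -or $props.ProductName -eq $productName) {
                Add-Finding 'Registry' $key.Name
                break
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No MDI sensor leftovers found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Save the output from the first run: the registry key names it reports are the GUIDs the steps above ask you to record.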
Thanks! It worked!!
So glad it worked for you 👏
This helped me out as well, on an old Server 2016 VM. Thanks for listing all the regedits.
Great to hear, Jonas 🙂
Life saver
Works like a charm! Thanks, just what I needed.
Do I need to delete all the registry entries mentioned above?
Yes, you need to delete the registry entries; it is working perfectly.
Fully agree!