How to manually remove a malfunctioning MDI sensor, which cannot be removed through add/remove programs?

Microsoft Defender for Identity (MDI) has a built-in process that handles continuous updates.

I had a situation where this process halted unexpectedly on some domain controllers – caused by a cluster issue inside the Microsoft MDI infrastructure.

A quick resolution is to remove the MDI application from the server. If this cannot be done through Add/Remove Programs, you can manually clean up the application using the method below.

Thank you to Martin Schwartzman, Microsoft, for providing the insight.

Uninstall

Try running the setup's command-line uninstall from the ProgramData\Package Cache folder

Ex. C:\ProgramData\Package Cache\{########-####-####-####-############} [The GUID will be different for each machine/install.]

"Azure ATP Sensor Setup.exe" /uninstall

Services

To remove services left over from a previous install, run the following from an elevated prompt:

sc.exe delete aatpsensor

sc.exe delete aatpsensorupdater

Manual removal

Verify that the Sensor & Sensor.Updater services no longer exist

Verify that the program folder no longer exists: C:\Program Files\Azure Advanced Threat Protection Sensor

Rename the ProgramData\Package Cache\{GUID} folder for the sensor cache

Check Install registry keys [GUID will need to be found/recorded while investigating the machine]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\{GUID} : Azure Advanced Threat Protection Sensor

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\{GUID}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}

Latest:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies

DisplayName : Azure Advanced Threat Protection Sensor
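
The checks above can be collected into one read-only PowerShell pass, run from an elevated prompt, that lists what is still present and the GUID-named folders and keys to record. This is an added example, not part of the original post or of Microsoft's tooling; matching registry keys on a DisplayName or ProductName value and the helper name Add-Finding are assumptions of the example.

```powershell
# Added example: read-only inventory of MDI sensor leftovers. Nothing is deleted or renamed.
$name     = 'Azure Advanced Threat Protection Sensor'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Type, $Location) {   # hypothetical helper for this example
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location })
}

# Services that "sc.exe delete" should have removed
foreach ($svc in 'aatpsensor', 'aatpsensorupdater') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { Add-Finding 'Service' $svc }
}

# Program folder
$programDir = Join-Path $env:ProgramFiles $name
if (Test-Path -LiteralPath $programDir) { Add-Finding 'Folder' $programDir }

# Package Cache folders that still hold the sensor setup executable
$cache = Join-Path $env:ProgramData 'Package Cache'
Get-ChildItem -LiteralPath $cache -Directory -ErrorAction SilentlyContinue |
    Where-Object { Test-Path -LiteralPath (Join-Path $_.FullName 'Azure ATP Sensor Setup.exe') } |
    ForEach-Object { Add-Finding 'PackageCache' $_.FullName }

# Registry locations from the list above; a key matches when its DisplayName
# or ProductName value equals the sensor name (assumption of this example).
$featuresRoot = 'HKLM:\SOFTWARE\Classes\Installer\Features'
$roots = @(
    'HKLM:\SOFTWARE\Classes\Installer\Products',
    'HKLM:\SOFTWARE\Classes\Installer\Dependencies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $labels = $_.GetValue('DisplayName'), $_.GetValue('ProductName')
        if ($labels -contains $name) {
            Add-Finding 'Registry' $_.Name
            # The Features key carries no name; it shares its subkey name with the Products key
            $features = Join-Path $featuresRoot $_.PSChildName
            if ($root -like '*Classes\Installer\Products' -and (Test-Path -LiteralPath $features)) {
                Add-Finding 'Registry' $features
            }
        }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No MDI sensor leftovers found.' }
```

Run it before the cleanup to record the GUIDs, and again afterwards to confirm nothing is left.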

9 thoughts on “How to manually remove a malfunctioning MDI sensor, which cannot be removed through add/remove programs?”

  1. This helped me out as well, on an old Server 2016 VM. Thanks for listing all the regedits.
