{"id":258,"date":"2022-12-23T23:51:33","date_gmt":"2022-12-23T22:51:33","guid":{"rendered":"https:\/\/mortenknudsen.net\/?p=258"},"modified":"2022-12-27T23:00:40","modified_gmt":"2022-12-27T22:00:40","slug":"how-to-remove-a-malfunctioning-mdi-sensor-which-cannot-be-removed-through-add-remove-programs","status":"publish","type":"post","link":"https:\/\/mortenknudsen.net\/?p=258","title":{"rendered":"How to manually remove a malfunctioning MDI sensor, which cannot be removed through add\/remove programs?"},"content":{"rendered":"\n

<\/p>\n\n\n\n

Microsoft Defender for Identity (MDI) has a built-in process that handles continues updates.<\/p>\n\n\n\n

I had a situation, where this process halted unexpectable on some domain controllers – caused by a cluster issue inside Microsoft MDI infrastructure.<\/p>\n\n\n\n

A quick resolution is to remove the MDI application on the server, but in case this cannot be done through the add\/remove programs, you can manually clean-up the application using the below method. <\/p>\n\n\n\n

Thank you to Martin Schwartzman, Microsoft for providing the insight.<\/p>\n\n\n\n

Uninstall<\/strong><\/strong><\/p>\n\n\n\n

Try running command line setup uninstall from ProgramData\\PackageCache folder<\/p>\n\n\n\n

Ex. C:\\ProgramData\\Package Cache\\ {########-####-####-####-############} [The GUID will be different for each machine\/install.]<\/p>\n\n\n\n

“Azure ATP Sensor Setup.exe” \/uninstall<\/p>\n\n\n\n

<\/p>\n\n\n\n

Services<\/strong><\/p>\n\n\n\n

To remove Services leftover from a previous install, run from an elevated prompt:<\/p>\n\n\n\n

sc.exe delete aatpsensor<\/p>\n\n\n\n

sc.exe delete aatpsensorupdater<\/p>\n\n\n\n

<\/p>\n\n\n\n

Manual removal<\/strong><\/p>\n\n\n\n

Verify Sensor & Sensor.Updater services no longer exist<\/p>\n\n\n\n

Verify Program Folder no longer exists : C:\\Program Files\\Azure Advanced Threat Protection Sensor<\/p>\n\n\n\n

Rename ProgramData\\PackageCache{GUID} folder for the sensor cache<\/p>\n\n\n\n

Check Install registry keys [GUID will need to be found\/recorded while investigating the machine]<\/p>\n\n\n\n

HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Products\\ {GUID} : Azure Advanced Threat Protection Sensor<\/p>\n\n\n\n

HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Features\\ {GUID}<\/p>\n\n\n\n

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ {GUID}<\/p>\n\n\n\n

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products<\/p>\n\n\n\n

HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ {GUID}<\/p>\n\n\n\n

Latest:<\/p>\n\n\n\n

HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Dependencies<\/p>\n\n\n\n

DisplayName : Azure Advanced Threat Protection Sensor<\/p>\n","protected":false},"excerpt":{"rendered":"

Microsoft Defender for Identity (MDI) has a built-in process that handles continues updates. I had a situation, where this process … <\/p>\n

Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"ngg_post_thumbnail":0,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[38,56],"tags":[39,35,95,36,37],"class_list":["post-258","post","type-post","status-publish","format-standard","hentry","category-defender-for-identity","category-m365-security","tag-cleanup","tag-defender-for-identity","tag-defenderforidentity","tag-mdi","tag-remove-agent","infinite-scroll-item"],"featured_image_src":null,"author_info":{"display_name":"Morten Knudsen","author_link":"https:\/\/mortenknudsen.net\/?author=1"},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/posts\/258","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=258"}],"version-history":[{"count":4,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/posts\/258\/revisions"}],"predecessor-version":[{"id":318,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/posts\/258\/revisions\/318"}],"wp:attachment":[{"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=258"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}