Forum Discussion
Manually uninstall the Azure ATP sensor
MicrosoftCan you grab the deployment logs before you close the error window?
Also, you might be able to clean things up with this tool:
It is known to sometimes help before for similar situations.
What exact version of AATP sensor is it?
Thanks Eli!
Your suggestion did help and it got me going in the right path.
This ended up being relatively straight forward so here are the steps I took if anybody has this in the future.
1. On the domain controller where the ATP Sensor had failed, I searched the registry for "Azure Advanced" (without the quotes), and deleted all keys and subkeys where this was found. I just made sure it was referencing the sensor. There were several keys that needed to be deleted from HKCR and HKLM. Just to be sure to be sure....make a backup of the registry before you delete the keys.
2. I deleted the folder C:\Program Files\Azure Advanced Threat Protection Sensor
3. Manually re-installing the sensor worked and it is reporting as expected in the portal.
Note: I had to manually delete the old (failed) sensor entry from the portal.
Hopefully this will help someone else out.
I was able to complete the uninstall doing this as well, but first I had to navigate to C:\Program Files\Azure Advanced Threat Protection Sensor\2.235.17900.47908 - and go back to the add and remove programs and uninstall, this was done after a reboot and restoring the Azure Advanced Threat protection folder from Recycle Bin.
One other thing I found out from from Eli's eariler post is you can find your version of the Tri Sensor in the logs located: C:\Users\*username*\AppData\Local\Temp under the Microsoft.Tri.Sensor. Log
- This was very helpful thank you.
