Forum Discussion

Noel Fairclough's avatar
Noel Fairclough
Brass Contributor
Aug 28, 2018

Manually uninstall the Azure ATP sensor

Hi all, Just looking for a bit of guidance on the following.   Deploying the Azure ATP sensor to all our domain controllers, we've had one installation fail.  Looking in Programs and Features it i...
Noel Fairclough's avatar
Noel Fairclough
Brass Contributor
Aug 29, 2018

Thanks Eli!

Your suggestion did help and it got me going in the right path.

 

This ended up being relatively straight forward so here are the steps I took if anybody has this in the future.

 

1. On the domain controller where the ATP Sensor had failed, I searched the registry for "Azure Advanced" (without the quotes), and deleted all keys and subkeys where this was found.   I just made sure it was referencing the sensor.  There were several keys that needed to be deleted from HKCR and HKLM.   Just to be sure to be sure....make a backup of the registry before you delete the keys.

 

2. I deleted the folder C:\Program Files\Azure Advanced Threat Protection Sensor

 

3. Manually re-installing the sensor worked and it is reporting as expected in the portal.   

 

Note: I had to manually delete the old (failed) sensor entry from the portal.

 

Hopefully this will help someone else out.

csmmajors's avatar
csmmajors
Copper Contributor
Jun 06, 2024

I was able to complete the uninstall doing this as well, but first I had to navigate to C:\Program Files\Azure Advanced Threat Protection Sensor\2.235.17900.47908 - and go back to the add and remove programs and uninstall, this was done after a reboot and restoring the Azure Advanced Threat protection folder from Recycle Bin.

 

One other thing I found out from from Eli's eariler post is you can find your version of the Tri Sensor in the logs located: C:\Users\*username*\AppData\Local\Temp under the Microsoft.Tri.Sensor. Log

Resources