Noel Fairclough
Brass Contributor
Aug 28, 2018

Manually uninstall the Azure ATP sensor

Hi all,

Just looking for a bit of guidance on the following.

Deploying the Azure ATP sensor to all our domain controllers, we've had one installation fail. Looking in Programs and Features it is listed as being installed, however there is no Azure ATP sensor service on the domain controller. Azure ATP is reporting the sensor stopped communicating.

When trying to uninstall the Azure ATP sensor from Programs and Features, the uninstallation doesn't even start and the error is "Object reference not set to an instance of an object".

When trying to uninstall via command line "Azure ATP Sensor Setup.exe /uninstall" the error is "Product is not installed".

The program is registered in the Uninstall registry, so when trying to uninstall via "msiexec /x {guid}" - it says to verify the package exists.

Trying to reinstall the Azure ATP Sensor says "Azure Advanced Threat Protection Sensor 2.0.0.0 is already installed."

I believe if I can manually uninstall it (delete files and associated registry entries) and try to reinstall it again it should be fine. The original installation was pushed out via SCCM, so I'm not sure what happened during the install (if the server rebooted in the middle or what).

Can someone shed some light on the reg settings etc I need to delete? Or if there is a way I can "force" a reinstall?

Thanks,

Noel.

16 Replies

  • MrLasVegas199x
    Copper Contributor

    Noel Fairclough 

    If anyone gets this half installed and cannot continue the install or uninstall, there is a reg entry you can change to recover with. It will no longer think it's installed.

    The ending package ID in your case is probably different fyi.

    Change the installed entry from 1 to 0

    End the running task ATP Identity sensor in task manager and try the installer again.


    Hope this helps 🙂

  • Can you grab the deployment logs before you close the error window?

    https://docs.microsoft.com/en-us/azure-advanced-threat-protection/troubleshooting-atp-using-logs#azure-atp-deployment-logs

    Also, you might be able to clean things up with this tool:

    https://support.microsoft.com/en-us/help/17588/windows-fix-problems-that-block-programs-being-installed-or-removed

    It has been known to sometimes help before in similar situations.

    What exact version of AATP sensor is it?

    • Noel Fairclough
      Brass Contributor

      Thanks Eli!

      Your suggestion did help and it got me going in the right path.

      This ended up being relatively straightforward so here are the steps I took if anybody has this in the future.

      1. On the domain controller where the ATP Sensor had failed, I searched the registry for "Azure Advanced" (without the quotes), and deleted all keys and subkeys where this was found. I just made sure it was referencing the sensor. There were several keys that needed to be deleted from HKCR and HKLM. Just to be sure to be sure... make a backup of the registry before you delete the keys.

      2. I deleted the folder C:\Program Files\Azure Advanced Threat Protection Sensor

      3. Manually re-installing the sensor worked and it is reporting as expected in the portal.

      Note: I had to manually delete the old (failed) sensor entry from the portal.

      Hopefully this will help someone else out.

      • csmmajors
        Copper Contributor

        I was able to complete the uninstall doing this as well, but first I had to navigate to C:\Program Files\Azure Advanced Threat Protection Sensor\2.235.17900.47908 - and go back to the add and remove programs and uninstall, this was done after a reboot and restoring the Azure Advanced Threat protection folder from Recycle Bin.

        One other thing I found out from Eli's earlier post is you can find your version of the Tri Sensor in the logs located: C:\Users\*username*\AppData\Local\Temp under the Microsoft.Tri.Sensor. Log
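
An added example, not part of any reply in this thread and not Microsoft's tooling: a PowerShell script for the registry step described above that lists the installer registration keys whose product name contains "Azure Advanced" and exports each one to a .reg file, so a backup exists before anything is deleted. It removes nothing itself. The three registry roots searched, the backup directory `C:\Temp\AatpRegBackup` and the file naming are assumptions; a full-registry search like the one described in the thread may find keys outside these roots.

```powershell
# Added example: read-only inventory plus backup; it deletes nothing.
# Assumption: run from an elevated prompt on the affected domain controller.
$Pattern   = 'Azure Advanced'          # search string quoted in the thread
$BackupDir = 'C:\Temp\AatpRegBackup'   # hypothetical backup location

# Standard Programs and Features / Windows Installer registration roots (assumed scope).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Classes\Installer\Products'   # surfaces under HKCR as well
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$found = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Uninstall entries carry DisplayName; Installer\Products entries carry ProductName.
        $name = @($props.DisplayName, $props.ProductName) |
            Where-Object { $_ } | Select-Object -First 1
        if ($name -like "*$Pattern*") {
            [pscustomobject]@{
                Name    = $name
                Version = $props.DisplayVersion
                Key     = $_.Name   # full path, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...
            }
        }
    }
}

# Export every match to its own .reg file so it can be re-imported if needed.
$i = 0
foreach ($entry in $found) {
    $i++
    $file = Join-Path $BackupDir ('aatp-key-{0}.reg' -f $i)
    & reg.exe export $entry.Key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Export failed for $($entry.Key)" }
}

# Review this list and confirm each key refers to the sensor before removing anything.
$found | Format-List
```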
