SOLVED

Removing McAfee live safe via intune

Steel Contributor

Hi all, 

 

Was wondering if someone can help! I have enrolled devices and all have mcafee live safe trial on which  I need to remove, as I have given these devices back to users, fresh start isnt possible. I have found this: https://christianlehrer.com/?p=359 if I run the command ".\Mccleanup.exe -p StopServices,MFSY,PEF,MXD,CSP,Sustainability,MOCP,MFP,APPSTATS,Auth,EMproxy,FWdiver,HW,MAS,MAT,MBK,MCPR,McProxy,McSvcHost,VUL,MHN,MNA,MOBK,MPFP,MPFPCU,MPS,SHRED,MPSCU,MQC,MQCCU,MSAD,MSHR,MSK,MSKCU,MWL,NMC,RedirSvc,VS,REMEDIATION,MSC,YAP,TRUEKEY,LAM,PCB,Symlink,SafeConnect,MGS,WMIRemover,RESIDUE -v -s" locally it works but once i follow the intune way of doing it I cant get it to work! 

 

Does anyone know how I can wrap the uninstall exe and a powershell script correctly to remove mcafee live safe or another way I can do this but has to be remote via intune.

 

Thanks in advance!

9 Replies
HI,

You will need to create a win32 app. You can do this by using the intunewinapputil tool

https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-prepare

1.Create a folder and copy the mccleanup.exe to that folder.
2.Create a powershell script with the command in it you mentioned.
3.Make sure you get your install command and file requirement right in intune.
Hi,

in the link i shared the person uses "%~dp0Mccleanup.exe -p StopServices,MFSY,PEF,MXD,CSP,Sustainability,MOCP,MFP,APPSTATS,Auth,EMproxy,FWdiver,HW,MAS,MAT,MBK,MCPR,McProxy,McSvcHost,VUL,MHN,MNA,MOBK,MPFP,MPFPCU,MPS,SHRED,MPSCU,MQC,MQCCU,MSAD,MSHR,MSK,MSKCU,MWL,NMC,RedirSvc,VS,REMEDIATION,MSC,YAP,TRUEKEY,LAM,PCB,Symlink,SafeConnect,MGS,WMIRemover,RESIDUE -v -s" for the .bat why would %~dp0 be needed? I try running this on the device which has mcafee live safe on and this doesnt work so I would assume this wouldnt work once put in intune?

Would the install/uninstall command be the name of the .bat too? for instance Slient_uninstall.bat

If the .exe is inside that folder you could create a simple powershell script with these contents in it:
.\Mccleanup.exe -p and the other stuff :)

Create a win32app and select the instalscript as setup

Your install command in intune would be powershell.exe -executionpolicy bypass -command ".\installscripts.ps1"

Maybe before you create the intunewin file, test it out on a device before you upload it
I will test the locally first before upload! thank you. If this does work locally for upload for intune what would the uninstall command be? and the detection rule? Any ideas?
best response confirmed by AB21805 (Steel Contributor)
Solution
You could "fake" the uninstall command as it is not required, just enter uninstall.cmd

As detection rule you could add an extra command to the install script to create an additional file something like this:

New-Item -Path "c:\" -Name "temp" -ItemType "directory" -force
$path = "c:\temp"
New-Item -path $path -name "removeav.txt" -ItemType file -force
So the detection rule would be c:\temp (if I used temp as the folder like in your example? )
Hi AB21805. did you get it to work? Check the blog again..it has an update ;)

Here's what I did:

step 1: IntuneWinAppUtil.exe -c C:\temp\RemoveMcAfee\MCPR -s mccleanup.exe -o C:\temp\RemoveMcAfee\McAfeeSilentUninstall

I'm wrapping the complete MCPR folder which also includes Silent_uninstall.bat as documented in the blog above.

STEP 2: Upload mccleanup.intunewin to Intune
install and uninstall command are Silent_uninstall.bat
You need to add an extra requirement rule for installation: I added the reg key as documented
I also added the custom detection rule. Also a reg key
Wait for it to install and remove McAfee. This can take a while. For me when testing it uninstalled McAfee completely after about an hour.
Reboot and Windows Defender takes over again.

Hope this helps..

@Oktay SariDuda las reglas de requerimiento y reglas de deteccion siguen siendo  HKEY_LOCAL_MACHINE \SOFTWARE\McAfee ? Y cual es la clave de registro que mencionas? Gracias.

found this script for removal of Winrar and wondered if it could be adapted to discovery/remediation script for McAfee will look into it as must admit not some Powershell wiz so hopefully let you all know soon enough.

 

#region Functions
Function Get-InstalledApp($Target) {
$Apps = @()
 
$Apps += Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall  |
   Get-ItemProperty | Where-Object {$_.DisplayName -like "*$Target*" } | Select-Object -Property DisplayName, UninstallString
   
#If 64-bit OS, then search Wow6432Node Uninstall as well
If ($(Get-WmiObject Win32_OperatingSystem).OSArchitecture -eq "64-bit") {
$Apps += Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallUninstall  |
   Get-ItemProperty | Where-Object {$_.DisplayName -like "*$Target*" } | Select-Object -Property DisplayName, UninstallString
}
 
$Apps
}
#endregion Functions
 
#region Main
 
Write-Output "Getting uninstall string for 'WinRAR'"
$WinRAR = Get-InstalledApp("WinRAR")
 
if ($WinRAR -ne $null) {
Write-Output "WinRAR Found.  Uninstalling"
 
ForEach ($item in $WinRAR) {
 
Write-Output "Removing $($item.DisplayName) via $($item.UninstallString)"
 
If ($item.UninstallString) {
 
$uninst = $item.UninstallString
 
Write-Output "Running $uninst"
Start-Process $uninst -ArgumentList "/S" -NoNewWindow
 
$Timeout = 0
$MaxWait = 10 # Wait up to 5 minutes for the application to uninstall
 
While (($ChkWinRAR -ne $null) -and ($Timeout -lt $MaxWait)) { 
Start-Sleep -Seconds 30
$Timeout++
 
$ChkWinRAR = Get-InstalledApp("WinRAR")
}
 
If ($ChkWinRAR -eq $null) {
Write-Output "WinRAR removed"
} else {
Write-Output "ERROR: WinRAR not successfully removed."
}
}
}
} else {
Write-Output "WinRAR not present.  Nothing to do."
}
#endregion Main
1 best response

Accepted Solutions
best response confirmed by AB21805 (Steel Contributor)
Solution
You could "fake" the uninstall command as it is not required, just enter uninstall.cmd

As detection rule you could add an extra command to the install script to create an additional file something like this:

New-Item -Path "c:\" -Name "temp" -ItemType "directory" -force
$path = "c:\temp"
New-Item -path $path -name "removeav.txt" -ItemType file -force

View solution in original post