Microsoft Defender for Identity – How to manually remove a malfunctioning sensor that can’t be installed, uninstalled or removed

Last Updated on September 28, 2024 by Michael Morten Sonne

Introduction

Microsoft Defender for Identity (MDI) is designed to keep itself updated continuously, ensuring that the latest security features and fixes are always in place. This is nice in many cases, but only until it stops working 😉

In the ever-evolving landscape of cybersecurity, maintaining a clean and efficient environment is crucial. One of the tools that many organizations rely on is Microsoft Defender for Identity (MDI), which helps detect and investigate advanced threats, compromised identities, and malicious insider actions. However, there are times when you need to uninstall and clean up the MDI sensor installation, whether for troubleshooting, reinstallation, or migration purposes. This is where the script comes into play.

However, in rare cases this automated update process can run into unexpected issues. I recently faced such a situation where the update process abruptly stopped on domain controllers in my lab as part of a private preview (NDA stuff, can't tell anything!)

My good friend and fellow Microsoft MVP Morten Knudsen has a blog post about this topic too: How to manually remove a malfunctioning MDI sensor, which cannot be removed through add/remove programs? – Blog by Morten Knudsen about Microsoft Security, Azure, M365 & Automation – however, this method was not effective in the newest versions, so I developed a new automated script to handle the task for you! 🤘

When Microsoft Defender for Identity (MDI) fails to update properly, the quickest way to resolve the problem is often to uninstall and reinstall the MDI sensor on the affected server (like most other applications too 😂).

Typically, this can be done through the standard Add/Remove Programs feature in Windows (Installed programs). However, there are cases where this process does not work as expected, leaving the application partially installed or in a corrupted state so that you can't install or uninstall it (not even with a new sensor installer downloaded from the Identities Settings in the Microsoft Defender portal!) 😂

In such scenarios, manual removal of the MDI sensor becomes necessary to ensure a clean slate before reinstalling a new sensor on the server. The following method outlines the steps to manually remove the MDI sensor when standard methods fail.

I also attempted to “sniff” the changes made on the server during installation of the sensor, but this approach did not provide the complete picture, as the services also create residual files and settings scattered across the server 😂

I’m excited to announce the release of the first version of my MDI sensor removal script! This is just the beginning—there’s more to come, with additional features and improvements planned over time. Stay tuned for updates!

Some of the strange errors I got

  • Action start 17:15:47: UpgradeInitializeCustomAction.
    SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSI6EE3.tmp-\
    SFXCA: Binding to CLR version v4.0.30319
    Calling custom action
    Microsoft.Tri.Sensor.Deployment.Package.Actions!Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.UpgradeInitialize
    Exception thrown by custom action:
    System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ArgumentNullException: Value cannot be null.
    Parameter name: path1
    at System.IO.Path.Combine(String path1, String path2)
    at Microsoft.Tri.Sensor.Deployment.Package.Actions.UpgradeInitializeActionGroup..ctor(Session session)
    at Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.UpgradeInitialize(Session session)
    --- End of inner exception stack trace ---
    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object arguments, Signature sig, Boolean constructor)
    at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object parameters, Object arguments)
    at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
    at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
  • Logs show the product as installed, but not all the files were in the installation path:
    Property(S): PrimaryVolumeSpaceRemaining = 0
    Property(S): INSTALLLEVEL = 1
    MSI (s) (B0:54) [17:16:01:411]: Note: 1: 1708
    MSI (s) (B0:54) [17:16:01:411]: Note: 1: 2205 2:  3: Error
    MSI (s) (B0:54) [17:16:01:411]: Note: 1: 2228 2:  3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708
    MSI (s) (B0:54) [17:16:01:411]: Note: 1: 2205 2:  3: Error
    MSI (s) (B0:54) [17:16:01:411]: Note: 1: 2228 2:  3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
    MSI (s) (B0:54) [17:16:01:411]: Product: Azure Advanced Threat Protection Sensor -- Installation failed.
    MSI (s) (B0:54) [17:16:01:411]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.239.18125.50420. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.
  • Could not uninstall the sensor via the uninstaller – it just shows the install path of the service…:
  • Could not install the sensor from the installer downloaded from the Defender portal (the /force argument did not work from the command line either):
  • Another installation error:
    [1618:0458][2024-08-11T17:15:43]i301: Applying execute package: MsiPackage, action: Install, path: C:\ProgramData\Package Cache\{03D01771-ED1A-4DDA-A47C-2BF7A84FF32E}v2.239.18125.50420\Microsoft.Tri.Sensor.Deployment.Package.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7" ACCESSKEY="*****" DelayedUpdate="" InstallationPath="C:\Program Files\Azure Advanced Threat Protection Sensor" InstalledVersion="" LogsPath="" PROXYCONFIGURATION="*****" WixBundleOriginalSourceFolder="C:\Users\Administrator\Desktop\Azure ATP Sensor Setup (2)\"'
    [1618:0458][2024-08-11T17:16:01]e000: Error 0x80070643: Failed to install MSI package.
    [1618:0458][2024-08-11T17:16:01]e000: Error 0x80070643: Failed to execute MSI package.
    [14A4:14A8][2024-08-11T17:16:01]e000: Error 0x80070643: Failed to configure per-machine MSI package.
    [14A4:14A8][2024-08-11T17:16:01]i000: 2024-08-11 15:16:01.4895 Error Model LogError [methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=]
    [14A4:14A8][2024-08-11T17:16:01]i319: Applied execute package: MsiPackage, result: 0x80070643, restart: None
    [14A4:14A8][2024-08-11T17:16:01]e000: Error 0x80070643: Failed to execute MSI package.
    [1618:0458][2024-08-11T17:16:01]i318: Skipped rollback of package: MsiPackage, action: Uninstall, already: Absent
    [14A4:14A8][2024-08-11T17:16:01]i319: Applied rollback package: MsiPackage, result: 0x0, restart: None

These are some of the random errors I got when my sensor was broken after some testing 🙈

Status in Microsoft Defender Portal for a failed sensor

When a sensor in Microsoft Defender for Identity is not functioning properly, its status in the Defender portal is a clear indicator of underlying issues. Typically, a failed sensor is flagged with a warning or error icon, accompanied by a status message like "Not healthy" or "Disconnected" (as the services can't run) 🤗

Go to Microsoft Defender > Settings and, under General, select Sensors to see the status of your sensors.

The sensor’s dashboard also displays additional details, such as the last time it communicated with the Defender service, potential error codes, or recommended actions to resolve the issue. These insights can help administrators quickly identify and address the root cause of the problem, ensuring that the sensor is restored to a healthy state and resumes its role in the organization’s security infrastructure.

Being aware of these status indicators in the Microsoft Defender portal is crucial for maintaining the overall security posture and ensuring that all sensors are actively contributing to threat detection and prevention 👌

How to get back on track

Why I created this script

The primary motivation behind creating the script was to automate the process of removing the MDI sensor installation from a host. Manually performing this task is tedious and error-prone, especially when dealing with multiple hosts and all the related files and registry entries. By automating the cleanup process, we can ensure that all remnants of the sensor installation are removed, paving the way for a fresh installation or system maintenance.

The script removes a malfunctioning MDI sensor that can't be installed, uninstalled or removed via Add/Remove Programs, using PowerShell in an automated way to get you back on track! 🤘

The script is hosted on my public repo here: https://github.com/michaelmsonne/public

What does the script do?

The script is designed to perform a comprehensive cleanup of the MDI sensor installation. Here’s a detailed breakdown of its functionalities:

  • Warning banner: Before proceeding with the removal, the script displays a warning banner to inform the user of the actions being taken and that it is not possible to cancel once started.
  • Disable, stop, and remove services: The script will identify and manage the services associated with the MDI sensor, ensuring they are disabled, stopped, and removed from the system.
  • Stop running processes: Any process related to the MDI sensor is terminated to prevent conflicts during the cleanup.
  • Remove named pipes: The script will identify and remove any named pipes that were created by the MDI sensor.
  • Uninstall NPCAP: NPCAP, a packet capture library often used by the MDI sensor, will be uninstalled.
  • Remove Installation folders and files: All folders and files associated with the MDI sensor installation will be deleted.
  • Remove Registry Keys: The script will clean up the registry by removing keys related to the MDI sensor.
  • Remove ATP Certificate(s): Any ATP (Advanced Threat Protection) certificates installed by the MDI sensor will be removed.
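As an added example (not the author's script), the read-only check below reports which of the remnants listed above are still present on a server before you reinstall. The service names AATPSensor/AATPSensorUpdater and npcap and the named-pipe and certificate name patterns are assumptions; the install path, the Package Cache MSI name and the product name are taken from the installer logs earlier in this post.

```powershell
# Added example (not the author's Clear-MDISensorInstallation.ps1): a read-only check
# for MDI sensor leftovers before a fresh install. Assumed: the sensor service names
# AATPSensor / AATPSensorUpdater, the Npcap service name "npcap", and the pipe and
# certificate name patterns; the install path and product name come from the logs above.
function Test-MDISensorRemnants {
    [CmdletBinding()]
    param(
        [string]$InstallPath = 'C:\Program Files\Azure Advanced Threat Protection Sensor',
        [string]$ProductName = 'Azure Advanced Threat Protection Sensor'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Services still registered (assumed names) and processes still running from the install path
    foreach ($svc in 'AATPSensor', 'AATPSensorUpdater', 'npcap') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { $findings.Add("Service still registered: $svc") }
    }
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -like "$InstallPath\*" } |
        ForEach-Object { $findings.Add("Process still running: $($_.ProcessName) (PID $($_.Id))") }

    # 2. Installation folder and the Package Cache copy of the sensor MSI
    if (Test-Path -LiteralPath $InstallPath) { $findings.Add("Folder still present: $InstallPath") }
    Get-ChildItem -LiteralPath 'C:\ProgramData\Package Cache' -Directory -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $_.FullName 'Microsoft.Tri.Sensor.Deployment.Package.msi') } |
        ForEach-Object { $findings.Add("Package Cache MSI still present: $($_.FullName)") }

    # 3. Add/Remove Programs (Uninstall) registry entries that still name the product
    $uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$ProductName*" } |
        ForEach-Object { $findings.Add("Uninstall entry still present: $($_.PSChildName) ($($_.DisplayName))") }

    # 4. Named pipes whose name mentions the sensor (assumed naming pattern)
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        Where-Object { $_ -match 'Tri\.Sensor|AATP' } |
        ForEach-Object { $findings.Add("Named pipe still open: $_") }

    # 5. Machine certificates whose subject mentions ATP (assumed naming pattern)
    Get-ChildItem -Path Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Azure Advanced Threat Protection|\bATP\b' } |
        ForEach-Object { $findings.Add("Certificate still installed: $($_.Subject) ($($_.Thumbprint))") }

    [pscustomobject]@{ Clean = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Run as administrator: Clean = True means no leftovers were found by these checks.
Test-MDISensorRemnants | Format-List
```

Running it before and after the cleanup script gives you a before/after list of leftovers to confirm the server really is a clean slate.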

How to use the script

Using the script is straightforward. Here are the steps to follow:

  • Download the script: Ensure you have the latest version of the script.
  • Open PowerShell: Launch PowerShell with administrative privileges.
  • Run the script: Execute the script by navigating to its directory and running the following command: .\Clear-MDISensorInstallation.ps1
  • Follow the prompts: The script will display a warning banner. Confirm to proceed with the cleanup.

Remove the installed sensor

To start removal of the MDI sensor, perform the following:

  • Open PowerShell: Launch PowerShell with administrative privileges.
  • Run the script: Execute the script by navigating to its directory and running the following command: .\Clear-MDISensorInstallation.ps1
    • If you want to run the script in debug mode for verbose output, use the -Debug switch: .\Clear-MDISensorInstallation.ps1 -Debug

A small video snippet of removal of a sensor:

After this, the services should be gone, and the files and registry keys too – ready for a new and fresh install! 😎

If the sensor is already removed

If the sensor is already uninstalled, or some parts can't be found, the output you get is similar to this:

Getting back on track with a new sensor install

Once the cleanup is complete, you can proceed with installing a new MDI sensor. Here’s a quick guide:

By using the script, you can ensure a clean slate for your new MDI sensor installation, minimizing potential issues and conflicts.

Final cleanup

Clean up the old sensor(s) in the Identities Settings – Microsoft Defender portal to remove duplicates. When you install a new sensor, it creates a new entry in the sensor overview section of your Defender portal. By removing the old or duplicate entries, you ensure that your sensor overview remains accurate and up-to-date.

Go to Microsoft Defender > Settings and under general select > Sensors. Then mark the old sensor you will remove, and select Delete:

Conclusion

In summary, removing a malfunctioning sensor from Microsoft Defender for Identity can be challenging, especially when traditional methods like Add/Remove Programs fall short. This blog post provides a detailed approach to manually clean up such sensors using an automated PowerShell script.

Automating the cleanup of the MDI sensor installation with the script not only saves time but also ensures a thorough and error-free process. Whether you are troubleshooting, migrating or simply performing maintenance, this script is a valuable tool in your cybersecurity toolkit.

We explored how to address issues when standard installation/uninstallation processes fail, leveraging insights into sensor locations and registry/file changes. Despite initial attempts to track changes via “sniffing” the installation process, it became clear that residual files and settings were left behind, necessitating a more comprehensive solution.

Special thanks to Martin Schvartzman from Microsoft for his valuable guidance, which was instrumental in crafting this automated script, and for his assistance in addressing the issues I encountered in my lab. His expertise and insights into the sensor and its registry/file locations were crucial in developing this automated PowerShell clean-up process for the community.

I also send my gratitude to fellow Microsoft MVP Raymond Roethof (thalpius on github.com) for his insights, which helped verify that I got all the parts removed too – as there is a lot of it around on the server! 🤣

This solution should streamline the clean-up process and restore your system’s integrity, ensuring that any lingering issues are effectively resolved.

Thank you for taking the time to visit my blog. Kindly share it with others if it also could be helpful for them! 😉🔐👍

Remember you can always support me and my development of tools and creation of content via Why donate? – Blog – Sonne´s Cloud (sonnes.cloud)

Stay tuned for the new post about something cool! 🥳

References

michaelmsonne/public – (github.com)
