Thank you for posting your query on Microsoft Q&A, from above description I could understand that you are looking for alternate detection method of unfired solution.
- If we navigate to the prerequisites of this document, it says "Down-level OS devices in your environment onboarded with Microsoft Monitoring Agent. To confirm, verify that
MsSenseS.exe
is running in Task Manager." so that is the reason why you would see the registry key. - While creating the package in step 8 you must have used the following PowerShell command as "installation program" which have -RemoveMMA <workspace ID>
Powershell.exe -ExecutionPolicy ByPass -File install.ps1 -RemoveMMA <workspace ID> -OnboardingScript .\WindowsDefenderATPOnboardingScript.cmd
- If above command is executed successfully, this should remove the MMA agent provided workspace ID is correct and onboard the unified agent as a result the registry should be re written.
- Additionally you could check the following:
- Run Get-MpComputerStatus in PowerShell and validate AntivirusSignatureAge
AntivirusSignatureLastUpdated both the parameters should refer to the date you ran the package.
- You may check in control panel and see if workspace ID still exist for MMA.
Thank you for posting your query on Microsoft Q&A, from above description I could understand that you are looking for alternate detection method of unfired solution.
- If we navigate to the prerequisites of this document, it says "Down-level OS devices in your environment onboarded with Microsoft Monitoring Agent. To confirm, verify that
MsSenseS.exe
is running in Task Manager." so that is the reason why you would see the registry key. - While creating the package in step 8 you must have used the following PowerShell command as "installation program" which have -RemoveMMA <workspace ID>
Powershell.exe -ExecutionPolicy ByPass -File install.ps1 -RemoveMMA <workspace ID> -OnboardingScript .\WindowsDefenderATPOnboardingScript.cmd
- If above command is executed successfully, this should remove the MMA agent provided workspace ID is correct and onboard the unified agent as a result the registry should be re written.
- Additionally you could check the following:
- Run Get-MpComputerStatus in PowerShell and validate AntivirusSignatureAge
AntivirusSignatureLastUpdated both the parameters should refer to the date you ran the package.
- You may check in control panel and see if workspace ID still exist for MMA.
If you don't see the expected results, then kindly post the query on Microsoft Defender for Endpoint Tech Community which is a dedicated channel.
Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.
Thanks,
Akshay Kaushik