Share via

How to fully Uninstall/Clean-up Microsoft Defender Endpoint

Dan Beeney 0 Reputation points
2024-06-27T13:23:57.6933333+00:00

Hello,

We are having issues trying to use a migration tool to move our devices to another Microsoft tenant. It seems to be struggling gaining access and deleting a regkey that is link to a service for MDE. The tool is running and using the system account, we are also local admins and unable to delete/remove manually.

We have used the offboarding script but only seems to disconnect the device from the MDE portal. This doesn't uninstall or clean-up MDE from device. All of the software, services or regkeys still remain. Is there a uninstall or clean-up tool please to help fully remove Microsoft Defender Endpoint??

Thanks,
Dan

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,402 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,184 questions
Microsoft Defender for Identity
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
210 questions
Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint: A Microsoft unified security platform for preventative protection, postbreach detection, and automated investigation and response. Previously known as Microsoft Defender Advanced Threat Protection.Training: Instruction to develop new skills.
44 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sandeep G-MSFT 19,761 Reputation points Microsoft Employee
    2024-06-28T09:31:48.5866667+00:00

    @Dan Beeney

    Thank you for posting this in Microsoft Q&A.

    As I understand you need assistance in uninstalling Microsoft Defender for endpoint.

    I see that you have also posted this issue on tech community platform. There is an answer posted on the tech community thread with detailed steps on how to uninstall MDE.

    https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-do-you-fully-uninstall-clean-up-microsoft-defender-endpoint/m-p/4177365

    To fully uninstall and clean up Microsoft Defender Endpoint (MDE) from your devices, you need to follow a comprehensive process that involves stopping services, removing registry keys, and uninstalling associated components. Here’s a detailed guide to help you achieve this.

     Step-by-Step Guide to Fully Uninstall/Clean-up Microsoft Defender Endpoint.

    Stop Microsoft Defender Services

    • Open PowerShell as Administrator
    • Copy code Stop-Service -Name "Sense" -Force Stop-Service -Name "windefend" -Force Stop-Service -Name "WdNisSvc" -Force

    Disable the Services:

    • Open PowerShell as Administrator
    • Set-Service -Name "Sense" -StartupType Disabled Set-Service -Name "windefend" -StartupType Disabled Set-Service -Name "WdNisSvc" -StartupType Disabled

    Uninstall Microsoft Defender Endpoint Components: Uninstall using PowerShell

    • First uninstall Windows Security app
    • Open PowerShell as Administrator
    • Copy code Get-AppxPackage Microsoft.SecHealthUI | Remove-AppxPackage
    • Uninstall Microsoft Defender Antivirus
    • Open PowerShell as Administrator
    • Copy code Uninstall-WindowsFeature -Name Windows-Defender-Features
    • Remove Defender for Endpoint Using Windows Installer:
    • Open PowerShell as Administrator
    • Copy code msiexec /x {ProductCode} /qn /norestart

    Note: Replace {ProductCode} with the actual product code for Microsoft Defender Endpoint. You can find this in the registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Now you will have to remove the registry keys:

    • Open PowerShell as Administrator
    • Copy code Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MDCoreSvc" -Recurse -Force Remove-Item -Path "HKLM:\SYSTEM\ControlSet001\Services\MDCoreSvc" -Recurse -Force

    Next step is to offboarding script again and this is optional

    If you have not already, you can run the offboarding script provided by Microsoft to ensure the device is disconnected from the MDE portal.

    Now next steps is to clean Up Residual Files and Folders

    • Delete Microsoft Defender Folders:
    • Open PowerShell as Administrator
    • Copy code Remove-Item -Path "C:\Program Files\Windows Defender" -Recurse -Force Remove-Item -Path "C:\ProgramData\Microsoft\Windows Defender" -Recurse -Force

    Now reboot the device

    Reboot the device to ensure all changes take effect and to complete the cleanup process.

    Additional Considerations

    Permissions:

    • Ensure you have sufficient permissions to perform these operations, especially when manipulating services and registry keys.
      • If the system account or local admins are unable to remove certain keys or services, you might need to boot into Safe Mode to perform these actions.
      Group Policy: 
      - Verify that there are no Group Policies that might be re-enabling or protecting Microsoft Defender services or components.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

  2. Blake Morrison 5 Reputation points Microsoft Employee
    2024-10-31T18:02:07.0866667+00:00

    Most, if not all of these steps are NOT SUPPORTED by Microsoft Support. Nor are they recommended. Doing so could put your system in a state where Defender/MDE/EDR cannot be re-activiated.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.