Skip to main content

Hello, are there any caveats while uninstalling EPM windows components ? We have installed the Package Manager via SCCM which further installed the agent and adapter . On some of the computers we are not able to un-install these components from Add/Remove programs as well as CMD/PS using msiexec and GUID. user account in local admin group is being used to run these programs as admin. No agent protection is configured. Order of removal is PM agent. Adapter and then Package Manager . Tried deleting computer from EPM console before above steps as well. On some computers PM agent removal asks to close other open apps such as notepad. excel etc

 

Adapter Version: 24.6.714.0
Client Version: 24.5.361.0
Package Manager Version: 24.6.697

Hi,

what kind of message did you get when you elevated the cmd/PowerShell to uninstall the agent a Windows UAC message or a message from the EPM agent? If you get a message from the EPM Agent the uninstall won’t work due to the Tamper Protection.

If you want to get a Windows UAC prompt for the local admin user you can do the following:

  • Shift + right click PowerShell → Run as other user
  • Use the local admin account
  • Type: start-process powershell -verb runas
  • The Windows UAC prompt should appear and in the now open PowerShell Administrator Window you should be able to uninstall the agents. 

The removal of the agent shows the message to close certain apps because the Agent dll is loaded within the process stack. It should be safe to ignore these warnings if you reboot the device after uninstalling the agents.

 

I hope that helps.


no doubt that anti tamper is the cause, but be aware if you have policies that apply to administrators also, Anti-Tamper could also target and Admin. The solution from SasStu is also valid, but the below is simple for use going forward.

Create a separate group and blank policy, and that will give you normal UAC behavior just by moving the client computer from Group A to B. Also you could disable the Agent protection in that policy.


Hey @bt101 , in order to uninstall the components related to BeyondTrust EPM , you should have a proper local admin account then only you should be able to uninstall these components . 

 

One hint if i go for manual uninstallation , mostly when i get a local admin access over a user’s machine , and when i open CMD or powershell as admin i get this path which i got a indication of local admin access over the user’s machine :

 

 


I would get the uninstall strings the client, adapter and Package manager.

you can find that here: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

Privilege Management for Windows (x64)
BeyondTrust Privilege Management Package Manager (x64)
BeyondTrust Privilege Management Cloud Adapter (x64)

From here you can grab the uninstall strings
add them to SCCM and your silent switches and you can push a remote uninstall from SCCM. /qn /norestart. make sure it run in context of system.

Note: the GUI for each client and version is different.


This is very likely to be caused by the Ant-Tamper feature, check the current policy configuration, if needed either disable this or create a new policy and disable the ant-tamper then add those machines that you wish to uninstall agent to this policy. 


Reply