Scripted removal of EMSS agent

Version 4

    It is possible to remove the EMSS agent via an agent management job as per Uninstalling Agents by Agent Management Job

    Should this process fail, or where endpoints are not accessible by the console, it is also possible to remove the agents programmatically.

     

    When an agent removal is invoked via an engine management job, the following sequence occurs:

     

    Uninstall string is retrieved from the registry:

     

    • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Lumension\LMAgent
    • Value: UninstallString

     

    The Uninstall string contains the path to the uninstaller.

     

    This is then used in a cmd.exe call to silently uninstall the agent from the endpoint.

     

    A typical example of this command would look like:

     

    cmd.exe /C "C:\Program Files\HEAT Software\EMSSAgent\Live\lmuninstall.exe" GLOBALUNINSTALLPASSWORD

     

    Where 'GLOBALUNINSTALLPASSWORD' is the agent uninstall password defined in agent hardening. To retrieve this, please review the following article:

     

    Viewing the Agent Uninstall Password

     

    The above cmd.exe command can be invoked by other platforms to clean up the agent, but please be aware of the following considerations:

     

    - If the agent has been installed to a non-standard path, the string will need to be adjusted to cater for this (the location can be derived from the UninstallString value as mentioned above)

    - The GLOBALUNINSTALLPASSWORD is only needed if agent hardening is enabled (it is on by default). If it is not enabled, simply omit this field

    - There is no final message if the uninstall was successful - the lmuninstall.exe app exits silently.
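
The sequence and considerations above as a PowerShell sketch; this is an added example, not vendor code. The `-UninstallPassword` parameter name, the quote-trimming of the registry value and the final file-presence check are assumptions made for illustration.

```powershell
# Added example: run elevated on the endpoint.
param(
    # Agent uninstall password; omit when agent hardening is disabled.
    [string]$UninstallPassword
)

# Registry key and value name as given in the article.
$key = 'HKLM:\SOFTWARE\Lumension\LMAgent'

# Derive the uninstaller location from the registry so that non-standard
# install paths are handled without editing the script.
$raw = (Get-ItemProperty -Path $key -Name UninstallString -ErrorAction SilentlyContinue).UninstallString
if (-not $raw) {
    Write-Output "$env:COMPUTERNAME: UninstallString not found, nothing to remove."
    exit 0
}

# Assumption: the value is the path to lmuninstall.exe, possibly wrapped in quotes.
$exe = $raw.Trim().Trim('"')
if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
    Write-Error "Uninstaller not found at '$exe'."
    exit 2
}

# Pass the password only when one was supplied. As with the cmd.exe form,
# it ends up on the child process command line, so it is visible to
# process-creation command-line logging where that is enabled.
$startArgs = @{ FilePath = $exe; Wait = $true; PassThru = $true; WindowStyle = 'Hidden' }
if ($UninstallPassword) {
    $startArgs.ArgumentList = '"{0}"' -f $UninstallPassword
}
$proc = Start-Process @startArgs

# lmuninstall.exe gives no final message, so record what can be observed.
# Assumption: the exit code and whether the uninstaller file remains are
# only indicative; the article states that removal requires a reboot.
$stillPresent = Test-Path -LiteralPath $exe
Write-Output ("{0}: exit code {1}, uninstaller still present: {2}" -f $env:COMPUTERNAME, $proc.ExitCode, $stillPresent)
exit $proc.ExitCode
```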

     

     

    Using Patch for Windows to remove EMSS agent

     

    If migrating from EMSS to Patch for Windows, limitations in the EMSS agent management job scheduling (it relies on endpoints being online at that point in time) can lead to challenges in removing redundant agents when not all endpoints are online.

    As such, an alternative approach is available to minimise the window during which the old and new platforms run concurrently, by leveraging Patch for Windows custom command functionality to remove the old EMSS agent.

     

    This process comprises the following steps.

     

    1. From the Patch Templates and Groups view, select New / Patch Scan Template

    2. Enter a descriptive name for the patch scan template (e.g. EMSS removal)

    3. Under the Patch Properties - Applies to Agents section, ensure the only item selected is Custom Actions

     


    4. Click Save

    5. Now click New / Deployment template

    6. Give the template a descriptive name and then navigate to the Custom Actions tab

    7. Click New and save the template when prompted

     

    8. Under step 3, select the option for the deployment action to occur Before any patches

    9. Under step 4, enter the uninstall command string, then click Save and Save again (to the deployment template dialogue)

     

    10. Finally, configure a scan job to use the created patch scan template and deployment template

     

    The above example performs a one-time removal attempt, which would remove the agent from online endpoints. In environments with endpoints that are only sporadically online, this would need to be run as a recurring task to catch endpoints when they come online.

     

    Note:

     

    - It is possible to run custom actions as part of a regular patch deployment without needing to create an 'empty' job as above

    - We recommend testing on a small group of endpoints to ensure expected behaviour before rolling out to larger numbers

    - Removal of agents will require a reboot

     

     

     

     
