Hard-Removing Elastic Endpoint

Hey,

after an upgrade to 7.13 and the auto-removal of Kibana-builtin Fleet, i'm now cleaning up in order to re-install Elastic Agents.

On Windows Hosts, I'm not able to remove Elastic Endpoint.

  • Unenrolling the agent from Fleet didn't work
  • I tried elastic-agent uninstall, which removed the Agent but left the Elastic Endpoint (even after restart)
  • There is no stopping the service. It always says "Access Denied". I tried as BUILTIN\Administrator, and even as NTAUTHORITY\SYSTEM. You can't even alter the service's security descriptor using sc.exe and NTAUTHORITY\System.

I mean, congratulations on the tamper protection :wink: but how do I get back control over my system now and properly remove Elastic Endpoint?

I was pointed to:

It works.

cd %TEMP%
copy "c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe" elastic-endpoint.exe
.\elastic-endpoint.exe uninstall
del .\elastic-endpoint.exe

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.