Uninstall/Install Elastic-Endpoint. Endpoint stays after uninstall

To not hijack an existing thread about another subject, see "Elastic endpoint overwrites configuration file".

Uninstall goes like this. Open PowerShell as admin. Run uninstall-service-elastic-agent.ps1. Wait a few minutes, as the agent does not like to stop quickly. About 10 minutes later, still have Elastic-Endpoint installed and running. Reboot workstation, comes back up with Elastic-Endpoint. This is on every workstation, I'm afraid. The uninstall is on Windows 10 LTSC and Windows 10 2004. Both machine OSes have the same issues removing the endpoint. Both machines only have Windows Defender installed as their default. No modifications are done during the rollout, as they are purely dev machines straight from Microsoft's ISO. I have 18 workstations on 3 total clusters being tested currently, with the same failure across the board. You cannot rerun the current 7.9.0 x64 uninstall script a 2nd time, as in its default form it is only looking for elastic-agent, not elastic-endpoint, and will fail.

Install is the harder option as it's not as straightforward. This is directly out of the PS script from a fresh download today.
-binaryPathName ""$workdir\elastic-agent.exe" --path.home "$workdir" --path.data "$workdir\data" run"

Workdir will do the install in the directory in which the install script is run from. To be honest, it should be copied to Program Files\Elastic prior. At this time, if you want it in that folder, if installing manually and not scripted, you have to copy the folder contents into Elastic and run the install. This isn't an issue for 95% of Elastic users as we're more technical, but to roll out AV in some areas you still have to KISS. Never count on someone reading the guide first or not forgetting about a step. This is purely our use case, but I see it being an issue.

If anyone reads this, try and delete the folder you ran the install script from. Does it fail, yes/no? If yes, it's because that is the folder it is sending the logs to. If no, then congratz, you moved it and have already caught on to it.

Please note the install is more common in this form when you do not have something like SCCM or SALT running, in an environment where most things are manual. Think of a sub 50 user location where you have legacy processes and equipment in place. While not the direct target for Elastic "marketing and cost effectiveness", it still has its place. Sometimes mass rollouts fail and you have to do the install by hand or have the L1 tech do it. A fairly large number of L1 techs will not care nor check up. They will see installed and done and walk away.

Hello @PublicName,

Thanks for splitting this into its own issue to keep the forums cleaner. I was able to talk with the proper people and this is going to be addressed. An issue has been filed here: https://github.com/elastic/beats/issues/20895 if you want to follow it. A better agent installer/uninstaller is actively being worked on.

As a workaround in the meantime, if you unenroll an agent from the Ingest Manager in Kibana, it should cleanly uninstall agent+endpoint and any other enabled integrations.

Let me know if you have any other questions or need any additional help with it.


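The two conditions reported in this thread, an endpoint service that survives the agent uninstall and an agent service running from the folder the install script was launched in, can be checked per host from an admin PowerShell prompt. This is an added example, not part of the original posts or of Elastic's scripts; it assumes both Windows service names begin with "elastic", which should be confirmed with Get-Service on your own hosts.

```powershell
# Added example: audit one Windows host for the two problems described in this thread.
# Assumption: the agent and endpoint service names both start with "elastic"
# (WQL LIKE is case-insensitive); adjust the filters to match your hosts.
$services = @(Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'elastic%'")

$agent    = @($services | Where-Object { $_.Name -like '*agent*' })
$endpoint = @($services | Where-Object { $_.Name -like '*endpoint*' })

$findings = @()

# 1. Endpoint left behind: an endpoint service exists although the agent service is gone.
if ($endpoint.Count -gt 0 -and $agent.Count -eq 0) {
    foreach ($svc in $endpoint) {
        $findings += "Endpoint service '$($svc.Name)' ($($svc.State)) remains without an agent service."
    }
}

# 2. Agent installed in place: the service binary lives outside Program Files,
#    i.e. in whatever folder the install script was run from.
foreach ($svc in $agent) {
    # PathName holds the quoted executable followed by its arguments.
    if ($svc.PathName -match '^"?(?<exe>[^"]+?\.exe)') {
        $exe = $Matches['exe']
        if (-not $exe.StartsWith($env:ProgramFiles, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += "Agent service '$($svc.Name)' runs from '$exe', outside $env:ProgramFiles."
        }
    }
}

# One result object per host, suitable for Export-Csv when collected from many machines.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Services     = ($services | ForEach-Object { "$($_.Name)=$($_.State)" }) -join ', '
    Findings     = $findings -join ' | '
    Clean        = ($findings.Count -eq 0)
}
```

A host that reports `Clean = False` after an uninstall still has endpoint protection components registered as a service and needs the unenroll workaround described above or manual follow-up.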