Uninstalled Endpoint but SEC shows PC as active

Question

Hi Sophos Community,

I'm testing a remote uninstall of Endpoint 10.3 using a script as documented in article ID 109668 How to uninstall Sophos Endpoint Security and Control from the command line or with a batch file.

As the PC is an AD environment I created a new GPO and linked in batch file as a startup script. The script seemed to work successfully as all 3 components (RMS, AV, AutoUpdate) have been removed and the log files looked clean.

However, if I look in SEC (5.2.2) at the PC object it shows the red X icon over thecomputer and states same as policy, yes, active (policy compliance, up to date, on-access). So it seems like SEC sees the computer as still managed but just disconnected?

I would have assumed that after a successfull uninstall SEC would show just a plain grey icon

used for "Unmanaged computers".

Can anyone advise why this is happening? I was hoping to use the computers "status" in SEC as an indication as to which computers have successfully completed the uninstall.

This thread was automatically locked due to age.

QC · Accepted Answer

Hello ICT123, imaginably the Installer package could be authored with a public property you could pass as parameter from the command line when invoking msiexec to indicate a "final" uninstall. The information could be passed to RMS which in turn would tell SEC that it's going to go away. This would of course only work when you call msiexec from the command line.  It's not implemented though. Arguably all RMS uninstalls could inform (provided that RMS is working) SEC to have the status set to unmanaged, maybe you could submit a feature request. Anyway, after an uninstall an endpoint is shown as disconnected but managed.  Christian  :57619