Team: Huntress EDR
Product: Agent Management Portal, Command Line
Environment: Windows, macOS
Summary: The process to uninstall the Huntress Agent can be performed many ways: manually, remotely, in bulk, silently, via GUI, via command line using a management or RMM tool. The method used will depend on the existence or absence of Tamper Protection and the tools you have available.
Due to Huntress Tamper Protection you will need to use the Remote, Bulk Remote, or break-glass options for any Windows machines (macOS Tamper Protection is not available yet), or disable Tamper Protection ~30 minutes prior to attempting a local uninstall. The HuntressRio service must be running during these 30 minutes.
For any endpoints that have been wiped/decommissioned, you’ll want to remove the agent from the Huntress Dashboard using one of the remote directions. That will automatically close any incidents associated with the agent and remove the agent from your account to ensure you aren’t billed for it.
In this article
* Remote Uninstallation using the Huntress portal (all OS)
* Bulk Remote Uninstallation using the Huntress portal (all OS)
Manual Uninstallation macOS GUI/Terminal
Manual Uninstallation Windows GUI
Command Line Uninstallation for Management Tools and RMM Windows
Break-glass option for Tamper Protection agents
* - recommended for all accounts, required for Tamper Protection enabled accounts
Remote Uninstallation
The Huntress Agent has a remote uninstall feature available in the Huntress Web Interface. When you navigate to the desired agent's page, you'll notice the "Uninstall" button on the left-hand side of the agent details window.
- Simply click the "Uninstall" button.
- Within the Uninstall Agent pop-up, confirm your intent to remove the agent by clicking the "Uninstall" button.
- Voila! That agent was immediately removed from your Huntress Account and its associated Organization. The next time the agent checks-in, we'll deliver it an uninstallation task. This generally occurs within about 15 seconds but could take longer in scenarios where the computer was offline (for example, powered down over night or stored away in a closet). If the endpoint was offline, as soon as the endpoint comes online, the agent will be tasked to uninstall. Once it has picked up the uninstall task, the uninstallation should be completed within 15 minutes. Either way, once it's off your dashboard it no longer counts towards your agent totals.
Bulk Remote Uninstallation
Within the Huntress Web Interface, we've added several ways to uninstall large quantities of agents. These features include entire organization uninstallation, unresponsive agent uninstallation, and endpoint-by-endpoint selection.
Entire Organizations
- From the Account Dashboard, navigate to the Organization Management view.
- Click the three dots to the right of the Organization you wish to delete, then select Delete
- Within the Delete Organization pop-up, confirm your intent to remove the Organization and uninstall all agents by clicking the "Delete" button.
Unresponsive Agents
- From an Account or Organization Dashboard, select the Unresponsive Agent counter. Agents are marks as "unresponsive" when they have not called back in 45 days.
- Click the uppermost checkbox to select all unresponsive agents (alternatively, you can select the agents you desire).
- Click the "Uninstall" button.
- Within the Uninstall Agents pop-up, confirm your intent to remove the agent by clicking the "Uninstall" button.
Endpoint-by-endpoint Selection
- From the Account or Organization Dashboard, select the Agent Management view.
- Select the checkboxes next to each agent you want to uninstall.
- Click the "Uninstall" button.
- Within the Uninstall Agents pop-up, confirm your intent to remove the agent by clicking the "Uninstall" button.
Manual Uninstallation macOS GUI/Terminal
Open up Terminal and paste in the following:
sudo bash /Applications/Huntress.app/Contents/MacOS/Uninstall -S
(the S must be capitalized for a silent uninstall)
If you drag the Huntress app to the trash can it will not uninstall properly and can get hung up when you try to reinstall! In cases like that, you'll need to delete /Library/Application Support/Huntress/HuntressAgent/AgentConfig.plist
before reinstalling.
Manual Uninstallation Windows GUI
If attended uninstallation is an option, you can leverage Windows' Programs and Features wizard:
- Click on the Start button in the left bottom corner of your screen and type "Programs and Features" into the Search box.
- Click on the "Programs and Features" icon.
- Within the Programs and Features window, scroll to "Huntress Agent".
- Right-click on "Huntress Agent" and select the "Uninstall".
- Within the Huntress Agent Uninstall pop-up, click the "Yes" button.
- Once uninstalled, you'll receive a pop-up notification confirming the successful uninstallation.
Command Line Uninstallation for use with Configuration Management Tools and RMM solutions Windows
The command line uninstallation is suitable for silent/unattended removal using a configuration management tool or RMM solution.
The HuntressAgent and HuntressRio services must be running and talking to the Huntress portal for these instructions to work (unless the agent does not have Tamper Protection enabled). See this article for determining TP status.
- Create a Tamper Protection exclusion for the agent to be uninstalled.
- Wait a few minutes for the task to reach the agent (this can take up to 30 minutes)
- Run our uninstaller in Silent mode like this:
"C:\Program Files\Huntress\Uninstall.exe" /S
If that fails or the Uninstall.exe is missing you can manually remove Huntress this way:
- If there isn't a Tamper Protection exclusion active for this machine you'll need to create one and wait up to 30 minutes for the task to reach the agent.
- Download the Huntress PowerShell script to the machine you're trying to remove Huntress from.
- Run the script with the -uninstall flag like this:
powershell -executionpolicy bypass -f ./InstallHuntress.powershellv2.ps1 -uninstall
Break-glass option for Tamper Protection agents
For situations where the agent can't communicate with the Huntress portal you may need to employ a break-glass option. There are two different ways to do this, depending on the tools available to you.
Most RMM's run with elevated permissions so you can use them to send this command to silently uninstall Huntress:
"C:\Program Files\Huntress\Uninstall.exe" /S
For the second option please contact support so we can guide you through the process.