Skip to main content

Huntress Product Offboarding Guide

Nick
  • Updated

Team: Huntress
Product: All Products
Environment: Windows, macOS, Huntress Dashboard

Summary: This guide outlines the necessary steps to remove Huntress agents, disconnect integrations, and decommission services for a client or organization. The purpose of this guide is to cover the basic steps for removing an individual Service or endpoint without removing additional services tied to an orginization. 

After following any one of these guides, you can contact your account manager directly to address any billing concerns. 

 

 

Warning: Deleting an Orginization from the Huntress dashboard will also remove all corresponding services, such as SAT, SIEM, ITDR, EDR, ISPM, and ESPM. 

 

Bulk Remove all services at once, including EDR, SAT, SIEM, ITDR, ISPM, and ESPM

  • Portal Method (Recommended):

    1. Log in to Huntress as an account administrator.

    2. Navigate to the Organization Tab.

    3. Locate the Organization and click the three dots (...) on the right.

    4. Select Delete. This will queue an uninstallation task for all active agents and remove the organization from the dashboard. It will also delete all services listed in the warning above, including SAT

 

1. Managed Endpoint Detection & Response (EDR)

The EDR offboarding process involves removing the Huntress Agent from all endpoints. 

 

You do not want to delete the entire orginization if you only intend to remove EDR services while leaving other services like SAT or ITDR enabled. 

[IMPORTANT] Tamper Protection: If Tamper Protection is enabled, you must use the portal to uninstall or create an exclusion before attempting a local uninstallation or using RMM removal tools. 

 

  • Individual/Bulk Selection:

    1. Log in to Huntress as an account administrator.

    2. Navigate to the Organization Tab and select the orginization you will be working with. 

    3. Go to the Agent tab.

    4. Select the desired agents by checking the boxes next to their names, then click Uninstall.
      You can Bulk delete here by selecting the box next to Hostname to select all endpoints on the page.  The view can also be expanded from the default of 25 endpoints to 100 endpoints. 

2. Managed Identity Threat Detection & Response (ITDR)

ITDR is tied to your Microsoft 365 or Google Workspace integration.

  • Steps:

    1. Log in to the Huntress Portal and navigate to Integrations.

    2. Select the Microsoft 365 or Google Workspace integration associated with the organization.

    3. Click Delete or Disconnect.

    4. Note: You should also go into the M365/Google Admin portal and remove the Huntress "Enterprise Application" or "Service Account" permissions to fully revoke access.

3. Managed Security Awareness Training (SAT)

Offboarding SAT requires setting the account or company to an Inactive status.

  • Partner/Reseller Steps:

    1. Navigate to the SAT Dashboard.

    2. Select the Accounts Tab, and then select the account you wish to disable

    3. Select the Gear Icon in the upper-right corner of the screen to open Settings.

    4.  Select the General Button from the menu on the left under Configure

    5. In General Settings, under Status, select Inactive from the dropdown menu. 

       

  • Direct - Stand-Alone Steps:

    1. Navigate to the SAT Dashboard.

    2. Select the Gear Icon in the upper-right corner of the screen to open Settings.

    3.  Select the General Button from the menu on the left under Configure

    4. In General Settings, under Status, select Inactive from the dropdown menu. 

4. Managed SIEM

SIEM offboarding involves stopping the ingestion of logs and removing collection agents.

Note: Removing all EDR endpoints will also stop SIEM ingestion, but it will not stop a notification from going out that a SIEM source is no longer sending information. You will need to remove the SIIEM sources as described below. 

  • Steps:

    1. Decommission any Huntress SIEM Collectors (often installed on Domain Controllers or via Syslog servers).

    2. In the Huntress Portal, navigate to the SIEM configuration page.

    3. Remove the log sources for that specific organization.

    4. Note: Verify data retention requirements before deletion. The SIEM information will not be destroyed, but its access will change. You will have to use an Account Scope to pull up historical information, rather than an organizational scope. 

5. Managed Identity Security Posture Management (ISPM)

ISPM is often bundled with ITDR and Microsoft 365 integrations.

  • Steps:

    1. Disconnect the Microsoft 365 integration within the Huntress portal (as described in the ITDR section).

    2. Ensure any Conditional Access Policies or configuration changes made by Huntress are reviewed and reverted if they are no longer desired post-offboarding.

    3. Note: Huntress will not roll back any changes upon de-provisioning. Any security configurations implemented through the platform will remain in their current state and become the new baseline for the tenant. None of our CAPs are Huntress-specific, and these will only increase the tenant's security posture. 

6. Managed Endpoint Security Posture Management (ESPM)

ESPM relies on the Huntress Agent and its ability to manage OS-level settings.

  • Steps:

    1. Follow the Managed EDR uninstallation steps to remove the Huntress Agents.

    2. Upon agent removal, the ESPM management capabilities (such as Windows Update monitoring or host-based firewall management) will cease.

 

 

Related articles