We help IT Professionals succeed at work.
Private

SEPM  14.2 - Removing the client agent.

88 Views
Last Modified: 2020-07-25
SEPM  14.2 - Removing the client agent.

Hello,

I created a new GPO under 'start up' script and with the following script:

MSIEXEC /x "\\192.168.xx.xxx\SEPM Deployment Share\Sep64.msi" /l*v "\\192.168.xx.xxx\SEPM Deployment Share\logfile

When run this on the client manually it removes the software but it does not do it over the network using GP.

Any ideas why? should the script be a .bat or a PowerShell script?
Comment
Watch Question

James RankinMedia Hound
CERTIFIED EXPERT

Commented:
I'm willing to bet the Startup Script can't access the network share. Does SYSTEM have access to it?
CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018

Commented:
A .bat/.cmd will work just fine, but you should add a start /wait.
Note that when using a startup script, the AD computer account needs to have permissions (share and NTFS) to the deployment share.
You can use, for example, the group "Domain Computers" with Read permissions, or you can create a dedicated group and add the computer accounts to it.
start "" /wait msiexec.exe /x "\\192.168.xx.xxx\SEPM Deployment Share\Sep64.msi" /l*v "\\192.168.xx.xxx\SEPM Deployment Share\logfile"

Open in new window

Author

Commented:
Hello, system has full control  -
Screen-Shot-2020-07-16-at-08.52.50.png
CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018

Commented:
Save this as UninstallSepAgent.cmd in the location that pops up when you click "Show Files".
start "" /wait msiexec.exe /x "\\192.168.xx.xxx\SEPM Deployment Share\Sep64.msi" /l*v "\\192.168.xx.xxx\SEPM Deployment Share\logfile"

Open in new window

Then as script name, enter UninstallSepAgent.cmd, no parameters.
Make sure Authenticated Users (or the default Everyone) is listed in the Share permissions for "SEPM Deployment Share" with Read Access as well.

Author

Commented:
Hello, so i added the .cmd to the 'show files' window and removed the script from the top part - see attached.

Ran GPUPDATE /FORCE and rebooted but when first logging in the software is not removed.

However it looks like the policy is being filtered out - not sure why as its link enabled and aimed at the correct OU. The OU has the computer object in it (aimed at computers OU)  - Should i aim the OU at the users container instead?
Screen-Shot-2020-07-16-at-10.26.33.png
Screen-Shot-2020-07-16-at-10.28.49.png
Screen-Shot-2020-07-16-at-10.38.01.png
James RankinMedia Hound
CERTIFIED EXPERT

Commented:
Is the GPO "Link Enabled"?
James RankinMedia Hound
CERTIFIED EXPERT

Commented:
A Startup Script is a Computer setting, so scoping it to users is pointless. Normally the "unknown reason" points to the Domain Computers group being missing, but screenshots look like this is done. Is replication working OK?
Hello ThereSystem Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
If the GPO is filtered out, you need to open GPMC -> click to select the GPO -> Scope tab -> Security Filtering -> verify you see Authenticated Users 

Author

Commented:
Hello, the security filtering has authenticated users listed.

Cant see any issues when running real /summary,

Any others things to check?
Screen-Shot-2020-07-16-at-14.33.25.png
Hello ThereSystem Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Yes. You can check the Delegation tab. Can you provide a screenshot?

Can you run gpupdate /force and reboot once again?

Author

Commented:
Rebooted again after forcing the policy but still the app is not being ripped out!

Screenshot attached

Thanks for your patience!
Screen-Shot-2020-07-16-at-16.20.44.png
Screen-Shot-2020-07-16-at-16.28.40.png
James RankinMedia Hound
CERTIFIED EXPERT

Commented:
Have you tried it with the MSI located locally?
CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018

Commented:
In the GPMC, in the "Details" tab of the GPO - is the GPO status set to either "Enabled" or "User configuration settings disabled"? Anything else is wrong.

Author

Commented:
Hi, yes the details tab states 'enabled' for all settings.

When i run the .bat manually on the client it does prompt to select 'yes' or 'no' to uninstall, I wonder if I need to make it a silent switch in order for the GP to work?
Screen-Shot-2020-07-17-at-11.24.03.png
CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018

Commented:
Sorry, missed that; add a /qn to the mix (and maybe a /norestart)
start "" /wait msiexec.exe /x "\\192.168.xx.xxx\SEPM Deployment Share\Sep64.msi" /qn /l*v "\\192.168.xx.xxx\SEPM Deployment Share\logfile"

Open in new window

Hello ThereSystem Administrator
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Under delegation the authenticated users have read and apply GP.

One thing to note is when I attempt to run the .bat script from the SYSVOL share it fails with the attached.
Screen-Shot-2020-07-17-at-12.36.07.png
CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018

Commented:
That's not a failure; you can ignore that message. It's not an error, it's just a hint. Since the script only uses absolute paths, it doesn't matter where the current directory is.

Author

Commented:
Ah i see.

So i I've set the following script:

start "" /wait msiexec.exe /x "\\192.168.xx.xxx\SEPM Deployment Share\Sep64.msi" /qn /l*v "\\192.168.xx.xxx\SEPM Deployment Share\logfile"

But it still does not work!

Copied the .bat from the SYSVOL folder to the client desktop and ran it but it the cmd prompt just hung, nothing happened?

The logged in user is the domain admin as well.
Screen-Shot-2020-07-17-at-13.27.34.png
CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
OK thanks.

i ran it from the desk as 'run as admin'. The prompt appeared and then disappeared. Where do I add the 'no restart 'bit? Maybe it needs to restart?

Log file attached

Hopefully get this fixed soon!
logfile-from-SEPM-uninstall.txt
CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Hello ThereSystem Administrator
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Hello again, been testing this and it's still not working - the log is attached. And it's worth noting that this log file is populated only when I run the script directly from the client, it does not work when GP is allowed to do its thing
For-Exchange-Experts.txt
IusingthissctiptUninstallSepAgent.txt
Screen-Shot-2020-07-22-at-21.12.14.png
Screen-Shot-2020-07-22-at-21.09.31.png

Author

Commented:
Don't know if its related but when I run the GP modeller from the Computers OU it comes back with 'The wizard was unable to generate the computer or users data due to insufficient permissions'  - details - A directory Service error occurred'

I was logged in as domain admin
Senior IT System EngineerSenior Systems Engineer
CERTIFIED EXPERT
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Thanks again for the info.

Its been removed from features and doesn't appear in add/remoive programs but the app is still selectable from the sys tray and from the windows start button! How do I remove it completely!

Driving me mad this now!

Thank you for the help
Screen-Shot-2020-07-23-at-21.14.14.png
Hello ThereSystem Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Did you reboot?

Author

Commented:
Yes a couple of times.

Author

Commented:
Finally got the SEPM removed  - many thanks.

I'm not sure why but I tried it on a different client and it seem to work ie remove the SEPM software, strange why it doesn't work on the other client  -
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.