You can remotely uninstall an agent from Windows endpoints using an Agent Management Job.

An Agent Management Job allows you to uninstall the agent from the Ivanti Endpoint Security Web console.

Prerequisites:

• You completed the configuration needs for an Agent Management Job. Refer to Agent Management Job Checklist for a description.
• Verify that your target endpoint that you installed an agent on is a Windows endpoint. Mac, Linux, and UNIX endpoints cannot have agents uninstalled using an Agent Management Job.
• The agent status for the endpoint is Online.

You complete the Agent Management Job within the Ivanti Endpoint Security Web console using an easy-to-use wizard. Configuration occurs in the Uninstall Agents Wizard.

Configuration of the Agent Management Job is similar to configuration of a Discovery Scan Job.

1. Begin configuration of the Uninstall Agent Wizard.
   Complete one of the following sets of steps to begin configuration:

Context	Steps
To open the Wizard without targets predefined:	Select Discover > Assets and Uninstall Agents.
To open the Wizard with target predefined:	Select Manage >Endpoints. Select the endpoints you want to uninstall agents from. From the toolbar, select Manage Agents > Uninstall Agents.

The wizard opens to the Job Name and Scheduling page.


2. [Optional] Type a new name in the Scan job name field.

   By default, a new Agent Management Job for uninstallation is named New Agent Uninstall Management Job, followed by the server's date and time, which is formatted according to your browser's locale setting.

3. Schedule the job, using one of the following methods.

   Tip: During job scheduling, you can use the following shortcuts:

   • Click the Calender icon to select a Start date. Selecting a date automatically fills the Start date field.
   • Click the Clock icon to select a Start time. Selecting a time automatically fills the Start time field.

Method	Steps
To schedule an immediate job:	Select the Immediate option.
To schedule a one-time job:	Ensure the Once option is selected. Define a start date by typing a date in the Start date field. Type the date in a mm/dd/yyyy format. Define a start time by typing a time in the Start time field. Type the time in hh:mm format followed by AM or PM (if necessary). This field supports both 12- and 24-hour time. Tip: Scheduling a one-time job for a past date and time will launch the job immediately.
To schedule a recurring weekly job:	Select the Weekly option. Define a start date by typing a date in the Start date field. Type the date in a mm/dd/yyyy format. Define a start time by typing a time in the Start time field. Type the time in hh:mm format followed by AM or PM (if necessary). This field supports both 12- and 24-hour time. Define the day of the week the job runs by selecting a day from the Run every week on the following day list.
To schedule a recurring monthly job:	Select the Monthly option. Define a start date by typing a date in the Start date field. Type the date in a mm/dd/yyyy format. Define a start time by typing a time in the Start time field. Type the time in hh:mm format followed by AM or PM (if necessary). This field supports both 12- and 24-hour time. Define the day of the month the job runs by typing a day in the Run every month on the following day field.

Tip: One-time and recurring jobs scheduled for the last day of a 31-day month are automatically rescheduled for the last day of shorter months.

4. Click Next.
   The Targets page opens.
   
5. Define targets (endpoints) for the job to locate.
   Use one or more of the following discovery methods.

Method	Steps
To define targets using a single IP address:	From the Scan for list, select Single IP Address. Type an IP address in the empty field. Wildcards are supported. For additional information, refer to Defining Targets Using Wildcards. Edit the Timeout list. The Timeout list defines the number of seconds before a scan fails due to inactivity for a particular target. Under most network conditions, the Timeout field does not require editing. Edit the Number of retries list. The Number of retries list defines the number of times a scan retries on that target if the scan times out.
To define targets using an IP range:	From the Scan for list, select IP Range. In the first empty field, type the beginning of IP range. Wildcards are supported. For additional information, refer to Defining Targets Using Wildcards. In the second empty field, type the ending of the IP range. Edit the Timeout list. The Timeout list defines the number of seconds before a scan fails due to inactivity for that particular target. Under most network conditions, the Timeout field does not require editing. Edit the Number of retries list. The Number of retries list defines the number of times a scan retries on that target if the scan times out.
To define targets using a computer name:	From the Scan for list, select Computer name. In the empty field, type an endpoint name. Use one of the following formats: endpointname or domain\endpointname.
To define targets using network neighborhood:	From the Scan for list, select Network Neighborhood. From the second list, select the desired network neighborhood.
To define targets using active directory:	From the Scan for list, select Active Directory. In the Fully-qualified domain name field, type the DNS domain name of the domain controller you want to scan. For example, if your domain controller DNS name is box.domain.company.local, you would type domain.company.local in this field. Optionally, in the Organizational Unit field, type the active directory organizational unit string from specific to broad, separating each string with front slashes (such as Techpubs/Engineering/Corporate). The omission of this field returns job results containing the full contents of all the active directory organizational units. View the following figure for an example of how to enter data using Active Directory. In the Domain controller field, type the domain controller IP address. In the Username field, type a user name that authenticates with the domain controller. Type the user name in one of the following format: domainname\username or username. In the Password field, type the password associated with the user name.
To define targets using an imported file:	From the Scan for list, select Import file. Click Browse. Browse to the file you want to use for target discovery. The following file types are supported: .txt and .csv. Click Open.

Active Directory Input Example:



6. Add targets to the wizard list. This list indicates whether defined targets are included in or excluded from the job.
   Use one of the following methods.

   You must include at least one target for Next to become available. You can also delete targets from the list by selecting the applicable check boxes and clicking Remove.

   • To include defined targets in the job, click Exclude from Scan.
   • To exclude defined targets from the job, click Add to Scan.

Tip: Repeat this step to add additional targets to the list.

7. [Optional] Edit the Targets list.
   • To remove targets from the list, select the list item(s) and click Remove.
   • To edit targets on the list, select the list item(s) and click Edit.

     For additional information on editing, refer to Editing Targets in the Endpoint Security Help.

8. Click Next.
   The Options page opens.
   
9. Select or clear the desired Scan Options.
   The following table defines each Scan Option.

Option	Description
Verify With Ping	Jobs using this option send ping requests to all network endpoints targeted for discovery. Endpoints that respond to the request are flagged for scanning; unresponsive endpoints are skipped. Endpoints unresponsive to Verify With Ping are not scanned by other selected discovery options. Anti-virus software and host firewalls may block Verify With Ping. If necessary, adjust any antivirus and firewall configurations to permit ping requests.
ICMP Discovery	Jobs using this option request a series of echoes, information, and address masks from endpoints. Endpoint responses are then compared to a list of known ICMP fingerprints to identify endpoint operating systems. ICMP Discovery is ineffective on endpoints configured to ignore ICMP requests. For best results identifying Windows operating systems, use this option in conjunction with Windows Version Discovery.
Port Scan Discovery	Jobs using this option perform a limited scan on endpoint FTP, Telnet, SSH, SMTP, and HTTP ports. Based on the application banners found in these ports, endpoint operating systems are generically identified. For best results in identifying Windows operating systems, use this option in conjunction with Windows Version Discovery.
SNMP Discovery	Jobs using this option request system properties for SNMP devices (routers, printers, and so on) from the management information base. Following credential authentication, SNMP devices are identified. Without authenticated credentials, SNMP devices ignore SNMP Discovery requests. In this event, one of two outcomes occur: the SNMP device is misidentified as a UNIX endpoint or the SNMP device is not detected. Jobs with no SNMP credentials use the public credential by default.
Windows Version Discovery	Jobs using this option identify an endpoint's specific version of Windows following generic operating system identification during ICMP or Port Scan Discovery. Correct operating system identification is contingent upon authenticated credentials. This option must be used in conjunction with either ICMP or Port Scan Discovery.
Resolve DNS Names	Jobs using this option acquire the endpoint DNS name through a local DNS server query. These names are displayed in job results for easy endpoint identification.
Resolve MAC Addresses	Jobs using this option acquire endpoint MAC addresses through endpoint queries. These addresses are displayed in job results for easy endpoint identification. Monitor network inventory reports to prevent MAC address spoofing that may alter the Resolve MAC Addresses results.
Resolve NetBIOS Names	Jobs using this option acquire endpoint NetBIOS names through WINS NetBIOS mapping. These names are displayed in job results for easy endpoint identification.

10. Click Next.
    The Credentials page opens.
    
    
11. Define Windows credentials for the target.
    Type the applicable information in the following fields.

    When configuring an Agent Management Job, you must define valid Windows credentials.

Field	Description
Username	A user name that authenticates with Windows-based endpoints. Type the user name in a local format (UserName) or a domain format (DOMAIN\UserName). When configuring Agent Management Jobs, Ivanti recommends using the built-in Administrator account.
Password	The password associated with the Username.
Confirm password	The Password retyped.

12. Click Next.
    The Agent Settings page opens.
    
    
13. Define the Distribution options.
    The following table describes each list their available values.

List	Description
Timeout (list)	Defines the number of minutes before the Agent Management Job terminates an install attempt due to a non-responsive agent installation or removal (0-30).
Number of retries (list)	Defines the number of attempts an agent installation or removal will retry if the initial attempt fails (1-10).
Number of simultaneous installs (list)	Defines the maximum number of agents that can installed or removed simultaneously during the job (1-25). A value of 1 indicates that serial installs or removals should occur.

14. Click Finish.

The Uninstall Agents Wizard closes. Depending on how you configured the job, it moves to either the Scheduled tab or Active tab on the Job Results page. The job will run at the applicable time, uninstalling agents on the defined targets, and move to the Completed tab when finished.

You can uninstall Ivanti Endpoint Security Agent on a Windows endpoint manually using the Agent Setup Wizard.

Prerequisites:

• You have a Ivanti Endpoint Security Agent installed on an endpoint containing a supported Windows operating system. Refer toSupported Endpoint Operating Systems for a list of supported operating systems.
• Ensure you are logged on with an administrative user account.

To uninstall the agent, perform the following procedure on an endpoint with a supported Windows operating system.

1. Open Add or Remove Programs.
2. Uninstall the Ivanti Endpoint Security Agent.

   Tip: You can also uninstall the agent by downloading and opening the Agent Setup Wizard. For additional information about obtaining this wizard, refer to Downloading the Installer.

The Agent Setup Wizard opens to the Authorization Required to Upgrade or Uninstall page.

The Authorization Required to Upgrade or Uninstall page does not open when the Agent Uninstall Protection policy is set to Off for the endpoint. For additional information on agent uninstall protection, refer to Editing an Agent Policy Set in the Ivanti Endpoint Security User Guide.
If this page does not open, proceed to 4.

3. Type the global uninstall password or the agent uninstall password for the endpoint in the Global or agent uninstall password field and click Next.

   Ivanti does not recommend providing end users with the global uninstall password in uninstall scenarios. The Global uninstall password should be used by the Ivanti Endpoint Security Administrator only.

Tip: Use the Ivanti Endpoint Security Web console to find these passwords.

• View an endpoint uninstall password from its Endpoint Details page.
• View the global uninstall password from the Agent Policy Sets page by editing the Global System Policy.

The Previous Agent Installation Detected page opens.


4. Select the Uninstall the agent option and click Uninstall.
   The uninstall begins. Upon completion, the Uninstall Complete page opens.

   If the Microsoft Visual C++ 2010 Redistributable package or later was installed during agent install, it is not removed during agent uninstall.

5. Complete the uninstall.
   • If no further steps are needed, click Close.
   • If you are prompted to reboot your endpoint, click Restart Now.
     The agent is uninstalled.

     Tip: If desired, you may reinstall the agent. Refer to Understanding Agent Installation Methods for additional information.

Instead of using the Agent Install Wizard, you can open a prompt and uninstall the agent with a command.

1. From the endpoint where you'll be uninstalling the Ivanti Endpoint Security Agent, open a command prompt as administrator.
   Open the Start Menu or Start Screen and search for cmd. Right-click it and select Run as administrator.
   
2. Change to the Ivanti Endpoint Security Agent live directory.
   It's usually located at %Program Files%\HEAT Software\EMSSAgent\live, but it may be in a different place if you installed it in a custom location.
   
3. Remove the agent by entering the uninstall command along with the agent's uninstall password: lmuninstall %agentUninstallPassword%.
   
   

Tip: You can find the uninstall password by navigating to the agent's Endpoint Details page in the Ivanti Endpoint Security console.


The agent uninstall begins (but there won't be anything on screen that indicates this action is occurring.)

The agent uninstall completes when you can type text in the command prompt again.

The agent listing is also removed from the Ivanti Endpoint Security console.