Uninstall ESET Endpoint Security with Intune Proactive Remediations

Last Updated on December 31, 2023 by Oktay Sari

This is going to be a short blogpost showing you how to uninstall ESET Endpoint Security with Intune Proactive Remediations. I was working on a project where the customer had Windows 10 and Windows 11 devices enrolled with Microsoft Endpoint Manager (Intune) but still used ESET Endpoint Security. One of the requirements was to migrate to Defender for Endpoint. At first I thought of and actually deployed a PowerShell script with one line to uninstall ESET, but I wanted to have a little more insights than a simple table with Succeeded as a status as shown below.

Proactive Remediations

Proactive remediations are script packages that can detect and fix issues on a device. Each script package consists of a detection script and a remediation script. You can use Intune to deploy these script packages and see more detailed reports than with simple PowerShell script deployments.

The report above looks a lot better right?

Proactive Remediations Prerequisites

Read the Microsoft documentation on proactive remediations prerequisites for any updates but here are the most important things to remember:

• Devices are (Hybrid)Azure AD joined
• Devices are enrolled with Endpoint Manager
• Devices run Enterprise, Professional, or Education edition of Windows 10 or later
• You have the correct licening;
  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows 10/11 Virtual Desktop Access (VDA) per user
• Make sure the scripts are encoded in UTF-8

Uninstall ESET Endpoint Security

Please test the scripts below on one of your test devices and see if they have the desired outcome. But let’s assume you have a Windows device with ESET Endpoint Security installed. Now let’s Uninstall ESET Endpoint Security with Intune Proactive Remediations.

The one-liner I talked earlier about is something like this:

Start-Process msiexec.exe -Argument "/x {28C6F9D2-041E-424E-90FB-EF8A7BFE7B9A} /qn /norestart"

To uninstall the application like in the example above, we will need to get the application product ID or product GUID using PowerShell:

Get-WmiObject -Class Win32_Product -Filter "Name='ESET Endpoint Security'"

If you want to list all the installed applications (No Windows Store App) on the device, you can use the command Get-WmiObject -Class Win32_Product

Normally when you uninstall ESET, it will force the device to reboot immediately and without any waring for the user. That is not a good thing to do when users are working, so make sure to include the /norestart argument.

Detect ESET Endpoint Security

Please read the docs if you’ve never used Proactive Remediations. The script below, is the detection script. Upload this as your Detection script file (UTF-8 encoding).

#===================================================================================
#
# Script Name  :Detect_ESET_installation.ps1.ps1
# Description  :Detect ESET Endpoint Security installation
# Notes        :Make sure the install location and Display Name are correct!
# Author       :Oktay Sari
# Twitter      :@oktay_sari
# Date         :31-08-2022
# Version      :1.0
# ChangeLog    :
#
#===================================================================================
# Define Variables
# Check everything under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ and look for the installation of ESET Endpoint Security.
# We will use the InstallLocation and DisplayName found here.
$appdetails = (Get-ItemProperty Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*) | Where-Object {$_.InstallLocation -eq "C:\Program Files\ESET\ESET Security\" -and $_.DisplayName -eq "ESET Endpoint Security"}

# Main script
# Check if ESET Endoint Security is installed and if it is, exit with Exit Code 1 to remediate

try {
if ($appdetails.DisplayName -eq "ESET Endpoint Security"){
Write-Output "ESET Endpoint Security is installed"
#Intune will only remediate on Exit Code 1
Exit 1
}
else {
Write-Output "ESET Endpoint Security is not installed. No action required"
Exit 0
}
}

catch{
$errMsg = $_.exeption.essage
Write-Output $errMsg
exit 1
}

The detection script checks to see if ESET Endpoint Security is installed on a device. It does this, by searching through the Windows Registry. If it finds an application with the displayname ESET Endpoint Security, it exits with an Exit code 1. Note: Keep in mind that Intune will only remediate on Exit Code 1.

Remediate ESET Endpoint Security

When the proactive remediation detection script exits with Exit Code 1, it will start the remediation script next. Upload this script as your Remediation script file (again, in UTF-8 encoding).

#===================================================================================
#
# Script Name :Remediate_ESET_installation.ps1.ps1
# Description :This Remediation script will Uninstall ESET Endpoint Security
# Notes       :Make sure the install location and Display Name are correct!
# Author      :Oktay Sari
# Twitter     :@oktay_sari
# Date        :31-08-2022
# Version     :1.0
# ChangeLog   :
#
#===================================================================================

# Define Variables
# Check everything under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ and look for the installation of ESET Endpoint Security.
# We will use the InstallLocation and DisplayName found here.
# The uninstall arguments are also build using the information in the registry. This way, it will also work if the version changes.
# The uninstall command will be something like Start-Process msiexec.exe -Argument "/x {28C6F9D2-041E-424E-90FB-EF8A7BFE7B9A} /qn /norestart"

$appdetails = (Get-ItemProperty Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*) | Where-Object {$_.InstallLocation -eq "C:\Program Files\ESET\ESET Security\" -and $_.DisplayName -eq "ESET Endpoint Security"}
$arguments = " /X " + $appdetails.PSChildName + " /qn" + " /norestart"

# main script
#region Uninstalling ESET Endpoint Security

try {
if ($appdetails.DisplayName -eq "ESET Endpoint Security") {
#Setting the ExecutionPolicy might help if you have issues with executing scripts on devices.
#Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -scope process
Start-Process "msiexec.exe" -Argument $arguments
Write-Output "ESET Endpoint Security removed"
}

else {
Write-Output "ESET Endpoint Security is not installed. No remediation required"
Exit 0
}

}

catch{
$errMsg = $_.exeption.essage
Write-Output $errMsg
exit 1
}

#endregion

The Remediation script also checks to see if ESET Endpoint Security is installed, and will uninstall ESET Endpoint Security with information found in the registry. Using this method will ensure it will work even when the application product ID or product GUID changes.

Create and deploy the script package

Here’s my configuration in Endpoint Manager. Make sure you run the script in 64-bit PowerShell.

For the deployment, I selected All devices and scheduled it to run every hour. Configure these settings to your own needs. Please note that you can also use device filters to further segment your deployment.

Test your proactive remediation deployment

The devices will retrieve the proactive remediation scripts after a reboot, after a user signs in, or when there’s a sync. It will further check-in once every 8 hours based on when the Intune management extension service started. Please read the docs for more info. Based on this information, let’s reboot our test device and see what happens. It might take a while before the script runs the first time so wait a little longer or reboot again if you’re fingers are itchy.

Don’t worry, you will uninstall ESET Endpoint Security with Intune Proactive Remediations. If for what ever reason, you’re not able to do so, you can always fall back to a simple one-liner 😉

After a while, you can see that ESET has been uninstalled. When you query installed applications, you won’t see ESET Endpoint Security in the list.

When you look in Endpoint Manager, you can see in the Proactive Remediation reports, that the issue has been fixed.

Final thoughts

I realize it’s not the most elegant PowerShell script and some improvements can be done. For example, Defender for Endpoint needs to take over the protection and devices need to be rebooted to complete the uninstall and switch to MDE. I was thinking of using Proactive remediations to also show a toast notification, but I’m not sure If it can be done using the same script since I’m not running the script using the logged-on user credentials. I will have to test with that and see if it works and update this post later on. Of course you can use this script to uninstall any application, just change the parameters for the application you want to uninstall.

Please let me know if you managed to uninstall ESET Endpoint Security with Intune Proactive Remediations. If you did run into any kind of issues, let me know to. And finally, if you think there’s a better, more elegant way to do this, please share the knowledge so we can all learn.