There is a lot of controversy out in the ether as to the best way to uninstall SEP 12.1 on a massive scale. In my situation SEP has been nothing but a nightmare when it comes to managing endpoints. Some have worked flawlessly, while others just randomly “break” and need to be fixed. This process involves going from machine to machine, running Symantec’s “Clean Wipe” utility, rebooting several times, then finally re-installing SEP.

We’re at a point now where several endpoints are not communicating correctly with the parent server. There are also several duplicate GUIDs within the parent server, causing machines to show up as not protected. In reality, these endpoints are fine, just not communicating with the parent server. Symantec recently released an update for SEP 12.1. We wanted to solve all of these issues with the parent server and “broken endpoints” before we upgrade everyone. So, I started browsing the web for the best solution to do a mass uninstall of SEP. We would then virtualize the Symantec parent server and re-push the SEP agents out to each machine. After digging around, the best solution I found was to go to Add/Remove Programs and uninstall SEP. In an office with a handful of machines, this might be practical. However, in our environment, with 150 nodes, visiting each desk is simply not an option.

I went into the registry and found the location of the uninstall script for Symantec Endpoint Protection:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{87C925D6-F6BF-4FBD-840B-53BAE2648B7B}

This registry key lists all of the information about the version of SEP, install location, etc. What we’re interested in, though, is the “Uninstall Script” key here in the registry. Copy this location to Notepad, or write it down. While a portion of this script looks like a random set of numbers, it’s actually the same process ID used across all installs of SEP.

Now, you can take this uninstall script and throw it into your favorite scripting engine for deployment across the network; in our situation it’s KACE. Use MSIExec.exe with the appropriate switches to uninstall SEP throughout your environment.
In my case:
msiexec.exe /x {87C925D6-F6BF-4FBD-840B-53BAE2648B7B} /passive
worked very well. The “/x” switch signals an uninstall, while the “/passive” switch allows for no user interaction.

Be careful using the passive switch, as it may unexpectedly reboot your users’ computers.
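
The steps above as one PowerShell script. This is an added example, not code from the original post: it reads the GUID from the Uninstall registry key on each machine instead of hardcoding it, adds msiexec's /norestart switch so the uninstall cannot reboot a user's computer, and writes a verbose log. The parameter names, the log location and the report-only default are assumptions made for this example.

```powershell
# Added example, not from the original post. Assumes it runs elevated on the
# endpoint (for instance as a KACE script task). Parameter names are hypothetical.
param(
    [string]$NamePattern = 'Symantec Endpoint Protection*',
    [string]$LogDir      = $env:TEMP,   # constructed default; point it at a share if preferred
    [switch]$Execute                    # without this switch the script only reports
)

# MSI products register under the native and the 32-bit (WOW6432Node) Uninstall keys.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Keep only entries whose key name is a GUID, i.e. entries msiexec /x can act on.
$entries = @(Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern -and
                   $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' })

if ($entries.Count -eq 0) {
    Write-Output "No entry matching '$NamePattern' found; nothing to do."
    exit 0
}

foreach ($entry in $entries) {
    $guid = $entry.PSChildName
    $log  = Join-Path $LogDir "sep-uninstall-$guid.log"
    # /norestart keeps msiexec from rebooting on its own; /l*v writes a verbose log.
    $msiArgs = "/x $guid /passive /norestart /l*v `"$log`""
    Write-Output "$($entry.DisplayName) $($entry.DisplayVersion): msiexec.exe $msiArgs"

    if ($Execute) {
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
        switch ($proc.ExitCode) {
            0       { Write-Output 'Uninstalled.' }
            3010    { Write-Output 'Uninstalled; reboot still required (suppressed by /norestart).' }
            default { Write-Output "msiexec exit code $($proc.ExitCode); see $log" }
        }
    }
}
```

Run it without -Execute first and collect the output to confirm which GUID and version each endpoint reports. Machines that return exit code 3010 still need a reboot scheduled at a time that suits the user.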