Uninstall Indicators of Attack
To uninstall the Indicators of Attack (IoA) module, you run a command that creates a new Group Policy Object (GPO) called Tenable Identity Exposure cleaning.
The uninstallation process uses this new GPO by default to clean out previously installed GPOs and their SYSVOL files, the registry setting, the advanced logging policy, and the WMI filters.
To uninstall the IoA module:
- In the command-line interface, run the following command to uninstall the IoA module:
    Register-TenableIOA.ps1 -Uninstall
- Replicate this new GPO over the entire domain. The script enforces a 4-hour delay for the replication to complete.
- Run the following command to delete the cleaning GPO:
    Remove-GPO -Guid <GUID> -Domain "<DOMAIN>"
- Optional: Run the following command to verify that the GPO no longer exists:
    (Get-ADDomainController -Filter *).Name | ForEach-Object { Get-GPO -Name "Tenable.ad cleaning" -Server $_ } | Select-Object DisplayName | Measure-Object
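
The following is an added example, not part of the original page or of Tenable's scripts. It reports, for each domain controller, whether the cleaning GPO object is present and what its GUID is, so the same check can confirm the GPO has replicated, supply the <GUID> for Remove-GPO, and confirm removal afterward. It assumes the ActiveDirectory and GroupPolicy modules are installed; the function name Get-CleaningGpoStatus is hypothetical, and the GPO display name is a parameter because it depends on your environment.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy

# Hypothetical helper (added example): read-only, makes no changes to the domain.
function Get-CleaningGpoStatus {
    [CmdletBinding()]
    param(
        # Display name of the cleaning GPO as it appears in your environment.
        [Parameter(Mandatory)] [string] $Name,
        # DNS name of the domain, the same value used for <DOMAIN> above.
        [Parameter(Mandatory)] [string] $Domain
    )

    # Enumerate every domain controller in the target domain.
    $dcs = Get-ADDomainController -Filter * -Server $Domain

    foreach ($dc in $dcs) {
        $gpo = $null
        $detail = $null
        try {
            # -Server pins the query to this DC instead of whichever DC answers by default.
            $gpo = Get-GPO -Name $Name -Domain $Domain -Server $dc.HostName -ErrorAction Stop
        } catch {
            # Covers both "GPO not found" and "DC unreachable"; the message tells them apart.
            $detail = $_.Exception.Message
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            Present          = [bool]$gpo
            Guid             = if ($gpo) { $gpo.Id } else { $null }
            Detail           = $detail
        }
    }
}

# Usage with placeholder values:
# Get-CleaningGpoStatus -Name '<GPO display name>' -Domain '<DOMAIN>' | Format-Table -AutoSize
```

Before deletion, every row should show Present as True with the same Guid; after deletion, every row should show Present as False with a "not found" message in Detail rather than a connection error.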