Uninstall Indicators of Attack

Required Role: Administrator on the local machine.

To uninstall the Indicators of Attack (IoA) module, you run a command that creates a new Group Policy Object (GPO) called Tenable Identity Exposure cleaning.

The uninstallation process uses this new GPO by default to clean out previously installed GPOs and its SYSVOL files, the registry setting, the advanced logging policy, and the WMI filters.

Note: If you changed the name of the initial GPO, you must pass it to the uninstaller so that it knows which GPO to uninstall. To pass the new GPO name, use the parameter -GpoDisplayName.

To uninstall the IoA module:

  1. In the command-line interface, run the following command to uninstall the IoA module:

    Register-TenableIOA.ps1 -Uninstall
  2. Replicate this new GPO over the entire domain. The script enforces a 4-hour delay for the replication to complete.

  3. Run the following command to delete the cleaning GPO:

    Remove-GPO -Guid <GUID> -Domain "<DOMAIN>"
  4. Optional: Run the following command to verify that the GPO no longer exists:

    (Get-ADDomainController -Filter *).Name | Foreach-Object {Get-GPO -Name "Tenable.ad cleaning"} | Select Displayname| measure