Uninstall Indicators of Attack

Required Role: Administrator on the local machine.

To uninstall the Indicators of Attack (IoA) module, you run a command that creates a new Group Policy Object (GPO) called Tenable Identity Exposure cleaning.

The uninstallation process uses this new GPO by default to clean out previously installed GPOs and its SYSVOL files, the registry setting, the advanced logging policy, and the WMI filters.

Note: If you changed the name of the initial GPO, you must pass it to the uninstaller so that it knows which GPO to uninstall. To pass the new GPO name, use the parameter -GpoDisplayName.

Manual Removal of Outdated GPO Folders from SYSVOL

In some cases, when reinstalling the IoA GPO, older folders may remain in the SYSVOL directory due to a Microsoft feature. If the Directory Listener recognizes these outdated folders as the IoA folder, it can lead to detection failures.

Perform the following procedure to ensure a clean removal of outdated IoA GPO folders, preventing detection issues during reinstallation.