
How To Uninstall Microsoft Advanced Threat Analytics Gateway From Windows Server Core? #ATA


Microsoft Advanced Threat Analytics (ATA) is a security product that helps to protect an enterprise network from advanced forms of cyberattack.

In this article, we will show you how to uninstall the Microsoft Advanced Threat Analytics Gateway from Windows Server Core.

Introduction

A while ago, I wrote a step-by-step guide on how to install and evaluate Microsoft Advanced Threat Analytics (ATA).

Microsoft Advanced Threat Analytics or ATA gathers information from Windows logs and uses deep packet inspection techniques to evaluate trends in network traffic to and from domain controllers and the behavior of users, devices, and resources. This way, ATA can detect suspicious activity generated by the various phases of an attack and generate alerts that specify the type of attack that might be in progress and the systems that are involved.

You can learn more about Microsoft Advanced Threat Analytics here.

The ATA product is divided into the following components:

  • ATA Center is the focal point of the ATA product and requires a dedicated server known as the ATA Center. This computer is the receiver of the information gathered from your domain controllers, and the place where the threat analysis occurs.

The ATA product also supports two types of gateways, as follows:

  • ATA Gateway runs on a standalone server and gathers information from domain controllers using port mirroring and event forwarding.
  • ATA Lightweight Gateway runs on a domain controller itself and gathers information locally.

Both gateway types perform many of the same functions. The standalone ATA Gateway can service multiple domain controllers, up to a maximum of 50,000 packets per second of domain controller traffic. However, the ATA Lightweight Gateways service only the domain controllers on which they are installed, and support up to 10,000 packets per second.

Scenario

To increase your domain controllers’ security further, it’s recommended to use Windows Server Core when possible.

In my environment, I have AD installed on Windows Server Core and I am leveraging the ATA Lightweight Gateway. The ATA architecture looks something like this:

[Screenshot: Uninstall-ATA-ServerCore-02]

As the network started growing, I decided to move the ATA Gateway to a dedicated server instead of using the Lightweight approach.

The new ATA architecture looks something like this:

[Screenshot: Uninstall-ATA-ServerCore-14]

In this scenario, I need to uninstall the ATA Lightweight Gateway service from the domain controller. Since I am using Windows Server Core, there is no Programs and Features applet (appwiz.cpl) available to uninstall the program.

Uninstall ATA Lightweight Gateway

To check the list of installed applications on Windows Server Core, you can run the following PowerShell command:

Get-WmiObject Win32_Product | Format-List

[Screenshot: Uninstall-ATA-ServerCore-06]

By default, you can see the list of installed applications in the Registry located under the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

You can open the Registry in Windows Server Core by running the “regedit” or “regedt32.exe” command. In this example, we will use PowerShell.

Open Windows PowerShell as Administrator and run the following command:

Get-ChildItem -Path Registry::HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall -Recurse `
 | Get-ItemProperty | Where-Object {$_.DisplayName -eq "Microsoft Advanced Threat Analytics Gateway"} `
 | Select DisplayVersion, InstallDate, DisplayName, UninstallString, QuietUninstallString, PSPath, PSParentPath

This command uses the Get-ChildItem cmdlet to enumerate the subkeys under the Uninstall key, addressed here through the Registry:: provider path (equivalent to the HKLM: drive, which corresponds to the HKEY_LOCAL_MACHINE hive). It pipes each subkey to the Get-ItemProperty cmdlet to read its values in a readable form, then to the Where-Object cmdlet, which keeps only the entry whose DisplayName is “Microsoft Advanced Threat Analytics Gateway”, and finally to Select-Object to display the chosen properties.

[Screenshot: Uninstall-ATA-ServerCore-09]

Note the key properties “UninstallString” and “QuietUninstallString” in the screenshot above.

To uninstall the ATA Gateway, you need to copy the value of “UninstallString” or “QuietUninstallString”, paste it into an elevated command prompt and then press Enter.

In this example, I will use the UninstallString option.

"C:\ProgramData\Package Cache\{1073abb4-4e39-4b2b-b0bf-e98331eb0941}\Microsoft ATA Gateway Setup.exe" /uninstall

[Screenshot: Uninstall-ATA-ServerCore-10]

As you can see below, the Microsoft Advanced Threat Analytics Uninstall wizard launches. Click Uninstall.

[Screenshot: Uninstall-ATA-ServerCore-11]

Wait a couple of seconds and the ATA gateway uninstallation will complete successfully. Click Finish and then reboot your machine.

[Screenshot: Uninstall-ATA-ServerCore-12]
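The whole procedure above (look up the uninstall command in the registry, run it, reboot) can be scripted so it is repeatable across domain controllers. The following PowerShell script is an added example written for this post; it is not code from the original article or from Microsoft. It assumes the DisplayName below matches your installed product exactly, checks both the 64-bit and the Wow6432Node Uninstall keys (the post only queries the latter), prefers QuietUninstallString when the installer registered one, and treats exit code 3010 as the standard Windows Installer "success, reboot required" result.

```powershell
# Added example (not code from the original post or from Microsoft): find the
# ATA Gateway's uninstall command in the registry, run it, and verify removal.
# Assumption: the DisplayName below matches the installed product exactly.
#Requires -RunAsAdministrator

$DisplayName = 'Microsoft Advanced Threat Analytics Gateway'

# Both Uninstall keys are checked: 64-bit installers register under the first
# path, 32-bit installers on 64-bit Windows register under Wow6432Node.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallEntry {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($Key in $UninstallKeys) {
        if (-not (Test-Path -Path $Key)) { continue }
        Get-ChildItem -Path $Key |
            Get-ItemProperty |
            Where-Object { $_.DisplayName -eq $Name } |
            Select-Object DisplayName, DisplayVersion, InstallDate,
                          UninstallString, QuietUninstallString, PSPath
    }
}

$Entry = Get-UninstallEntry -Name $DisplayName
if (-not $Entry) {
    Write-Warning "'$DisplayName' is not registered under either Uninstall key; nothing to do."
    return
}
$Entry | Format-List

# Prefer QuietUninstallString when the installer registered one; otherwise use
# UninstallString, which launches the interactive wizard shown in the post.
$Command = if ($Entry.QuietUninstallString) { $Entry.QuietUninstallString } else { $Entry.UninstallString }
if (-not $Command) { throw "No UninstallString registered for '$DisplayName'." }

# The value is a quoted executable path followed by its arguments, e.g.
#   "C:\ProgramData\Package Cache\{GUID}\Microsoft ATA Gateway Setup.exe" /uninstall
# Split it so Start-Process receives the path and the arguments separately.
if ($Command -match '^\s*"([^"]+)"\s*(.*)$') {
    $Exe, $Arguments = $Matches[1], $Matches[2]
} else {
    $Exe, $Arguments = ($Command -split '\s+', 2)
}
if (-not (Test-Path -LiteralPath $Exe)) {
    throw "Uninstaller not found at '$Exe'; the Package Cache entry may be missing."
}

$StartParams = @{ FilePath = $Exe; Wait = $true; PassThru = $true }
if ($Arguments) { $StartParams.ArgumentList = $Arguments }
$Process = Start-Process @StartParams

# 0 = success, 3010 = ERROR_SUCCESS_REBOOT_REQUIRED (standard Windows Installer codes).
switch ($Process.ExitCode) {
    0       { Write-Host 'Uninstall completed.' }
    3010    { Write-Host 'Uninstall completed; a reboot is required.' }
    default { throw "Uninstaller exited with code $($Process.ExitCode)." }
}

# Verify the product is no longer registered before rebooting.
if (Get-UninstallEntry -Name $DisplayName) {
    Write-Warning 'The product is still listed under the Uninstall keys; check the installer log.'
} else {
    Write-Host "'$DisplayName' is no longer registered. Reboot the server to finish."
}
```

Save it as a .ps1 file and run it from an elevated PowerShell session on the domain controller. The script reads the Uninstall registry keys rather than querying Win32_Product, because enumerating that WMI class makes Windows Installer run a consistency check (and possibly a repair) on every installed package, which is slow and undesirable on a domain controller.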

I hope this helps!

Until next time…

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
