Malicious Software Removal Tool Disable/Uninstall

Summary

This script disables and uninstalls the MSRT from the endpoint and provides an option to create a ticket if a failure is detected. It also saves the result to the custom field MSRT Scanner Result so that the agent is excluded from the dynamic group Malicious Software Removal Tool Uninstall-Disable group once the task has run successfully. The script can be run on demand or scheduled against the group Malicious Software Removal Tool Uninstall-Disable group.

Dependencies

Sample Run

Check the Create Ticket flag if you want a ticket created for the endpoint on failure. If you do not want to uninstall the MSRT KB890830, change the MSRTUninstall value from 1 to anything else. Then click Continue to Scheduling.

Click Run Task

Implementation

Create Task

Malicious Software Removal Tool Disable/Uninstall
To implement this script, please Add Parameter first:

Click Add Parameter on the top right side of the new script:

Set the parameter CreateTicket as a Flag with Default Value set to False, and do not turn on Required Field. With this default no ticket is created; to create a ticket on failure, change the default value to True.

Add a second parameter, MSRTUninstall, as a Number Value with Default Value set to 1, and do not turn on Required Field. With this default the MSRT patch is uninstalled if it is already installed; if the patch should not be uninstalled, change the default value to anything other than 1.

To implement this script, please create a new "PowerShell" style script in the system.

  • Name: Malicious Software Removal Tool Disable/Uninstall
  • Description: This script disables and uninstalls the MSRT from the endpoint and provides an option to create a ticket if a failure is detected. Based on the output, it sets the custom field MSRT Scanner Result.
  • Category: Security

Task Details

Script

Start by creating a row. You can do this by clicking the "Add Row" button at the bottom of the script page.

Row 1: Function: Pre-defined Variable

Paste the highlighted text:

Variable Name: Systemname
System Variable: Drop down Endpoint>Asset>Friendlyname

Row 2: Function: PowerShell Script

Paste in the following PowerShell script and set the expected time of script execution to 600 seconds.

### Region Strapper ###
$ProgressPreference = 'SilentlyContinue'
# 3072 = TLS 1.2, needed to reach the PowerShell Gallery
[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072)
Get-PackageProvider -Name NuGet -ForceBootstrap | Out-Null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

# Update the Strapper module, or install it if it is not present yet
try {
    Update-Module -Name Strapper -ErrorAction Stop
}
catch {
    Install-Module -Name Strapper -Repository PSGallery -SkipPublisherCheck -Force
    Get-Module -Name Strapper -ListAvailable | Where-Object { $_.Version -ne (Get-InstalledModule -Name Strapper).Version } | ForEach-Object { Uninstall-Module -Name Strapper -MaximumVersion $_.Version }
}
(Import-Module -Name Strapper) 3>&1 2>&1 1>$null
(Set-StrapperEnvironment) 3>&1 2>&1 1>$null

$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'
$Name = 'DontOfferThroughWUAU'
$KBNumber = '890830'

try {
    # Check if the registry path exists; if not, create it
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Set the registry key value
    Set-ItemProperty -Path $Path -Name $Name -Value 1 -Type DWord -Force
    Write-Output 'Registry key set successfully.'
    Write-Log 'Registry key set successfully.' -Level Information

    # Check if MSRT Uninstall Approved
    $MSRTUninstall = '@MSRTUninstall@'
    if ($MSRTUninstall -eq 1) {
        Write-Output 'MSRT Uninstall Approved'
        Write-Log 'MSRT Uninstall Approved' -Level Information

        # Check if MSRT is installed (Get-HotFix matches on HotFixID, which includes the "KB" prefix)
        $msrtInstalled = Get-HotFix -Id "KB$KBNumber" -ErrorAction SilentlyContinue

        if ($msrtInstalled) {
            # Uninstall MSRT (wusa.exe takes the KB number without the prefix)
            $uninstallProcess = Start-Process -FilePath "wusa.exe" -ArgumentList "/uninstall /kb:$KBNumber /quiet /norestart" -Wait -PassThru

            # 0 = success; 3010 = success, restart required
            if ($uninstallProcess.ExitCode -in 0, 3010) {
                Write-Output 'MSRT uninstalled successfully.'
                Write-Log 'MSRT uninstalled successfully.' -Level Information
            }
            else {
                Write-Output "An error occurred: MSRT uninstallation failed with exit code $($uninstallProcess.ExitCode)."
                Write-Log "An error occurred: MSRT uninstallation failed with exit code $($uninstallProcess.ExitCode)." -Level Error
            }
        }
        else {
            Write-Output 'MSRT is not installed on this system.'
            Write-Log 'MSRT is not installed on this system.' -Level Information
        }
    }
    else {
        Write-Output 'MSRT Uninstall is suspended'
        Write-Log 'MSRT Uninstall is suspended' -Level Information
    }
}
catch {
    # The "An error occurred" prefix is what the If/Then row in the task matches on
    Write-Output "An error occurred: $_"
    Write-Log "An error occurred: $_" -Level Error
}

Row 3: Logic: If/Then

Row 3a: Condition: Output Contains

In the IF part, enter An error occurred in the right box of the "Output Contains" part.

Row 3b: Function: Set Custom Field

Add a new row by clicking on the Add row button and select Set Custom Field.

Clicking Set Custom Field opens a new window.

Custom Field: MSRT Scanner Result

Value: MSRT Disable Failed

Row 3c(i): Logic: If/Then

Row 3c(ii): Condition: Value

In the IF part, enter @CreateTicket@ in the right box of the "Value contains" part, so that Value 1 Equals @CreateTicket@.

Row 3c(iii): Function: Create Ticket

Add a new row by clicking on the Add row button.

Select Function 'Create Ticket'. When you select Create Ticket, it will open up a new window.

In this window, set the Subject as Malicious Software Removal Tool Disable failed on computer: @SystemName@ of company: %companyname%.

Body as Malicious Software Removal Tool Disable failed on the endpoint. Refer to the logs: %output%

Priority set to Low

Row 3d: Function: Script Exit

Add a new row in the If section and select Script Exit.

In the script exit message, simply type Script failed to disable the Malicious Software Removal Tool. Exiting script with error. Refer to the logs: %Output%.

In the script exit message, leave it blank.

Row 4: Function: Set Custom Field

Add a new row after End If section by clicking on the Add row button and select Set Custom Field.

Custom Field: MSRT Scanner Result

Value: MSRT Disabled

Row 5: Function: Script Log

In the script log message, simply type Malicious Software Removal Tool disabled successfully. Refer to the logs: %Output% so that the script will send the results of the PowerShell script above to the output on the Automation tab for the target device.

Row 6: Complete

Deployment

It is suggested to run the task every 2 hours against the group Malicious Software Removal Tool Uninstall-Disable group.

  • Go to Automation > Tasks.
  • Search for Malicious Software Removal Tool Disable/Uninstall Task.
  • Select the concerned task.
  • Click on the Schedule button to schedule the task/script.

Select the relevant time to run the script and click the Do not repeat button.

A pop-up box will appear.

Change the number of hours to 2 and click OK.

Select the group Malicious Software Removal Tool Uninstall-Disable group as the target Device Group for the schedule.

Now click the Run button once all customization is set to initiate the task.

The task will start appearing in the Scheduled Tasks.

Output

  • Task log
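
A read-only check of the state this task is meant to leave on an endpoint, for spot-verifying machines whose MSRT Scanner Result field reads MSRT Disabled. This is an added example, not part of the original task: the function name Get-MsrtPolicyState and the MRT.exe location check are assumptions, while the registry path, value name and KB number are the ones used in the task script.

```powershell
# Added example: read-only audit, makes no changes to the endpoint.
function Get-MsrtPolicyState {
    [CmdletBinding()]
    param(
        # Defaults are the registry path, value name and KB number from the task script.
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT',
        [string]$Name = 'DontOfferThroughWUAU',
        [string]$KBNumber = '890830'
    )

    # Read the policy value and its registry type without creating anything.
    $value = $null
    $kind = $null
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $Name)) {
        $value = $key.GetValue($Name)
        $kind = $key.GetValueKind($Name)
    }

    # The task writes a DWord of 1; any other type or value is reported as not blocked.
    $offerBlocked = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($value -eq 1)

    # Get-HotFix matches on HotFixID, which includes the "KB" prefix.
    $hotfix = Get-HotFix -Id "KB$KBNumber" -ErrorAction SilentlyContinue

    # Assumption: the MSRT binary is at its usual location, %SystemRoot%\System32\MRT.exe.
    $mrtExe = Join-Path -Path $env:SystemRoot -ChildPath 'System32\MRT.exe'

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        PolicyValue   = $value
        PolicyType    = $kind
        OfferBlocked  = $offerBlocked
        HotFixListed  = [bool]$hotfix
        MrtExePresent = Test-Path -Path $mrtExe -PathType Leaf
    }
}

Get-MsrtPolicyState | Format-List
```

An endpoint whose custom field reads MSRT Disabled should report OfferBlocked as True; a False result there means the policy value was changed or removed after the task ran.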