Endpoint Protection

View Only

Centrally managed 14.3 client uninstallation with password

Sepe posted Apr 02, 2025 01:28 AM

I recently updated SEPM to 14.3 RU10. With this update, it's no longer possible to remove the client password settings. Now we are updating clients with RU10 and some of the clients fail updating so we would need to first remove the old client (mostly the problem updating has been noticed with 14.3.7388.4000 or some older versions). Updating and also the removing should be done with SCCM, but now we are stuck, as the uninstallation asks for a password and it apparently cannot be set in the SCCM job. There are several servers, where this needs to be done, so going manual is not an option. Does anyone have encountered this and if so, what would be the correct procedure to get the uninstallation done? Clean Wipe also does not accept any command line so that is not an option either? OS usually is Windows 2016, also some Win 10 workstations are noticed to fail the update.

Alex Milford posted Apr 03, 2025 08:37 AM

Did you see the Release Notes about this? What's new for Symantec Endpoint Protection 14.3 RU10?

Seems that there is now a global default client password, but it can still be overridden at the group level.

Sepe posted Apr 04, 2025 12:42 AM

Yes, I did (obviously ;-> ) read the release notes before, but here the problem is, that what ever the password is, it cannot be embedded in the SCCM job. I got info from Support, "Unfortunately, for now there is no option to uninstall using SCCM as password is required (and I confirm that the password is also required when using the CleanWipe tool), " But apparently a patch is on the way within a few weeks, that allows the password to be removed, so the uninstallation can be done without the password.

Benjamin John posted Apr 09, 2025 02:54 PM

Just ran into this issue. Stupid Broadcom always screwing something up.

Benjamin John posted Apr 10, 2025 02:06 PM

@sepe They have released a refresh version.

Sepe posted Apr 11, 2025 12:18 AM

Yea, I also noticed the "refresh" yesterday, so fingers and toes crossed, that it has the needful. Let's see, (when I have the time to do the update...)

Scarlet Penn posted Apr 11, 2025 01:52 AM

The new SEPM 14.3 RU10 update is causing issues with client password settings, making uninstallation via SCCM tricky. You can try using a script with the Symantec_Cleanup tool to silently remove the client, or create a custom uninstall script to bypass the password prompt. If Download Scarlet doesn’t support CleanWipe, ensure you're using the latest tools for better compatibility with RU10.

Sepe posted Apr 11, 2025 05:55 AM

I'll try the update at some point. I also sincerely hope, that there is no such thing as a custom script, that can bypass the password prompt. If there is, quite a flaw in security, if the product could still be uninstalled without a password, a hackers dream...

Broadcom Employee Russ_V posted Apr 11, 2025 05:40 PM

Sepe, and others,

Thanks for reaching out to the Broadcom Community.

Starting with the upgrade to SEPM 14.3 RU10 Build 27659, we added a mandatory client password requirements to improve the security of our product. One of these changes was to remove the ability to disable the client password requirement in the Symantec Endpoint Protection Manager.

As per the discussion in this forum and concerns raised to Broadcom Support, this specific change has been reverted and we have released a new SEPM 14.3 RU10 (Refresh) version (Build 27665) on April 8th to restore this ability.

Kindly upgrade to the latest SEPM 14.3 RU10 (Refresh) version (Build 27665) to be regain the option to remove the mandatory client password.

Once removed, try to reinstall our product again.

For more information see the latest release notes:
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/release-notes/Whats-new-for-Symantec-Endpoint-Protection-14-3-RU10.html

Let me know if you need anything else.

Best,

Russ_V

Sepe posted Apr 23, 2025 04:03 AM

Just curious about the SQL rights required on this refresh update. Usually the version update requires SA rights on the SQL server, does this refresh also need that much rights, or are the usual DB owner rights enough with this, if the only change here is the possibility to remove the password setting on the manager?

Also besides this point I have been wondering, that why so much rights are required in the first place? We have our Manager DB in a SQL hotel, where also several other applications have their DB:s, so it's always a bit unconfortable to run the update if it does change something that affects the other applications.

Scarlet Penn posted Aug 03, 2025 07:20 AM

After updating SEPM to 14.3 RU10, client uninstall password settings can no longer be removed remotely, and since SCCM cannot pass the uninstall password, updating or removing older clients (e.g., 14.3.7388.4000) is failing. Vedu doesn’t support command-line use, making manual removal impractical across multiple servers. A viable workaround is using Symantec’s SEPPrep tool, which allows scripted uninstallation with password support and can be deployed via SCCM. Alternatively, if the uninstall password is known, a scripted MSIEXEC command with the password may work. For large-scale environments, contacting Broadcom for a CleanWipe version or tool with silent password handling is recommended.