Decommissioning Symantec EDR


Article ID: 223603


Updated On:


Endpoint Detection and Response


You are planning to remove an Endpoint Detection and Response appliance from your environment and need guidance on what to consider.


Before deactivating EDR, consider connected applications such as SEP, Splunk, and OAuth. The goal is to avoid issues after shutdown that would require the same EDR appliance to be brought back online.


Release: All versions of EDR


When removing the SEPM Controller connection, EDR sends a removal command that restores the Insight policy to the default Insight policy. 

EDR might not delete the Symantec EDR Quarantine Policy or the Symantec EDR Host Integrity Policy. If they still exist after the SEPM connection is removed, disable them manually.

For other connectors, such as Splunk, EDR does not need to be online for the receiving end of their functions to be removed. Other considerations depend only on the administrator's policy and preference.
Environmental considerations and cleanup (DHCP reservations, DNS entries, user accounts, etc.) are not considered here.