Decommissioning Symantec EDR


Article ID: 223603


Updated On:


Endpoint Detection and Response


You are planning to remove an Endpoint Detection and Response appliance from your environment and need guidance on what to consider.


Before deactivating the EDR, consider connected applications such as SEP, Splunk, and OAuth. The goal is to avoid issues after shutdown that would require the same EDR to be recommissioned and brought online again.


Release: All versions of EDR


Decommissioning is complete when the SEPM connector is removed via the EDR Web UI. When the SEPM Controller connection is removed, EDR sends a removal command that restores the Insight policy to the default Insight policy. All other policies from the EDR are removed. This restores the SEPM to its pre-EDR configuration and ensures the EDR does not need to be powered on again.

For other connectors, such as Splunk, EDR is not required to be online in order to remove the receiving end of their functions. Other considerations depend only on the administrator's policy and preference.
Environmental considerations and cleanup (DHCP reservations, DNS entries, user accounts, etc.) are not considered here.