Advanced Threat Protection PlatformEndpoint Detection and ResponseEndpoint Detection and Response Hardware
Issue/Introduction
We are in the process of decommissioning the EDR appliances. Ideally we would like to remove all data before turn off the appliances.
Environment
Release : 4.3.0
Component :
Resolution
In EDR UI, on Settings> Global, removing each SEPM Controller connection, then remove each SEP DB connection and waiting 24 hours will remove the SEP client data.
In EDR UI on the Settings> Global page, delete every other setting except for DNS and IP address.
After removing the SEPM Controller connections and SEP DB connections to prevent new events entering the event database, leave the EDR booted up and running for the vm or physical machine. EDR will automatically prune data due to age.