Views:

Manual Endpoint Removal

Manually Remove from Endpoint Inventory Poseidon-mode Console

In Endpoint Inventory console, endpoints of any status, including those with status "XDR sensor enabled" or "Action Required", are all allowed to be removed.

On Endpoint Inventory, select the endpoints you would like to remove, similar to how you would enable them. After selecting endpoints, a Remove button should be shown.

^{Click the image to enlarge.}
By clicking the Remove button, a pop-up window will be shown, where you can confirm the endpoints to remove. Click Remove Now to remove the endpoints.

^{Click the image to enlarge.}

Manually Remove from Endpoint Inventory Foundation-mode Console

In the Endpoint Inventory Foundation-mode Console, only sensor-only endpoints can be removed. To remove endpoints, follow these steps:

On Endpoint Inventory, select the endpoints that you want to remove.

^{Click the image to enlarge.}
Take note that the Remove Endpoint does not apply to Standard Endpoint Protection or Server & Workload Protection agents.

You may need to remove/delete the agent from their respective product console:
- Standard Endpoint Protection > Directories > Product Servers > Apex One as a Service link > Follow Remove Agent documentation
- Server & Workload Protection > Computers > Follow Delete Computer documentation
Once it is a sensor-only agent (no Protection manager), click on Remove Endpoint button. A popup will appear, displaying the list of endpoints you've selected for removal, along with important details you should note.

^{Click the image to enlarge.}
After clicking Remove Now on the popup, it will take approximately 15 minutes for the endpoints to be removed.

An audit log Remove Agent will be created after the agents are removed, you can go to Vision One console > Administration > Audit Logs, click Account tab, and filter it by Category: "Endpoint Inventory" to see this kind of audit logs, like:

^{Click the image to enlarge.}

Auto Inactive Endpoint Removal

Endpoint Inventory Poseidon-mode Console

Click on the Settings icon to open the panel, and then you will see the settings for "Agent Removal".
By default, the "Agent Removal" settings are disabled.

^{Click the image to enlarge.}

There are two checkboxes for Agent Removal:
- Inactive agent removal
  This removes inactive agents, including persistent virtual desktop agents.
  
  ^{Click the image to enlarge.}
  
  "Non-persistent" virtual desktop agents will not be removed by this setting. You may use the next setting to remove them.
- Inactive non-persistent virtual desktop agent removal
  This only removes the "non-persistent" virtual desktop agents using a different setting of inactive days.
  
  ^{Click the image to enlarge.}

Trend Vision One Endpoint Security Foundation-mode Console

To configure auto removal settings specifically for sensor-only endpoints, click the Settings icon to open the settings panel. By default, the options under Global Settings for Inactive Endpoint Removal Settings are disabled.
There are two checkboxes available for Agent Removal:

^{Click the image to enlarge.}

Automatically remove inactive Endpoint Sensor endpoints: This setting is designed to remove inactive Endpoint Sensor agents, including persistent virtual desktop agents.

"Non-persistent" virtual desktop Endpoint Sensor agents will not be removed with this setting. You can use the next setting for that purpose.
Automatically remove inactive non-persistent virtual desktop Endpoint Sensor endpoints: This setting is specifically to remove "non-persistent" virtual desktop Endpoint Sensor agents, based on the number of inactive days specified.

^{Click the image to enlarge.}

Additionally, if you wish to remove Standard Endpoint Protection and Server & Workload Protection endpoints, the drawer contains links to documents that will guide you through the process.

^{Click the image to enlarge.}

The process of removal daily begins at 00:00 according to the Trend Vision One data center region.

Region	Removal Time
US	00:00 EST(UTC-5)
EU	00:00 CET(UTC+1)
JP	00:00 JST(UTC+9)
SG	00:00 CST(UTC+8)
AU	00:00 AEST(UTC+10)
IN	00:00 IST(UTC+5:30)
ADDA	00:00 GST(UTC+4)

Backend system starts the removal process at 00:00 local time for all companies in that region, and companies are processed one by one in sequence.
For example, company A at 00:00:01 and company B at 00:00:02, the removal process for company N might be executed at 01:00:00. The finish time for the removal process depends on the number of companies.

An audit log Remove Agent will be created after the backend server removes agents, you can go to Vision One console > Administration > Audit Logs, click Account tab, and filter it by Category: "Endpoint Inventory" to see this kind of audit logs, like:

^{Click the image to enlarge.}

Frequently Asked Questions (FAQs)

Will the removal of endpoints also remove Endpoint Basecamp?
No, it only removes the visibility from the Endpoint Inventory console and Trend Vision One components, including endpoint sensor, from the endpoint side. It does not uninstall the existing Endpoint Basecamp program and the Windows/Mac/Linux Endpoint Basecamp will continue to run.

The Endpoint Basecamp can be removed with an official uninstaller which can be requested by issuing a case through Trend Micro Technical Support.
Is it possible to manage a removed endpoint again?

After Vision One Endpoint Reconnection Release
Endpoints removed after 2024/03/25 will automatically reconnect to the original company upon boot-up. This means that once removed, as long as the endpoint is online, it will automatically revert to a manageable state without requiring reinstallation of the Agent Installer. For permanent removal after 2024/03/25, please use the XBC uninstaller.

Endpoint removed before 2024/03/25

Yes, a removed endpoint can be shown up on Endpoint Inventory console again by reinstalling the agent installer which is available from the Endpoint Inventory console.

For the following endpoints, there is no need to uninstall Endpoint Basecamp first. Reinstall the agent installer at the endpoint, and then the removed endpoints will be shown on the console.
- Windows endpoints
- Mac endpoints with installed Endpoint Basecamp version is 1.2.232 or higher
- Linux endpoints with installed Endpoint Basecamp version is 872 or higher
For Mac/Linux endpoints with lower versions, the user has to request Trend Micro Technical Support for the Mac/Linux Endpoint Basecamp uninstallation tool first.

After obtaining the uninstallation tool, execute the uninstallation tool at the endpoint and then reinstall and rerun the Endpoint Inventory Agent Installer.
- If the Trend Vision One site has been migrated before for Mac/Linux endpoints, no matter which version, please uninstall Endpoint Basecamp and then reinstall the agent installer that was downloaded from the new site.
- For Windows endpoints, re-running the original EndpointBasecamp.exe in the local Program Files folder would not make this endpoint be managed again. Only re-installing the Agent Installer on the endpoint will work.
  
  ^{Click the image to enlarge.}
How does Auto Inactive Endpoint Removal work?
The removal process includes two parts:
- Server-side:
  The Endpoint Inventory server has a daily scheduled process to check if there are inactive Trend Vision One agents to remove. If there are inactive agents that meet the removal criteria, these inactive agents' records are automatically removed from the Endpoint Inventory database, and these agents will not show on the Endpoint Inventory 2.0 console once removed. An audit log will be created for the removal, you can go to Vision One console > Administration > Audit Logs, click Account tab, and filter it by Category: "Endpoint Inventory" to see this kind of audit logs, like:
  
  ^{Click the image to enlarge.}
  
  Meanwhile, the backend server creates and queues these agents' uninstall commands for removing related Trend Vision One components running on the machines. These commands will be retrieved and executed by Basecamp on those devices.
- Endpoint-side:
  After the removal, if an inactive machine goes online and connects to the server, Basecamp will retrieve and execute the uninstall command from the server and remove the related Trend Vision One components, including endpoint sensor modules, from the machine. Eventually, only the Basecamp process is left running on the device.
Will the Removal affect agents of Cloud One Workload Security or Apex One?
No, removing Vision One agents would not affect Cloud One Workload Security or Apex One agents.
On the other side, "Apex One" inactive agent cleanup is a different product and function from the Vision One inactive agent removal, and they have different behaviors. ApexOne agent's cleanup would not affect/remove Trend Vision One agents.
When to refund seat count or credit after an agent is removed?
- If the agent is removed by the process of Auto Inactive Endpoint Removal
  - for Trend Vision One account which is credit based, the credit will be refunded in 2 hours.
  - for Trend Vision One account which is seat count based, the occupied seat count will be released immediately.
- If the agent is removed by Manual Endpoint Removal
  - No matter credit based or seat count based it will be refunded immediately.
How to Remove Standard Endpoint Protection Endpoints?
For step-by-step instructions, refer to this document: Configuring Inactive Agent Removal Settings
How to Remove Server & Workload Protection Endpoints?
To learn how to remove these types of endpoints, refer to this document: Automate offline computer removal with inactive agent cleanup

Keywords: inactive endpoints removal,inactive agents removal,vision one taking out inactive endpoints,duplicate endpoints,remove endpoints,Endpoint Inventory Console,remove from search,status,tab,location,console location,how to remove endpoint,remove inactive endp

Removing endpoints from the Endpoint Inventory 2.0 and Trend Vision One Endpoint Security console

Product / Version includes:

Trend Vision OneAll

Last updated: 2024/06/07

Solution ID: KA-0012152

Category: Configure

Summary

This article illustrates how endpoints with any status can manually be removed from the Endpoint Inventory console.

Currently, there are two kinds of Endpoint Inventory console:

The Endpoint Inventory is for Trend Vision One Endpoint Security Operations. It's also called the Endpoint Inventory Poseidon-mode console.
The Endpoint Inventory is for Trend Vision One Endpoint Security Operations (for Standard Endpoint and Server & Workload Protection). It's also called the Endpoint Inventory Foundation-mode console

Both kinds of Endpoint Inventory App has two methods for users to remove endpoints:

Manual endpoint removal: users can manually select endpoints to remove.
Auto endpoint removal:
- For Endpoint Inventory Poseidon-mode console, users have the option to enable Inactive Agent Removal in Settings and then inactive endpoints will be automatically checked once a day and then removed. There are two checkboxes for the Agent Removal:
  - Inactive agent removal
  - Inactive non-persistent virtual desktop agent removal
- For Endpoint Inventory Foundation-mode console, users have the option to enable Inactive Endpoint Removal Settings within the Global settings panel. When this feature is enabled, inactive endpoints are automatically scanned once a day and removed based on the specified criteria. Below are the two checkboxes available for customers to tailor this automated removal:
  - Automatically remove inactive Endpoint Sensor endpoints: When this checkbox is selected, the system will automatically remove inactive sensor-only endpoints during its daily scan.
  - Automatically remove inactive non-persistent virtual desktop Endpoint Sensor endpoints: When enabled, the system will automatically remove inactive non-persistent virtual desktop sensor-only endpoints during the daily scan.

In Endpoint Inventory Foundation-mode console, only sensor-only endpoints are currently supported for manual removal and auto removal. For more information, you can refer the OLH document: Remove Endpoints

For more information on uninstalling Standard Endpoint Protection and Server & Workload Protection agents: see Uninstalling Agents, and Cleaning Up Uninstalled Agents.

EXPAND ALL

Manual Endpoint Removal

Manually Remove from Endpoint Inventory Poseidon-mode Console

In Endpoint Inventory console, endpoints of any status, including those with status "XDR sensor enabled" or "Action Required", are all allowed to be removed.

On Endpoint Inventory, select the endpoints you would like to remove, similar to how you would enable them. After selecting endpoints, a Remove button should be shown.

^{Click the image to enlarge.}
By clicking the Remove button, a pop-up window will be shown, where you can confirm the endpoints to remove. Click Remove Now to remove the endpoints.

^{Click the image to enlarge.}

Manually Remove from Endpoint Inventory Foundation-mode Console

In the Endpoint Inventory Foundation-mode Console, only sensor-only endpoints can be removed. To remove endpoints, follow these steps:

On Endpoint Inventory, select the endpoints that you want to remove.

^{Click the image to enlarge.}
Take note that the Remove Endpoint does not apply to Standard Endpoint Protection or Server & Workload Protection agents.

You may need to remove/delete the agent from their respective product console:
- Standard Endpoint Protection > Directories > Product Servers > Apex One as a Service link > Follow Remove Agent documentation
- Server & Workload Protection > Computers > Follow Delete Computer documentation
Once it is a sensor-only agent (no Protection manager), click on Remove Endpoint button. A popup will appear, displaying the list of endpoints you've selected for removal, along with important details you should note.

^{Click the image to enlarge.}
After clicking Remove Now on the popup, it will take approximately 15 minutes for the endpoints to be removed.

^{Click the image to enlarge.}

Auto Inactive Endpoint Removal

Endpoint Inventory Poseidon-mode Console

Click on the Settings icon to open the panel, and then you will see the settings for "Agent Removal".
By default, the "Agent Removal" settings are disabled.

^{Click the image to enlarge.}

There are two checkboxes for Agent Removal:
- Inactive agent removal
  This removes inactive agents, including persistent virtual desktop agents.
  
  ^{Click the image to enlarge.}
  
  "Non-persistent" virtual desktop agents will not be removed by this setting. You may use the next setting to remove them.
- Inactive non-persistent virtual desktop agent removal
  This only removes the "non-persistent" virtual desktop agents using a different setting of inactive days.
  
  ^{Click the image to enlarge.}

Trend Vision One Endpoint Security Foundation-mode Console

^{Click the image to enlarge.}

Automatically remove inactive Endpoint Sensor endpoints: This setting is designed to remove inactive Endpoint Sensor agents, including persistent virtual desktop agents.

"Non-persistent" virtual desktop Endpoint Sensor agents will not be removed with this setting. You can use the next setting for that purpose.
Automatically remove inactive non-persistent virtual desktop Endpoint Sensor endpoints: This setting is specifically to remove "non-persistent" virtual desktop Endpoint Sensor agents, based on the number of inactive days specified.

^{Click the image to enlarge.}

Additionally, if you wish to remove Standard Endpoint Protection and Server & Workload Protection endpoints, the drawer contains links to documents that will guide you through the process.

^{Click the image to enlarge.}

The process of removal daily begins at 00:00 according to the Trend Vision One data center region.

Region	Removal Time
US	00:00 EST(UTC-5)
EU	00:00 CET(UTC+1)
JP	00:00 JST(UTC+9)
SG	00:00 CST(UTC+8)
AU	00:00 AEST(UTC+10)
IN	00:00 IST(UTC+5:30)
ADDA	00:00 GST(UTC+4)

^{Click the image to enlarge.}

Frequently Asked Questions (FAQs)

Will the removal of endpoints also remove Endpoint Basecamp?
No, it only removes the visibility from the Endpoint Inventory console and Trend Vision One components, including endpoint sensor, from the endpoint side. It does not uninstall the existing Endpoint Basecamp program and the Windows/Mac/Linux Endpoint Basecamp will continue to run.

The Endpoint Basecamp can be removed with an official uninstaller which can be requested by issuing a case through Trend Micro Technical Support.
Is it possible to manage a removed endpoint again?

After Vision One Endpoint Reconnection Release
Endpoints removed after 2024/03/25 will automatically reconnect to the original company upon boot-up. This means that once removed, as long as the endpoint is online, it will automatically revert to a manageable state without requiring reinstallation of the Agent Installer. For permanent removal after 2024/03/25, please use the XBC uninstaller.

Endpoint removed before 2024/03/25

Yes, a removed endpoint can be shown up on Endpoint Inventory console again by reinstalling the agent installer which is available from the Endpoint Inventory console.

For the following endpoints, there is no need to uninstall Endpoint Basecamp first. Reinstall the agent installer at the endpoint, and then the removed endpoints will be shown on the console.
- Windows endpoints
- Mac endpoints with installed Endpoint Basecamp version is 1.2.232 or higher
- Linux endpoints with installed Endpoint Basecamp version is 872 or higher
For Mac/Linux endpoints with lower versions, the user has to request Trend Micro Technical Support for the Mac/Linux Endpoint Basecamp uninstallation tool first.

After obtaining the uninstallation tool, execute the uninstallation tool at the endpoint and then reinstall and rerun the Endpoint Inventory Agent Installer.
- If the Trend Vision One site has been migrated before for Mac/Linux endpoints, no matter which version, please uninstall Endpoint Basecamp and then reinstall the agent installer that was downloaded from the new site.
- For Windows endpoints, re-running the original EndpointBasecamp.exe in the local Program Files folder would not make this endpoint be managed again. Only re-installing the Agent Installer on the endpoint will work.
  
  ^{Click the image to enlarge.}
How does Auto Inactive Endpoint Removal work?
The removal process includes two parts:
- Server-side:
  The Endpoint Inventory server has a daily scheduled process to check if there are inactive Trend Vision One agents to remove. If there are inactive agents that meet the removal criteria, these inactive agents' records are automatically removed from the Endpoint Inventory database, and these agents will not show on the Endpoint Inventory 2.0 console once removed. An audit log will be created for the removal, you can go to Vision One console > Administration > Audit Logs, click Account tab, and filter it by Category: "Endpoint Inventory" to see this kind of audit logs, like:
  
  ^{Click the image to enlarge.}
  
  Meanwhile, the backend server creates and queues these agents' uninstall commands for removing related Trend Vision One components running on the machines. These commands will be retrieved and executed by Basecamp on those devices.
- Endpoint-side:
  After the removal, if an inactive machine goes online and connects to the server, Basecamp will retrieve and execute the uninstall command from the server and remove the related Trend Vision One components, including endpoint sensor modules, from the machine. Eventually, only the Basecamp process is left running on the device.
Will the Removal affect agents of Cloud One Workload Security or Apex One?
No, removing Vision One agents would not affect Cloud One Workload Security or Apex One agents.
On the other side, "Apex One" inactive agent cleanup is a different product and function from the Vision One inactive agent removal, and they have different behaviors. ApexOne agent's cleanup would not affect/remove Trend Vision One agents.
When to refund seat count or credit after an agent is removed?
- If the agent is removed by the process of Auto Inactive Endpoint Removal
  - for Trend Vision One account which is credit based, the credit will be refunded in 2 hours.
  - for Trend Vision One account which is seat count based, the occupied seat count will be released immediately.
- If the agent is removed by Manual Endpoint Removal
  - No matter credit based or seat count based it will be refunded immediately.
How to Remove Standard Endpoint Protection Endpoints?
For step-by-step instructions, refer to this document: Configuring Inactive Agent Removal Settings
How to Remove Server & Workload Protection Endpoints?
To learn how to remove these types of endpoints, refer to this document: Automate offline computer removal with inactive agent cleanup

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Removing endpoints from the Endpoint Inventory 2.0 and Trend Vision One Endpoint Security console

Manual Endpoint Removal

Manually Remove from Endpoint Inventory Poseidon-mode Console

Manually Remove from Endpoint Inventory Foundation-mode Console

Auto Inactive Endpoint Removal

Frequently Asked Questions (FAQs)

Removing endpoints from the Endpoint Inventory 2.0 and Trend Vision One Endpoint Security console

Product / Version includes:

Summary

Manual Endpoint Removal

Manually Remove from Endpoint Inventory Poseidon-mode Console

Manually Remove from Endpoint Inventory Foundation-mode Console

Auto Inactive Endpoint Removal

Frequently Asked Questions (FAQs)