As we all know, FEP doesn't have tamper protection or any way to password-protect the uninstallation of the FEP client. I normally use the collection query I posted before on my blog to automate the re-installation of the FEP client if it is uninstalled. https://ccmexec.com/2011/11/forefront-endpoint-protection-and-locally-removed/
But in the case where we have users that are local admins (I know it is a pain, but that is the real world), I try to do one of these tricks as well to at least make it harder for them to uninstall the FEP client.
1. Remove the UninstallString registry value for the FEP client. The FEP client is then no longer visible under "Uninstall a program" in the Control Panel. I use this really simple script to achieve it:
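' Registry hive constant for HKEY_LOCAL_MACHINE
Const HKEY_LOCAL_MACHINE = &H80000002
' Connect to the WMI registry provider on the local computer
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client"
strStringValueName = "UninstallString"
' Delete the UninstallString value from the FEP client's uninstall key
oReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath, strStringValueName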
2. The second option is to replace the uninstall string with a command that runs a script telling the user that uninstalling the FEP client is not allowed, so that the user sees that message instead.
I simply copy a VBScript with the content below to the C:\Windows directory and then run it from there. Sample script for the prompt:
MsgBox "FEP is not allowed to be uninstalled", 0, "FEP Uninstaller"
Sample script for replacing the FEP uninstall string:
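' Registry hive constant for HKEY_LOCAL_MACHINE
Const HKEY_LOCAL_MACHINE = &H80000002
' Connect to the WMI registry provider on the local computer
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client"
strStringValueName = "UninstallString"
' Command that runs the prompt script copied to C:\Windows
strValue = "wscript.exe c:\windows\fepuninst.vbs"
' Overwrite UninstallString so the Control Panel runs the prompt script
oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strStringValueName, strValue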
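A variant of the replacement script above that keeps the original uninstall command so an administrator can put it back later, and that is safe to run repeatedly. This is an added example, not part of the original post; the value name UninstallString_Backup is a hypothetical name chosen for illustration, and the script assumes it is run with cscript.exe.

```vbscript
' Added example (not the original author's script). Run with cscript.exe.
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
Const KEY_PATH = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client"
Const VALUE_NAME = "UninstallString"
Const BACKUP_NAME = "UninstallString_Backup"              ' hypothetical value name
Const BLOCK_CMD = "wscript.exe c:\windows\fepuninst.vbs"  ' prompt script from the post

Dim oReg, current, backup, rc
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' Read the current value; a non-zero return code means it is missing
' (for example already deleted by option 1, or the client is not installed).
rc = oReg.GetStringValue(HKEY_LOCAL_MACHINE, KEY_PATH, VALUE_NAME, current)
If rc <> 0 Or IsNull(current) Then
    WScript.Echo "UninstallString not found (rc=" & rc & "); nothing changed."
    WScript.Quit 1
End If

' Idempotency: do nothing if the prompt command is already in place.
If LCase(current) = LCase(BLOCK_CMD) Then
    WScript.Echo "UninstallString already replaced; nothing to do."
    WScript.Quit 0
End If

' Save the original command once; never overwrite an existing backup.
rc = oReg.GetStringValue(HKEY_LOCAL_MACHINE, KEY_PATH, BACKUP_NAME, backup)
If rc <> 0 Or IsNull(backup) Then
    rc = oReg.SetStringValue(HKEY_LOCAL_MACHINE, KEY_PATH, BACKUP_NAME, current)
    If rc <> 0 Then
        WScript.Echo "Could not save backup (rc=" & rc & "); aborting."
        WScript.Quit 2
    End If
End If

' Replace the uninstall command with the prompt script.
rc = oReg.SetStringValue(HKEY_LOCAL_MACHINE, KEY_PATH, VALUE_NAME, BLOCK_CMD)
If rc <> 0 Then
    WScript.Echo "Failed to set UninstallString (rc=" & rc & ")."
    WScript.Quit 3
End If
WScript.Echo "UninstallString replaced; original saved in " & BACKUP_NAME & "."
```

The exit codes let a deployment tool tell "already done" (0) apart from "value missing" (1) and write failures (2, 3).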
I hope this can be helpful. It isn't pretty, but it does its job.