Thanks for this. I was wondering why I haven't seen the Defender shim installed on any of our Macs, since it seems like we would be getting this as well, and after reading the linked article, this line explains why.
"Alternatively, you can use the Standard Suite Installer. This option installs Word, Excel, PowerPoint, Outlook, OneNote, OneDrive, and Microsoft AutoUpdate. It does not include Teams nor the Defender shim."
I'm only using the Standard Suite installer when I push out Office 365, as we like to install Teams separately. So it seems like I dodged this issue, just by luck!
To make my post a little more useful, I'm wondering if the uninstall needs to be run as the logged in user and not as root? I mean, that wouldn't really make sense since my assumption is to remove Defender you'd need to be running as an admin, right? That can't really be it I suppose.
Another thought. I don't have it installed anywhere so I can't check this, but is that "uninstall" a script of some sort, or is it an executable? If it's a script, can you open it and examine what it's doing? Maybe you can extract the pieces from it you need and drop it into a separate script in Jamf. Just a thought.
You're in the same mind-set I was, thinking I could pop it open and just run its contents as a script, but it's an executable. When I ran it locally on a test box, it popped up a window asking for credentials to remove the 2 system extensions that are installed during the install - hence my interest in more than just "Dragging to trash..." We WERE relying on the Teams component of it, which is why I had chosen that particular installer. What really throws me is that it's not that it fails, it just acts like there's no uninstaller present:
Executing Policy Uninstall Microsoft Defender
Running command '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'...
Result of command:
/bin/sh: /Library/Application Support/Microsoft/Defender/uninstall/uninstall: No such file or directory
The error implies maybe it needed a "/bin/sh" command in front of it, but that doesn't work either. I am tempted to open a case with MSFT but I figure the collective brain power of the Mac folks can defeat Redmond.
Silly question, but did you try it with double quotes around the path instead of singles? The "No such file or directory" error makes me think it's not handling the space correctly in /Library/Application Support
That's the one thing I didn't try - but will now. I tried it with the single quote and absolute path and neither worked.
So same result. Maybe one of the folks from the Microsoft world that lurk in the Apple shadows can weigh in...?
Running command "/Library/Application Support/Microsoft/Defender/uninstall/uninstall"...
Result of command:
/bin/sh: /Library/Application Support/Microsoft/Defender/uninstall/uninstall: No such file or directory
Ok, interesting. If I had to guess, I suspect that this binary is something that has to be run directly within a shell environment, rather than called in a GUI-less way the way a Jamf Pro policy would. If so, that's very shortsighted on the part of Microsoft. The Mac team there has done a pretty good job of making sure their tools are executable from MDMs like Jamf. I'm not sure why this one doesn't work.
I wish I could test it out, but I don't have a machine right now with Defender installed on it. I may choose to let it install on a test Mac just to see what's what. If only because while we've escaped this so far, it's not impossible it may end up installed on some machines at some point, and I'll need to figure out some way to remove without involving users.
I did note that on the learn.microsoft.com page you linked to above, it does say this for the uninstall steps:
Go to Finder > Applications.
Right click on Microsoft Defender for Business, and then choose Move to Trash.
But it sounds like this leaves behind some cruft, so it's curious that would be their first recommendation.
I posted last week with a smart group and script used to resolve shim installs:
https://community.jamf.com/t5/jamf-pro/configuration-profile-to-block-quot-defender-shim-quot/m-p/302169#M265523
Hi @daniel_behan Maybe I'm missing it, but looking over what you posted, it looks like for the uninstall/removal, you're just doing a rm -rf /Applications/Microsoft\ Defender.app type of command in your script. Is that right? If so, as @easyedc mentioned above, this may not completely remove everything that gets installed by the Defender shim, hence why they were trying to run the uninstall command, which does seem to remove all the installed components.
In my experience, the shim only installs the .app. There is no uninstaller in /Library/Application Support to invoke. I didn't see any supplemental LaunchAgents or Daemons, so simply removing the app seems to work for me.
OK, well that's good to know. @easyedc I wonder if the reason you're getting the 'No such file or directory' error is that the 'uninstall' is not actually present on the device?
I'm trying to remember if I'd ever launched the Defender App before trying to run through the removal process. I'd already planned to wipe my test box and re-run the installer with the shim and re-capture what is laid down via composer to make sure.
I've tested this today; removing the app is more than enough. I think the Library folder and the corresponding uninstall file are created only if someone runs the app and actually installs the full version.
Thanks for that confirmation @merlin
I'm guessing then that the no such file or directory error is because it's running on devices where that doesn't exist, i.e. the app was never run by a user to do a full install.
@easyedc you might want to consider using a more fleshed out script for the removal then. Something to detect if the "uninstall" binary exists if Microsoft Defender.app is in Applications.
#!/bin/zsh
# Only act if the Defender app (shim or full install) is present.
if [ -d "/Applications/Microsoft Defender.app" ]; then
    # The uninstaller only exists after a full install; prefer it when present.
    if [ -e "/Library/Application Support/Microsoft/Defender/uninstall/uninstall" ]; then
        /bin/echo "Using the uninstall option to remove Defender and any support files..."
        "/Library/Application Support/Microsoft/Defender/uninstall/uninstall"
    else
        # Shim only: removing the app bundle is sufficient.
        /bin/echo "Deleting the Microsoft Defender shim from Applications..."
        /bin/rm -Rfd "/Applications/Microsoft Defender.app"
    fi
else
    /bin/echo "Microsoft Defender shim is not installed on this Mac."
fi
Though I don't remember doing it, at some point I must have launched the Defender.app. I did a wipe/rebuild of a test box, installed the Business Pro suite and there isn't a Defender path in the Application Support directory or any of the other stuff I'd found. I do have the start of a script digging out all the stuff, so I'll probably finish it out, but it does look like just the rm -Rf of the /Applications/Microsoft Defender.app path looks like it'll do the trick.
I do like where @mm2270's thought process was of checking if that uninstall path is there, and if not, just doing the removal of the app.
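The states this thread worked out (shim only, full install with the uninstaller present, support files left after the app was trashed) can be reported per Mac before a removal policy is scoped. This is an added example, not a script from any poster, Microsoft or Jamf; the `defender_state` function, its root-prefix argument and the state names are assumptions for illustration, and the two paths are the ones quoted above.

```shell
#!/bin/sh
# Added example: report which Defender components are on disk, in the form
# of a Jamf extension attribute. State names are hypothetical labels.

APP_REL="Applications/Microsoft Defender.app"
UNINSTALL_REL="Library/Application Support/Microsoft/Defender/uninstall/uninstall"

# defender_state [ROOT]
# ROOT is an optional prefix (assumption, used only for offline testing);
# with no argument the real / paths from the thread are checked.
defender_state() {
    root="${1:-}"
    app="$root/$APP_REL"
    uninstaller="$root/$UNINSTALL_REL"

    has_app=no
    has_uninstaller=no
    [ -d "$app" ] && has_app=yes
    # Require a regular, executable file so a stray directory or a
    # non-executable leftover is not mistaken for a usable uninstaller.
    [ -f "$uninstaller" ] && [ -x "$uninstaller" ] && has_uninstaller=yes

    if [ "$has_app" = yes ] && [ "$has_uninstaller" = yes ]; then
        echo "full-install"            # run the vendor uninstaller
    elif [ "$has_app" = yes ]; then
        echo "shim-only"               # removing the .app is enough
    elif [ "$has_uninstaller" = yes ]; then
        echo "leftover-support-files"  # app trashed, support files remain
    else
        echo "not-installed"
    fi
}

# Jamf extension attributes report their value between <result> tags.
echo "<result>$(defender_state)</result>"
```

A smart group keyed on this value lets the removal policy run the uninstaller only where it exists, which avoids the "No such file or directory" result seen earlier in the thread.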