There are a couple of blogs out there regarding removing McAfee products with Intune. Those solutions have always worked for me in the past, until recently. Specifically, this post by Mr Tbone. It walks through the removal process using the McAfee Consumer Product Removal tool (MCPR) with a PowerShell script and a Win32 app. As I mentioned already, I’ve used this solution in the past successfully. For the first time in a while, I encountered a client who needed McAfee Security removed from around half of their devices.
The previously linked solution from Mr T-Bone was not working this time around. I tried testing it manually, but the removal tool was refusing to execute when launched from the command line:
No entries were made in Event viewer and the mccleanup log simply had these entries. One of which is “ValidateParentProcess failed”:
Some additional searching led me to a Reddit post of a user encountering the same issue I had – McAfee Removal using Win32 App, mccleanup.exe fails. : r/Intune (reddit.com) .
After seeing this and doing some more testing, I confirmed there were no issues with the script, and that McAfee must have made some recent changes. Next, I tried the uninstall string for the MaAfee Security application, which is:
“C:\Program Files\McAfee\MSC\mcuihost.exe” /body:misp://MSCJsRes.dll::uninstall.html /id:uninstall
I messed with this for a little while also, because all this does is launch the GUI uninstaller. I attempted to find any silent command switches and also guessed with all the common ones, but there is no silent removal using mcuihost.exe.
Someone suggested on Reddit that the newer versions of MCPR contain a captcha that prevents you from running the removal from the command line (https://www.reddit.com/r/PowerShell/comments/wdkp67/uninstalling_mcafee_security_through_ps_as_part/).
After seeing this, I did some more digging through my OneDrive and found an old version of the McAfee Consumer Product Removal tool (MCPR) from 2022. After extracting it, I compared the versions of mccleanup.exe, which is the program used when executing MCPR from the command line. The old version I had buried in my OneDrive is 10.4.123.0. The current version at the time of writing that can be downloaded from the McAfee site is 10.5.328.0.
If I tried using Mr Tbone’s script to run the remover using the old MCPR, it worked and removed the McAfee Security app successfully. However, the real meat of the MCPR is the subfolders, which contain the configuration settings to remove all the various programs. To elaborate on that, when you download MCPR, you can extract the exe with 7zip, the extracted $1 directory contains the mccleanup.exe program as well as various subfolders, which represent the different products:
As new products are added for the cleanup utility, subfolders are added. When I compared the old to the new version, I only found one new folder – WPS. If we look at the master.ini file, which is also in the $1 directory, we will see it’s really just telling the removal tool to cycle through each of those subfolders, and reference the configuration file in each of those subfolders for instructions on how to remove the product:
Here’s the master.ini file:
And an example snip from the wps100.ini configuration file:
So, after looking through this, I had the idea to try overwriting the new mccleanup.exe file with the old version. All other files/folders are the latest versions. Trying the removal script with the old mccleanup version and the newest versions of the extracted MCPR folders worked. Whatever was changed in the newer versions of mccleanup.exe disallows us from launching it on its own from the command line. It appears it needs to be launched from McClnUI and you need to use the GUI.
So, to summarize, download the MCPR utility. Then Extract with 7zip or a comparable program:
Navigate to the $1 directory from the extracted contents and replace the mccleanup.exe file with the old version here – MS-Cloud-Scripts/intune/McAfee-Remover at main · gnon17/MS-Cloud-Scripts (github.com).
We can see the older version of 10.4.123.0
Then pick up on Mr Tbone’s post with his script to package this as a Win32 app and then deploy it to your target devices. There’s no telling if or when this may stop working, but for now, it’s a solution. If you test this manually, you’ll notice that it takes a while to run, but you can view the mccleanup.txt log file that gets generated in the same directory where your mccleanup.exe file is and view the details.
I have this packaged as an intunewin file already on GitHub if you want to use my .intunewinfile. Although, eventually as more McAfee products are added to the MCPR utility, you’ll want to repackage this. If you do use my intunewin file, you can use the below install command and detection rule. Just make sure for the detection rule you select key does not exist:
While I was almost finished writing this post and still doing some research online, I also found that Andrew Taylor’s debloat script contains some code to remove McAfee. If you don’t want to run the whole debloat script, you can grab the parts for the McAfee removal here: public/De-Bloat/RemoveBloat.ps1 at main · andrew-s-taylor/public · GitHub. Search for the #McAfee comment to locate his removal code. Andrew’s blog post for his debloat script can be found here – Removing Bloatware from Windows 10 & 11 via script – Andrew Taylor (andrewstaylor.com).