Using Intune to Remove Trend Micro with the SCUT removal tool

If you find yourself in the unfortunate position where you have a fleet of workstations with Trend Micro Worry-Free business AV installed, you want to remove it, but you don’t have the uninstall password, there’s still a way to remove the software. Hopefully, your devices are enrolled in Intune or have an RMM agent installed. Otherwise, you’ll be in for a painful removal process. You’ll need the Trend Micro removal utility, known as SCUT (see “Using CUT tool to remove Security Agent – Worry-Free Business Security Services” on trendmicro.com). It can only be obtained from Trend Micro support, and when they issue it to you, it expires after 30 days. Thanks, Trend, for making removing your software a royal PITA.

Anyway, after you obtain the removal utility, you have 30 days to use it. After that, you will receive the below message if you try using the tool:

Another problem is that you need .NET 3.5 installed on all your endpoints. It’s a requirement for the removal tool. You can push this out with Intune by following this blog post – https://smbtothecloud.com/install-net-framework-3-5-with-intune/.

After you have .NET 3.5 installed on your workstations or the app built in Intune, we can proceed with creating the Win32 app for the removal utility. The Trend support document does a poor job of describing how to run the utility with PowerShell. I found that running it as a CMD file (as they recommend) was not consistently working properly. The utility takes around 10-15 minutes to complete. The detection rule was being executed well before the utility finished running, so the reporting was messy and inaccurate. Using the PowerShell script below yielded much better results since it waits for the spawned process to complete:

Start-Process -Wait ".\SCUT.exe" -ArgumentList "-noinstall"

For the detection rule, I had some mixed results with what was consistently removed before a reboot. However, I found that this registry key HKEY_LOCAL_MACHINE\SOFTWARE\Trendmicro\NSC was always removed when the utility finished running successfully. So, my detection rule looks like this:

We’re not going to walk through packaging the SCUT.exe tool and our Install.ps1 (one line script above) file as a Win32 app in this post, but after you do, and you create your app, your app should look similar to the screenshot below.

Assign to your target devices, and within a day you should be TrendMicro-free.
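
A fuller Install.ps1 that ties together the three points above (the .NET 3.5 prerequisite, waiting for SCUT to finish, and the NSC registry key), as an added example that is not the original post's script. It assumes SCUT.exe is packaged beside the script; the log path, the non-zero exit codes, and checking both the 32-bit and 64-bit registry views are this example's own choices.

```powershell
# Install.ps1 (added example, not the original post's script).
# Assumptions: SCUT.exe sits beside this script; the log path and the
# exit codes 1 and 2 are this example's own choices.
$nscKey   = 'SOFTWARE\Trendmicro\NSC'    # key named in the post
$netfxKey = 'SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
$logFile  = Join-Path $env:ProgramData 'ScutRemoval.log'

function Write-Log([string]$Message) {
    Add-Content -Path $logFile -Value "$(Get-Date -Format s) $Message"
}

# Test an HKLM subkey in an explicit registry view, so the answer does not
# depend on whether the script was launched in a 32-bit or 64-bit host.
function Test-HklmKey([string]$SubKey, [Microsoft.Win32.RegistryView]$View) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } finally { $base.Dispose() }
}

function Test-NscKeyPresent {
    (Test-HklmKey $nscKey 'Registry64') -or (Test-HklmKey $nscKey 'Registry32')
}

# .NET 3.5 is installed when the NDP\v3.5 key carries Install = 1.
function Test-NetFx35 {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')
    try {
        $key = $base.OpenSubKey($netfxKey)
        return [bool]($key -and ($key.GetValue('Install') -eq 1))
    } finally { $base.Dispose() }
}

if (-not (Test-NetFx35)) {
    Write-Log '.NET 3.5 not installed; SCUT.exe was not started'
    exit 2
}

# -Wait blocks until SCUT.exe and the processes it spawns have exited.
$scut = Join-Path $PSScriptRoot 'SCUT.exe'
$proc = Start-Process -FilePath $scut -ArgumentList '-noinstall' -Wait -PassThru
# The exit code is logged for troubleshooting only; the result below relies on the key.
Write-Log "SCUT.exe exited with code $($proc.ExitCode)"

if (Test-NscKeyPresent) { Write-Log 'NSC key still present'; exit 1 }
Write-Log 'NSC key removed'
exit 0
```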