Windows - Software Lifecycle - Uninstall AnyDesk

What the AnyDesk removal Worklet does

This Automox Worklet™ uninstalls AnyDesk from Windows endpoints and removes the installation directory so no executable, configuration file, or service binary is left behind. The evaluation script inspects both ${env:ProgramFiles}\AnyDesk\AnyDesk.exe and ${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe. If either path resolves, the endpoint exits with code 80 and is flagged non-compliant in Automox.

The remediation script then invokes the vendor uninstaller in place with Start-Process -FilePath <AnyDesk.exe> -ArgumentList '--remove --silent' -Wait. This is the same command line AnyDesk documents for unattended removal, so service teardown, registry key removal, and shortcut cleanup happen the way the vendor expects. After the uninstaller returns, the Worklet calls Remove-Item -Path <parent> -Recurse -Force on the AnyDesk program directory to clear any leftover artifacts.

Both 32-bit and 64-bit installations are handled in one pass. Workstations and servers are both in scope; the Worklet declares device_type WORKSTATION and SERVER. Because the policy is FixNow-compatible, you can pull the trigger on a single endpoint during an active incident without waiting for the next scheduled evaluation.

Why remove AnyDesk from managed Windows endpoints

AnyDesk became a recurring entry on incident-response timelines for a reason. The vendor disclosed a production-systems breach in early 2024 and rotated signing certificates and customer credentials in response. Throughout 2024 and 2025, AnyDesk has been the named remote-access tool in tech-support scam playbooks, Akira and BlackCat ransomware intrusions, and CISA advisories on dual-use software. If AnyDesk is not your organization's approved remote-support platform, every installation on the fleet is an unmonitored ingress point with no SSO, no session recording, and no audit trail your SOC can pivot off.

Removing AnyDesk by hand on a single Windows host takes a minute. Locating every endpoint that still has the AnyDesk service running, the AnyDesk.exe binary on disk, or a remaining Uninstall registry entry takes longer than most organizations admit. This Worklet runs the same registered UninstallString or msiexec /x command across the conference room laptop, the lobby kiosk, and the back-office Windows Server in a single policy execution, and the activity log captures per-endpoint exit codes so the next compliance review shows AnyDesk has actually left the fleet rather than just left the most recently audited host.

How AnyDesk removal works

1. Evaluation phase: The Worklet builds an array of two candidate paths, ${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe and ${env:ProgramFiles}\AnyDesk\AnyDesk.exe, and runs Test-Path against each one. The first match writes a FOUND message to the activity log and exits 80 to signal non-compliance. If neither path exists, the script writes 'Device is compliant' and exits 0.

2. Remediation phase: For the matched AnyDesk.exe, the script runs Start-Process -FilePath $dir -ArgumentList '--remove --silent' -Wait, which is the vendor-supported unattended uninstall (see the AnyDesk CLI knowledge base). On a clean return, Split-Path resolves the parent install directory and Remove-Item -Path $parentDir -Recurse -Force deletes the AnyDesk folder under Program Files or Program Files (x86). The loop breaks after the first successful removal so the script does not double-process a single endpoint. Any thrown exception writes the error to stderr and exits 1; otherwise the script exits 0.

AnyDesk removal requirements

• Windows 10, Windows 11, Windows Server 2016, 2019, 2022, or later (both workstation and server device types are supported)

• PowerShell 3.0 or later (the Automox agent already meets this on every supported Windows build)

• Local Administrator context for the Automox agent so the script can read and delete content under Program Files and Program Files (x86); the default agent execution context already satisfies this

• No additional parameters to configure; install paths are predefined to ${env:ProgramFiles}\AnyDesk\AnyDesk.exe and ${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe

• MSI-style uninstalls via msiexec /x are not required for the standard AnyDesk MSI deployment, because the in-place AnyDesk.exe --remove --silent path handles both per-machine MSI and standalone installs

• FixNow-compatible: the policy can be triggered on a single endpoint from the Automox console for incident response without waiting on the scheduled cycle

Expected state after AnyDesk removal

Test-Path '${env:ProgramFiles}\AnyDesk\AnyDesk.exe' and Test-Path '${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe' both return False. Get-Service AnyDesk returns no service, and the AnyDesk entry no longer appears in Settings > Apps > Installed apps or in Programs and Features. The next Automox evaluation exits 0 with the message 'Device is compliant', and the endpoint stops appearing on the non-compliant list for this policy.

If a user reinstalls AnyDesk after removal, the next scheduled evaluation re-flags the endpoint and the remediation script runs again, so the baseline holds without operator intervention. For audit evidence, capture the Automox activity log entries. They record the matched path on each run plus the 'Uninstall was successful.' confirmation. Pair them with a Get-WinEvent query against the System and Application logs for AnyDesk service teardown. The Worklet pairs naturally with policies that block AnyDesk-related domains at the DNS or proxy layer and with an alternative-remote-support deployment (TeamViewer Host, BeyondTrust, or your approved platform) so users have an authorized route the moment AnyDesk goes away.