Uninstall Cisco AnyConnect

What the Cisco AnyConnect removal Worklet does

This Automox Worklet™ uninstalls the Cisco AnyConnect Secure Mobility Client from Windows endpoints and clears the orphaned ProgramData and per-user AppData files the MSI uninstaller leaves behind. The Worklet inspects both the 32-bit and 64-bit uninstall hives, so it catches the AnyConnect package regardless of which installer was used or which Windows architecture the endpoint runs.

The PowerShell script reads each subkey under HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall, matches entries whose DisplayName contains "cisco anyconnect" and whose UninstallString points at msiexec.exe, and pulls the MSI product GUID directly from the PSChildName. That GUID is the same one Programs and Features uses, which keeps the uninstall path identical to the one a Windows administrator would invoke by hand.

Remediation runs a silent msiexec /x against each detected GUID, then recursively deletes %ProgramData%\Cisco and %SystemDrive%\Users\<user>\AppData\Local\Cisco across every user profile on the box. The Worklet returns exit code 0 on full success and exit code 1603 if any uninstall or folder delete step fails. That mirrors the standard Windows Installer fatal-error code, so existing monitoring tooling picks up the failure without new mappings.

Why uninstall Cisco AnyConnect from your fleet

Cisco AnyConnect leaves residue. The MSI removes the program files, but the per-machine %ProgramData%\Cisco directory and the per-user AppData\Local\Cisco profiles stay on disk. Those folders hold cached XML profiles, certificates, VPN gateway lists, and connection history. They re-seed configuration when AnyConnect is reinstalled and conflict with replacement VPN clients that bind to the same network adapters. They also surface as findings during privileged-data audits long after the application is supposed to be gone. The Worklet treats the uninstall as the registry removal plus the filesystem cleanup, not just the MSI call.

VPN migrations – to Cisco Secure Client, GlobalProtect, Zscaler Client Connector, Twingate, or any other replacement – finish on the schedule of the slowest endpoint. This Worklet automates both halves of the removal: the MSI uninstall against the AnyConnect ProductCode and the cleanup pass against %ProgramData%\Cisco and the per-user AppData\Local\Cisco profiles. Targeting the policy at the migration cohort means the old client is gone from every laptop, server, and remote workstation by the time the migration sign-off ticket closes, rather than weeks later when an audit pulls the software inventory.

How Cisco AnyConnect removal works

1. Evaluation phase: The Worklet enumerates HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall in both the 64-bit view (via [Microsoft.Win32.RegistryKey]::OpenBaseKey with Registry64) and the 32-bit view, looking for any subkey whose DisplayName contains "cisco anyconnect" and whose UninstallString references msiexec.exe. Every matching subkey increments an install counter. If the counter is greater than zero, the script writes "Installation Found - Flagging for Remediation" and exits 1, which Automox treats as non-compliant. A clean endpoint writes "Compliant" and exits 0.

2. Remediation phase: The Worklet pulls the MSI product GUID from each matching subkey's PSChildName. It then runs Start-Process msiexec.exe -ArgumentList '/x <guid> /qn /norestart /log*v %WINDIR%\Temp\un_AnyConnect64.log' (or the 32-bit log path) and waits for the uninstall to complete. After every detected install is removed, the script recursively deletes %ProgramData%\Cisco. It then iterates %SystemDrive%\Users to remove AppData\Local\Cisco from each profile. A clean pass exits 0; any caught uninstall or delete exception increments a failure counter and the script exits 1603.

AnyConnect removal requirements

• Windows 7 or later, including Windows Server 2008 R2 and newer; both workstation and server SKUs are supported

• PowerShell 2.0 or later (PowerShell 5.1 is recommended for Windows 10 and Windows 11 endpoints)

• Administrator privileges to read the uninstall registry hives, invoke msiexec.exe, and delete %ProgramData%\Cisco and per-user AppData folders

• Network egress is not required; the Worklet uses only the local Windows Installer database

• No parameters; the script detects every Cisco AnyConnect MSI package on the endpoint and removes all of them in a single pass

• Schedule any replacement VPN client (Cisco Secure Client, GlobalProtect, Zscaler Client Connector) as a follow-on policy after this Worklet returns Compliant

Expected endpoint state after AnyConnect removal

After a successful remediation, no DisplayName matching "cisco anyconnect" remains under HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall in either the 32-bit or 64-bit view. No Cisco AnyConnect entry appears in the Programs and Features control panel. The vpnagent.exe and vpnui.exe services and processes are gone from Get-Service and Get-Process output. The %ProgramData%\Cisco directory is removed in full, and AppData\Local\Cisco is removed for every user profile under %SystemDrive%\Users.

Validate the result by running Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -like '*cisco anyconnect*' and confirming the command returns nothing. Inspect %WINDIR%\Temp\un_AnyConnect32.log and un_AnyConnect64.log for the MSI verbose-uninstall trace; a clean run ends with "Removal completed successfully" and exit code 0. Re-running the evaluation Worklet on the same endpoint reports Compliant without scheduling another remediation, so a scheduled policy can be left in place as ongoing enforcement against reinstallation or restore-from-backup events.