Environment
- Endpoint Standard Sensor: 3.x and Higher
- Microsoft Windows: All Supported Versions
Symptoms
- When attempting to delete a user profile using the System ~ User Profiles dialog box, an error message is displayed: "Profile not deleted completely. Error - The RPC Server is unavailable"
- The profile can be deleted when the sensor is in bypass
Cause
A setting in the policy is blocking ransomware-like behavior from the service that removes the account (svchost.exe).
Resolution
- The blocking policy will need to be refined to allow the user files to be deleted
- Setting the sensor to bypass will allow the user to be removed
Additional Notes
A terminate policy for ** with "performs ransomware-like behavior" will block any process that touches canary files, including a process deleting a user account.