You can decommission an endpoint that Red Canary should no longer monitor, such as a system that has been deactivated. This is an important step in maintaining an accurate inventory of which endpoints should be monitored so Red Canary can alert you when a monitored system goes offline unexpectedly.
When you decommission an endpoint, it will no longer appear in Red Canary reports or lists of "active" endpoints, since an active endpoint is one that is being monitored by Red Canary. All data about the endpoint and the endpoint's threat history is retained. When decommissioning, certain Endpoint Protection Platform (EPP) / Endpoint Detection and Response (EDR) platforms allow sensor uninstallation to be enqueued.
Only users with the Admin role can decommission an endpoint.
You can decommission endpoints and optionally choose to request uninstallation of the EPP/EDR sensor.
Decommission an endpoint
- View the endpoint using ⌘-K or by clicking Endpoints and filtering for the endpoint’s hostname.
- Click Decommission.
- For EPP/EDR platforms that support remote sensor uninstallation, choose whether you would like Red Canary to trigger uninstallation when the endpoint next checks in or to leave the sensor. In nearly all circumstances, you should choose to trigger sensor uninstallation.
Note: If you do not choose to uninstall the sensor, the sensor will still report to the EDR platform and will only be decommissioned from Red Canary.
- Click Confirm Decommission.
Decommission multiple endpoints
- From Red Canary click Endpoints in the site navigation.
- Click the (□) icon on one or more endpoints that you want to decommission.
- Click Decommission.
- For EPP/EDR platforms that support remote sensor uninstallation, choose whether you would like Red Canary to trigger uninstallation when the endpoint next checks in or to leave the sensor. In nearly all circumstances, you should choose to trigger sensor uninstallation.
- Click Confirm Decommission.
What happens to the decommissioned endpoint in Red Canary?
Decommissioning doesn't delete the endpoint from Red Canary even if the sensor is uninstalled, as the endpoint will still be accessible from the Endpoints page. Use the state:decommissioned filter on the Endpoints page to display all decommissioned endpoints.
What if I need to “recommission/reinstate” an endpoint?
You can reinstate any decommissioned endpoint by selecting Reinstate in the top banner while viewing the endpoint.
You can also use the Red Canary "Reinstate" API query to bulk reinstate your endpoints.
To view the Red Canary "reinstate" API query documentation, click your User icon at the top right of the Red Canary dashboard and select "API" from the menu. On the API documentation page, scroll down to the Endpoint Users section ("Operations about Endpoint Users").
What if threatening activity is identified on a decommissioned endpoint?
If the sensor software is still installed and a decommissioned sensor comes back to life, it will resume sending telemetry to Red Canary. In this case, the endpoint would still be monitored for threatening activity.