The preferred method to uninstall Defenders is via the Console UI under
Manage > Defenders.
Regularly uninstalling stale Defenders keeps your view of the environment clean and conserves licenses. You can uninstall Defenders can be decommissioned from the Console UI or the Prisma Cloud API.
Prisma Cloud automatically removes stale Defenders for you. Automatic removal is recommended in large scale environments. If Defenders are not uninstalled many can become permanently offline and clutter your view of the environment. To keep your view clean, the Prisma Cloud Console automatically uninstalls Defenders that haven’t been connected to it for more than one day. This keeps the list of connected Defenders valid for any given 24-hour window.
The refresh period can be configured up to a maximum of 365 days under
Manage > Defenders > Deployed Defenders | Auto-defend > Advanced settings > Automatically remove disconnected Defenders after (days).
We recommend letting Prisma Cloud automatically uninstall stale Defenders rather than using the UI or API.
Decommission Defenders manually
You can manually decommission the Defenders from the Console.
- Go toManage > Defendersto see a list of all the Defenders connected to Console.
- UnderActions, selectDeleteto decommission the respective Defender.
Decommission Defenders with the API
The following endpoint can be used to decommission a Defender.
Deletes a Defender from the database. This endpoint does not actually uninstall Defender. Use the fully qualified domain name (FQDN) of the host. You can find the FQDN of the host in
Manage > Defenders > Actions > Manage.
$ curl -X DELETE \ -u <USERNAME>:<PASSWORD> 'https://<CONSOLE>:8083/api/v1/defenders/aqsa-cto.sandbox'
Force Uninstall Defender
If a Defender instance is not connected to the Prisma Cloud Console, or is otherwise not manageable through the UI, you can manually remove it.
Go to the Linux host where the Container Defender runs and use the following command:
$ sudo /var/lib/twistlock/scripts/twistlock.sh -u
If you run this command on the same Linux host where the Prisma Cloud Console is installed, it also uninstalls Prisma Cloud Console.
On the Linux host where Host Defender runs, use the following command:
$ sudo /var/lib/twistlock/scripts/twistlock.sh -u defender-server
On the Windows host where Defender runs, use the following command:
C:\Program Files\Prisma Cloud\scripts\defender.ps1 -uninstall
Uninstall all Prisma Cloud Resources in a Kubernetes Environment
To uninstall all Prisma Cloud resources from a Kubernetes-based deployment, delete the twistlock namespace. Deleting this namespace deletes every resource within the namespace.
- Delete the twistlock namespace.$ kubectl delete namespaces twistlock