Endpoint Protection

I have one of my teams who are telling me that they removed both the proactive threat and the network threat protection and yet several days later the netwoek threat protection reactivated and caused an outage.  Upon questioning the team they informed me that when the components were removed not all the machines prompted for a reboot.  Though I have told them that, unless I'm wrong on this, the policies assigned to the groups have nothing to do with what components they have installed.  They are looking to me for a better answer and all I can think is that by not rebooting the server after removing the components those components would eventually come back online.  Does this make any sense or is there something I'm not looking at?

are the versions the same?

Was there an upgrade package applied?

Have you assinged any package to the group? 

Have you made any changes in the group which is applied or you have applied any pa ckage for that group?

No changes have been applied to the group nor has there been any package assigned.  There was only a single push to a subset of the group that later had network threat and proactive threat uninstalled.  From what has been described to me the only three that had the issue were the three that were not rebooted.

Is it possible they simply disabled the component instead of removing? There is no way that I can see that if the components were fully removed, they would magically come back...and you're right, policies being applied wouldn't cause this either.

Either they didn't uninstall like they thought or they were somehow added back.

And as for the prompt, it may be version specific, were that ones that prompted on a different version from the ones that didn't. Any time NTP is removed a reboot is definitely needed.