Forum Discussion

neilcarden's avatar
neilcarden
Brass Contributor
May 21, 2020
Solved

Remove devices from MDATP portal

We have a couple of devices that are showing in MDATP which we would like to get rid of, however we are not in a position to run any scripts... One was registered in InTune by mistake and has been u...
  • KateAWin's avatar
    KateAWin
    May 29, 2020

    neilcarden Sorry for the confusion, it's poorly labeled in ATP. Here is a screenshot of what it should look like before you run the query (it looks like you're entering the comment in the bottom "Response body" when it should be the top unlabeled input box):

     

     

    Thank you,
    Kate

     

     

KateAWin's avatar
KateAWin
Brass Contributor
May 26, 2020

Hello

 

I have ran into this issue previously and found a great fix that doesn't involve contacting the users or even having physical access to their machine. Please follow these steps:

 

  1. Copy the machine you want to offboard in the machine list and obtain the machine ID from the URL (…/machines/<machine ID>)
  2. Navigate to API explorer (Left pane in ATP > Partners & APIs > API explorer)
  3. Change first drop-down to "POST"
  4. Paste this URL (https://api.securitycenter.windows.com/api/machines/{machine-id}/offboard)
  5. Enter machine ID in the URL (keep the entire URL, just replace <MachineID>)
  6. Run query (This will force machine to run the offboarding script next time the machine checks in.)
  7. Include this comment (remove the first and last quotations):

               "{

               "Comment": "Offboard machine by automation"

               }"

     8. Repeat 1-6 for each machine you'd like to remove

 

Hope that helps!

Thanks, 

Kate

  • George Simos's avatar
    George Simos
    Copper Contributor
    Apr 03, 2023
    That's very good to know, however it requires that the device is online and the offboarding can kick in. If the device is not online (e.g. decommissioned), then I guess we have to wait until it gets removed after the retention period expires for it right?
    • Groove200's avatar
      Groove200
      Brass Contributor
      Apr 19, 2023
      Correct. It will tidy itself up when retention expires.

      I initially questioned this as I like things clean, however when the reason was explained, ie if there is a mechanism to manually remove stuff from Defender, then there is an attack surface that can leverage that mechanism and that would be bad times. Id rather have it this way than some bad actor removing everything 😉
  • argie4's avatar
    argie4
    Copper Contributor
    Dec 10, 2020

    KateAWin Getting this error:

     

     

    Any ideas?

     

  • neilcarden's avatar
    neilcarden
    Brass Contributor
    May 26, 2020

    KateAWin Thanks for your response... I have tried this on two machines... and get the following error

     

    {
        "error": {
            "code": "InvalidRequestBody",
            "message": "Request body is incorrect",
            "target": "a66d6701-05de-45ea-xxxx-439235eec2cf"
        }
    }
     
    Google search doesn't return much in way of help
    • KateAWin's avatar
      KateAWin
      Brass Contributor
      May 27, 2020

      neilcarden In order to post the HTML on this web page, I had to include quotation marks before and after the brackets: "{}" 

       

      Remove only those two quotation marks, but keep the rest of the code. Also, you can give it a try without entering anything in the body. I would assuming the comment is optional, though I've never tried it myself.

       

      Thank you,

      Kate

Resources