Forum Discussion

neilcarden's avatar
neilcarden
Brass Contributor
May 21, 2020
Solved

Remove devices from MDATP portal

We have a couple of devices that are showing in MDATP which we would like to get rid of, however we are not in a position to run any scripts... One was registered in InTune by mistake and has been u...
  • KateAWin's avatar
    KateAWin
    May 29, 2020

    neilcarden Sorry for the confusion, it's poorly labeled in ATP. Here is a screenshot of what it should look like before you run the query (it looks like you're entering the comment in the bottom "Response body" when it should be the top unlabeled input box):

     

     

    Thank you,
    Kate

     

     

aatishsharma64's avatar
aatishsharma64
Copper Contributor
Oct 02, 2021

Has it worked for anyone?
1. Copy the machine you want to offboard in the machine list and obtain the machine ID from the URL (…/machines/<machine ID>)
2. Navigate to API explorer (Left pane in ATP > Partners & APIs > API explorer)
3. Change first drop-down to "POST"
4. Paste this URL (https://api.securitycenter.windows.com/api/machines/{machine-id}/offboard)
5. Enter machine ID in the URL (keep the entire URL, just replace <MachineID>)
6. Run query (This will force machine to run the offboarding script next time the machine checks in.)
7. Include this comment (remove the first and last quotations):

"{

"Comment": "Offboard machine by automation"

}"

8. Repeat 1-6 for each machine you'd like to remove

iamdmitriev's avatar
iamdmitriev
Copper Contributor
Oct 26, 2021

aatishsharma64 

Yes, it is working for "Windows 10, version 1703 and later, or Windows Server 2019 and later."

For all Oses, which onboarding to WD ATP via script, not via MMA.

But they disappear after next query to the devices.

  • Jonhed's avatar
    Jonhed
    Steel Contributor
    Oct 27, 2021
    Leaving the "I want to delete the actual data entries to clean up" argument aside, there is actually no need to offboard the orphaned devices. (at least if nothing has changed during the last 9 months)

    When talking to the MDE support, I was told the orphaned entries will be removed regardless of the "onboard/offboard" status, after the device has been inactive long enough.
    Long enough meaning the span of the data retention period.

    The offboard action is only really "required" when the device itself needs to detach itself from MDE, say during troubleshooting or when you want to stop using MDE.
    (This is a summary of my talk with MDE support somewhere around February or so)
    • iamdmitriev's avatar
      iamdmitriev
      Copper Contributor
      Oct 27, 2021
      Partially disagree you. It is not a good idea to wait auto deletion of obsolete devices, because they appear in reports, dashboards, analytics till their removing.

      I am still looking for solution for removing Server 2012-2016 and Mac devices from portal.
      • Jonhed's avatar
        Jonhed
        Steel Contributor
        Oct 28, 2021

        iamdmitriev 

        Devices remain in the device inventory even if they are offboarded though, do they not?

        Do you mean that devices that have been offboarded will not be included in reports?

Resources