Forum Discussion
neilcarden
May 21, 2020
Brass Contributor
Remove devices from MDATP portal
We have a couple of devices that are showing in MDATP which we would like to get rid of, however we are not in a position to run any scripts... One was registered in InTune by mistake and has been u...
- May 29, 2020
neilcarden Sorry for the confusion, it's poorly labeled in ATP. Here is a screenshot of what it should look like before you run the query (it looks like you're entering the comment in the bottom "Response body" when it should be the top unlabeled input box):
Thank you,
Kate
KateAWin
May 26, 2020
Brass Contributor
Hello
I have run into this issue previously and found a great fix that doesn't involve contacting the users or even having physical access to their machine. Please follow these steps:
1. Copy the machine you want to offboard in the machine list and obtain the machine ID from the URL (…/machines/<machine ID>)
2. Navigate to API explorer (Left pane in ATP > Partners & APIs > API explorer)
3. Change first drop-down to "POST"
4. Paste this URL (https://api.securitycenter.windows.com/api/machines/{machine-id}/offboard)
5. Enter machine ID in the URL (keep the entire URL, just replace <MachineID>)
6. Run query (This will force machine to run the offboarding script next time the machine checks in.)
7. Include this comment (remove the first and last quotations):
"{
"Comment": "Offboard machine by automation"
}"
8. Repeat 1-6 for each machine you'd like to remove
Hope that helps!
Thanks,
Kate
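The steps above written as a script, for when they have to be repeated for many machines. This is an added example, not part of the original post: it assumes you already hold a bearer token for an application permitted to offboard machines, and that machine IDs are 40 hexadecimal characters. The function names are illustrative, and nothing is sent unless `send=True`.

```python
import json
import re
import urllib.error
import urllib.request

API_BASE = "https://api.securitycenter.windows.com/api/machines"  # from the post
MACHINE_ID_RE = re.compile(r"[0-9a-f]{40}")  # assumption: 40 hex characters


def build_offboard_request(machine_id, token, comment="Offboard machine by automation"):
    """Build the POST .../machines/<id>/offboard request; raise ValueError on a bad ID."""
    mid = machine_id.strip().lower()
    if not MACHINE_ID_RE.fullmatch(mid):
        # Catches pasted URLs, blanks and the unfilled {machine-id} placeholder
        raise ValueError(f"not a machine ID: {machine_id!r}")
    return urllib.request.Request(
        url=f"{API_BASE}/{mid}/offboard",
        data=json.dumps({"Comment": comment}).encode("utf-8"),  # comment body from the post
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def offboard_all(machine_ids, token, send=False):
    """Return (id, outcome) pairs; nothing is transmitted unless send=True."""
    results = []
    for raw in machine_ids:
        try:
            req = build_offboard_request(raw, token)
        except ValueError as exc:
            results.append((raw, f"skipped: {exc}"))
            continue
        if not send:
            results.append((raw, f"dry-run: POST {req.full_url}"))
            continue
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                results.append((raw, f"HTTP {resp.status}"))
        except urllib.error.HTTPError as exc:
            results.append((raw, f"HTTP {exc.code}"))  # e.g. bad token or unknown ID
    return results


if __name__ == "__main__":
    # Constructed sample input: one well-formed ID and the unfilled placeholder
    sample = ["0123456789abcdef0123456789abcdef01234567", "{machine-id}"]
    for mid, outcome in offboard_all(sample, token="PLACEHOLDER_TOKEN"):
        print(mid, "->", outcome)
```

Review the dry-run output against the machine list before switching to `send=True`, since each request queues an offboarding that runs at the device's next check-in.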
George Simos
Apr 03, 2023
Copper Contributor
That's very good to know, however it requires that the device is online and the offboarding can kick in. If the device is not online (e.g. decommissioned), then I guess we have to wait until it gets removed after the retention period expires for it, right?
- Groove200
Apr 19, 2023
Brass Contributor
Correct. It will tidy itself up when retention expires.
I initially questioned this as I like things clean, however when the reason was explained, i.e. if there is a mechanism to manually remove stuff from Defender, then there is an attack surface that can leverage that mechanism and that would be bad times. I'd rather have it this way than some bad actor removing everything 😉