Device offboarding in Microsoft 365 Defender

Douglas Bonilla 66 Reputation points
2022-11-02T14:23:39.457+00:00

Hello, how are you, I have the following case:

I have also removed some devices from Intune and from Azure AD, but in the Security Center they continue to appear. These devices no longer exist, so I cannot execute the offboarding script nor do it via Endpoint Manager policies.

I was performing the procedure through the api explorer with this post request https://api.securitycenter.windows.com/api/machines/enterdeviceidhere/offboard

where I put the device ID. The request has been successful, and if I execute it again it gives me the error that there is already a request; however, the device has not yet been removed and a week has already passed.

Does anyone have any solution? Thanks in advance


Accepted answer
  1. Givary-MSFT 27,796 Reputation points Microsoft Employee
    2022-11-03T08:11:55.677+00:00

    @Douglas Bonilla

    Thank you for reaching out to us. As I understand, you are trying to offboard a device which you no longer have access to (cannot be reached by GPO, SCCM, Intune or local script).

    As long as the machine is not in the "inactive" or "impaired communication" states, you can offboard it from the portal using API Explorer. You can check the state of the device from the Defender for Endpoint portal (see the screenshot below for reference).

    Also, have you tried using the APIs closer to your geo location, as mentioned here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machine-api?view=o365-worldwide#:~:text=For%20better%20performance%2C%20you%20can%20use%20server%20closer%20to%20your%20geo%20location%3A

    What is the operating system of the devices which you are trying to offboard?

    Note: This API is supported on Windows 11, Windows 10, version 1703 and later; on Windows Server 2019 and later; and on Windows Server 2012 R2 and Windows Server 2016 when using the new, unified agent for Defender for Endpoint. This API is not supported on macOS or Linux devices. - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machine-api?view=o365-worldwide#:~:text=Defender%20for%20Endpoint.-,Note,-This%20API%20is

    I would suggest trying the above recommendations; if that doesn't help, let me know and we can connect offline and troubleshoot.

    Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machines?view=o365-worldwide

    [screenshot: 256666-image.png]


2 additional answers

  1. Limitless Technology 43,931 Reputation points
    2022-11-03T08:43:09.063+00:00

    Hello,

    I am also using the Offboard API, but the device will not be completely deleted. MS intentionally keeps the machine record until it ages, to avoid cases where the machine may later be found to be involved in a security incident or investigation.

    You can just filter these machines out of the device list, either by using the "active" machine filter (machines will turn inactive after several days with no activity) or, as suggested, by tagging them and using the tag to filter them out. More on this here: Device list filters (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide). There was also a recent blog series on tagging: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058

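    The two answers above describe one workflow: check the device's health state first, call the Offboard API only when the sensor can still receive the action, and otherwise tag the stale record so it can be filtered out of the device list. The script below is an added example written for this thread, not Microsoft's code. It assumes the Defender for Endpoint routes named in the thread and its linked docs (GET /api/machines/{id}, POST /api/machines/{id}/offboard, POST /api/machines/{id}/tags, GET /api/machineactions/{id}), the regional host naming from the docs, and a bearer token for that API supplied in an MDE_TOKEN environment variable; obtaining the token is outside the example.

```python
"""Offboard a Defender for Endpoint device by ID, or tag it when the sensor
is no longer reachable.

Added example for this thread; not Microsoft's code. Assumes the API routes
named in the thread and its linked docs and an OAuth bearer token for that
API in the MDE_TOKEN environment variable.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

# Global host from the question plus the regional hosts the accepted answer
# points to in the docs (assumed to follow the same naming pattern).
API_HOSTS = {
    "global": "https://api.securitycenter.windows.com",
    "us": "https://api-us.securitycenter.windows.com",
    "eu": "https://api-eu.securitycenter.windows.com",
    "uk": "https://api-uk.securitycenter.windows.com",
}

# healthStatus values for which the accepted answer says the offboard action
# cannot be delivered: the sensor is not (fully) talking to the service.
UNREACHABLE = {"Inactive", "ImpairedCommunication", "NoSensorDataImpairedCommunication"}


def api_base(region: str = "global") -> str:
    """Pick the API host for a region; unknown regions fall back to global."""
    return API_HOSTS.get(region, API_HOSTS["global"])


def can_offboard(machine: dict) -> bool:
    """True when the device record's healthStatus is not one of the unreachable states."""
    return machine.get("healthStatus") not in UNREACHABLE


def build_request(base: str, machine_id: str, comment: str, tag: Optional[str] = None):
    """Return (method, url, body) for an offboard action, or for adding a tag
    when `tag` is given (the fallback the second answer recommends)."""
    if tag is None:
        return "POST", f"{base}/api/machines/{machine_id}/offboard", {"Comment": comment}
    return "POST", f"{base}/api/machines/{machine_id}/tags", {"Value": tag, "Action": "Add"}


def call(method: str, url: str, token: str, body: Optional[dict] = None) -> dict:
    """Send one authenticated JSON request and return the decoded response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    except urllib.error.HTTPError as err:
        # The service answers 4xx with a JSON error body, e.g. when an
        # offboard action is still pending for this device (the question's case).
        detail = err.read().decode(errors="replace")
        raise RuntimeError(f"{method} {url} -> HTTP {err.code}: {detail}") from err


def offboard_or_tag(base: str, machine_id: str, token: str, comment: str, fallback_tag: str) -> dict:
    """Check the device state first, then either offboard it or tag it for filtering."""
    machine = call("GET", f"{base}/api/machines/{machine_id}", token)
    if can_offboard(machine):
        method, url, body = build_request(base, machine_id, comment)
        action = call(method, url, token, body)
        return {"mode": "offboard", "actionId": action.get("id"), "status": action.get("status")}
    method, url, body = build_request(base, machine_id, comment, tag=fallback_tag)
    call(method, url, token, body)
    return {"mode": "tag", "healthStatus": machine.get("healthStatus")}


def action_status(base: str, action_id: str, token: str) -> str:
    """Poll a machine action; it moves from Pending/InProgress to Succeeded or Failed."""
    return call("GET", f"{base}/api/machineactions/{action_id}", token).get("status", "Unknown")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: offboard.py <machineId> [global|us|eu|uk]")
    token = os.environ.get("MDE_TOKEN") or sys.exit("set MDE_TOKEN to a bearer token for the API")
    base = api_base(sys.argv[2] if len(sys.argv) > 2 else "global")
    result = offboard_or_tag(base, sys.argv[1], token, "Device decommissioned", "Decommissioned")
    print(json.dumps(result, indent=2))
```

    Run it as `MDE_TOKEN=... python offboard.py <machineId> eu`; when it reports `"mode": "offboard"`, keep the returned `actionId` and pass it to `action_status()` rather than re-submitting the offboard, since a second POST while the first action is still pending is what produces the "there is already a request" error described in the question. A `"mode": "tag"` result means the record was in a state the sensor cannot act on, so the tag is the practical way to keep it out of the active device view.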

  2. Pavel yannara Mirochnitchenko 11,711 Reputation points
    2022-11-03T11:54:38.44+00:00

    I use the exclude option in the M365 Defender console. When you exclude devices one by one, they will no longer affect the score and won't affect the Security Recommendation affected-device number. Before this exclude option was added to the Defender console, I also tried to run offboarding scripts and wrote an API script to delete them, but it worked very randomly. So exclude is what I use :) (before exclude I had serious problems with scores and numbers, not anymore).
