device offboarding in microsoft 365 defender

Question

Hello, how are you, I have the following case:

I have also removed some devices from intune from azure ad, but in the security center they continue to appear, these devices no longer exist so that I cannot execute the offboarding script nor do it by endpoint manager policies.

I was performing the procedure through the api explorer with this post request https://api.securitycenter.windows.com/api/machines/enterdeviceidhere/offboard

Where I put the device id, the request has been successful and if I execute it it gives me the error that there is a request, however, the device has not yet been removed and a week has already passed.

Does anyone have any solution? Thanks in advance

Answer 1

@Douglas Bonilla

Thank you for reaching out to us. As I understand you are trying to offboard a device which you no longer has access ( cannot-be-reached-by-GPO,-SCCM,-Intune-or-local-script ).

As long as the machine is not in the "inactive" or "impaired communication" states, then you can offboard it from the portal using API explorer, you can check the state of the device from the defender for endpoint portal ( below screenshot for reference ).

Also have you tried using the api's closer to your geo location, as mentioned here https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machine-api?view=o365-worldwide#:~:text=For%20better%20performance%2C%20you%20can%20use%20server%20closer%20to%20your%20geo%20location%3A

What is the operating system of the devices which you are trying to offboard ?

Note: This API is supported on Windows 11, Windows 10, version 1703 and later; on Windows Server 2019 and later; and on Windows Server 2012 R2 and Windows Server 2016 when using the new, unified agent for Defender for Endpoint. This API is not supported on macOS or Linux devices. - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machine-api?view=o365-worldwide#:~:text=Defender%20for%20Endpoint.-,Note,-This%20API%20is

Would suggest to try with above recommendations, if doesnt help let me know we can connect offline and troubleshoot the same.

Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machines?view=o365-worldwide

Answer 2

Hello,

I am using also the API Offboard, but the device will not be completely deleted. MS intentionally keep the machine record until it ages to avoid cases where the machine may be found out later to be involved in a security incident or investigation.

You can just filter these machines out of the device list by either using the “active” machine filter (machines will turn inactive after several days with no activity) or as suggested tag them and use the tag to filter them out. More on this here Device list filters (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide) There was also a recent blog series on tagging: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058

----------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept as answer--

Answer 3

I use exclude option in M356 defender console. When you exclude device one by one, it will no longer affect the score and won't affect Security Recommendation affected device number. Before this exclude option was added in Defender console, I also tried to run offboarding scripts and wrote API script to delete them but it worked very randomly. So exclude is what I use :) (before exclude I had serious problems with scores and numbers, not anymore).