device offboarding in microsoft 365 defender

Douglas Bonilla 66 Reputation points
2022-11-02T14:23:39.457+00:00

Hello, how are you, I have the following case:

I have also removed some devices from intune from azure ad, but in the security center they continue to appear, these devices no longer exist so that I cannot execute the offboarding script nor do it by endpoint manager policies.

I was performing the procedure through the api explorer with this post request https://api.securitycenter.windows.com/api/machines/enterdeviceidhere/offboard

Where I put the device id, the request has been successful and if I execute it it gives me the error that there is a request, however, the device has not yet been removed and a week has already passed.

Does anyone have any solution? Thanks in advance

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,837 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,267 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,721 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,543 questions
{count} votes

Accepted answer
  1. Givary-MSFT 30,756 Reputation points Microsoft Employee
    2022-11-03T08:11:55.677+00:00

    @Douglas Bonilla

    Thank you for reaching out to us. As I understand you are trying to offboard a device which you no longer has access ( cannot-be-reached-by-GPO,-SCCM,-Intune-or-local-script ).

    As long as the machine is not in the "inactive" or "impaired communication" states, then you can offboard it from the portal using API explorer, you can check the state of the device from the defender for endpoint portal ( below screenshot for reference ).

    Also have you tried using the api's closer to your geo location, as mentioned here https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machine-api?view=o365-worldwide#:~:text=For%20better%20performance%2C%20you%20can%20use%20server%20closer%20to%20your%20geo%20location%3A

    What is the operating system of the devices which you are trying to offboard ?

    Note: This API is supported on Windows 11, Windows 10, version 1703 and later; on Windows Server 2019 and later; and on Windows Server 2012 R2 and Windows Server 2016 when using the new, unified agent for Defender for Endpoint. This API is not supported on macOS or Linux devices. - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machine-api?view=o365-worldwide#:~:text=Defender%20for%20Endpoint.-,Note,-This%20API%20is

    Would suggest to try with above recommendations, if doesnt help let me know we can connect offline and troubleshoot the same.

    Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machines?view=o365-worldwide

    256666-image.png

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Limitless Technology 44,101 Reputation points
    2022-11-03T08:43:09.063+00:00

    Hello,

    I am using also the API Offboard, but the device will not be completely deleted. MS intentionally keep the machine record until it ages to avoid cases where the machine may be found out later to be involved in a security incident or investigation.

    You can just filter these machines out of the device list by either using the “active” machine filter (machines will turn inactive after several days with no activity) or as suggested tag them and use the tag to filter them out. More on this here Device list filters (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide) There was also a recent blog series on tagging: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058

    ----------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments

  2. Pavel yannara Mirochnitchenko 12,411 Reputation points MVP
    2022-11-03T11:54:38.44+00:00

    I use exclude option in M356 defender console. When you exclude device one by one, it will no longer affect the score and won't affect Security Recommendation affected device number. Before this exclude option was added in Defender console, I also tried to run offboarding scripts and wrote API script to delete them but it worked very randomly. So exclude is what I use :) (before exclude I had serious problems with scores and numbers, not anymore).

    0 comments No comments