Device offboarding in Microsoft 365 Defender

Douglas Bonilla 71 Reputation points
2022-11-02T14:23:39.457+00:00

Hello, how are you? I have the following case:

I have also removed some devices from Intune and from Azure AD, but in the Security Center they continue to appear. These devices no longer exist, so I cannot execute the offboarding script nor do it through Endpoint Manager policies.

I was performing the procedure through the API Explorer with this POST request: https://api.securitycenter.windows.com/api/machines/enterdeviceidhere/offboard

Where I put the device ID, the request was successful, and if I execute it again it gives me the error that there is a request; however, the device has not yet been removed and a week has already passed.

Does anyone have any solution? Thanks in advance.


Accepted answer
  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2022-11-03T08:11:55.677+00:00

    @Douglas Bonilla

    Thank you for reaching out to us. As I understand it, you are trying to offboard a device to which you no longer have access (cannot be reached by GPO, SCCM, Intune or local script).

    As long as the machine is not in the "inactive" or "impaired communication" states, you can offboard it from the portal using API Explorer. You can check the state of the device from the Defender for Endpoint portal (see the screenshot below for reference).

    Also, have you tried using the APIs closer to your geo location, as mentioned here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machine-api?view=o365-worldwide#:~:text=For%20better%20performance%2C%20you%20can%20use%20server%20closer%20to%20your%20geo%20location%3A

    What is the operating system of the devices which you are trying to offboard?

    Note: This API is supported on Windows 11, Windows 10, version 1703 and later; on Windows Server 2019 and later; and on Windows Server 2012 R2 and Windows Server 2016 when using the new, unified agent for Defender for Endpoint. This API is not supported on macOS or Linux devices. - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machine-api?view=o365-worldwide#:~:text=Defender%20for%20Endpoint.-,Note,-This%20API%20is

    I would suggest trying the above recommendations; if that doesn't help, let me know and we can connect offline and troubleshoot the same.

    Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machines?view=o365-worldwide

    [screenshot: 256666-image.png]
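An added example (not from this thread and not Microsoft's own tooling) that applies the accepted answer's check in Python before calling the offboard API: it reads the device's healthStatus, looks for an Offboard machine action that is still unfinished (the "there is a request" situation from the question), and only then submits a new request. The host, the transport function and the comment text are assumptions; the bearer token comes from your own app registration.

```python
import json
from typing import Callable, Optional
from urllib.parse import quote
from urllib.request import Request, urlopen

# Assumed default host; the accepted answer notes regional hosts may perform better.
DEFAULT_BASE = "https://api.securitycenter.microsoft.com"

def http_urllib(method: str, url: str, token: str, body: Optional[dict] = None):
    """Real transport: bearer-authenticated JSON call, returns (status, parsed body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(url, data=data, method=method,
                  headers={"Authorization": f"Bearer {token}",
                           "Content-Type": "application/json"})
    with urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})

def unfinished_offboard(actions: list) -> Optional[dict]:
    """Pick out an Offboard machine action that has not completed yet."""
    for act in actions:
        if act.get("type") == "Offboard" and act.get("status") in ("Pending", "InProgress"):
            return act
    return None

def offboard_device(machine_id: str, token: str, http: Callable = http_urllib,
                    base: str = DEFAULT_BASE, comment: str = "Decommissioned device") -> str:
    """Submit an offboard only when the sensor can still receive it; otherwise say why not."""
    status, machine = http("GET", f"{base}/api/machines/{machine_id}", token)
    if status != 200:
        return f"lookup failed: HTTP {status}"
    health = machine.get("healthStatus")
    if health != "Active":
        # Inactive / ImpairedCommunication sensors never pick the action up: tag or filter instead.
        return f"skip: healthStatus is {health}, action would not be delivered"
    filt = quote(f"machineId eq '{machine_id}' and type eq 'Offboard'")
    status, acts = http("GET", f"{base}/api/machineactions?$filter={filt}", token)
    pending = unfinished_offboard(acts.get("value", []))
    if pending:
        # The "there is already a request" case: track the existing action, do not resubmit.
        return f"pending: action {pending.get('id')} is {pending.get('status')}"
    status, action = http("POST", f"{base}/api/machines/{machine_id}/offboard", token,
                          {"Comment": comment})
    if status != 201:
        return f"offboard rejected: HTTP {status}"
    return f"submitted: action {action.get('id')} ({action.get('status')})"
```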


2 additional answers

  1. Limitless Technology 44,776 Reputation points
    2022-11-03T08:43:09.063+00:00

    Hello,

    I am also using the Offboard API, but the device will not be completely deleted. MS intentionally keeps the machine record until it ages out, to avoid cases where the machine may later be found to be involved in a security incident or investigation.

    You can just filter these machines out of the device list, either by using the "active" machine filter (machines will turn inactive after several days with no activity) or, as suggested, by tagging them and using the tag to filter them out. More on this here: Device list filters (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide). There was also a recent blog series on tagging: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058

    ----------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--


  2. Pavel yannara Mirochnitchenko 13,341 Reputation points MVP
    2022-11-03T11:54:38.44+00:00

    I use the exclude option in the M365 Defender console. When you exclude devices one by one, they will no longer affect the score and won't affect the Security Recommendation affected-device number. Before this exclude option was added to the Defender console, I also tried running offboarding scripts and wrote an API script to delete them, but it worked very randomly. So exclude is what I use :) (before exclude I had serious problems with scores and numbers, not anymore).
