Offboarding MDE from Windows Server 2016 failing with "[Error Id: 15, Error Level: 1] [...] failed to stop running"

Nicole-0681 81 Reputation points
2023-01-11T14:06:01.54+00:00

Due to issues we had to move away from MDE, but we are experiencing issues with the offboarding of a single server.
We've already found a similar thread with the exact same error message.
https://social.technet.microsoft.com/Forums/windows/en-US/155881a8-0639-4511-b113-00c61e8d88d0/error-id-15-error-level-1-error-message-windows-defender-advanced-threat-protection-service

MDE results detailing missing components

As described in the thread, we made sure that the offboarding package came from the right tenant, which we even verified by the SCP Tenant ID. The MDE Analyzer also yielded some results as to the Modern Unified Agent and the OMSListener not being installed, which shouldn't really matter with uninstalling MDE?
Also the path "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" is missing on that machine, "C:\ProgramData\Microsoft\Windows Defender" exists, though.
The MdeConfigMgrRegInfo.txt Log also shows the following results:

please find reg info for MdeConfigMgr flow On : 11.01.2023 2:06:38  +01:00
EnrollmentStatus : False
TenantId : False
DeviceId : False
EnrollmentPayload : False
MemConfiguration : False
LastCheckinAttempt : False
LastCheckinSuccess : False
SystemManufacturer : VMware, Inc.
SystemProductName : VMware Virtual Platform
ProductName : Windows Server 2016 Standard
UBR : 5501
OnboardedInfo : 
SenseCmConfiguration : 
NextVersion : 
InvalidVersion : 
SwitchStatus : 
InstallLocation : 
NewPlatform : 
MsSensePath : 
MsSecFltPath : False

Accepted answer
  1. Akshay-MSFT 17,906 Reputation points Microsoft Employee
    2023-01-16T13:30:05.2166667+00:00

    Hello @Nicole ,

    Thank you for posting your query on Microsoft Q&A. Could you please validate the following:

    • Whether the offboarding package was created more than 30 days ago; this can be confirmed from the package name. Could you try deploying a newly generated offboarding package?

    • See if the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection exists. If yes, then validate the org ID in the MDE portal and the GUID in the registry path.
    • Also, if you could navigate to services.msc, look for the Windows Defender Advanced Threat Protection service and check the status while running the offboarding package. If the service does not stop, kindly try to stop it manually, followed by retrying to run the offboarding package.

    Please do let me know the results of the above action plan in the comments section.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.
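
The three checks from the accepted answer, collected into a read-only PowerShell script. This is an added example, not part of the original answer or of Microsoft's tooling. It assumes the offboarding script's file name contains `valid_until_YYYY-MM-DD`, and the default `$PackagePath` is a constructed sample.

```powershell
# Read-only pre-checks before re-running an MDE offboarding package.
# Added example; nothing here stops services or changes the registry.
param(
    # Constructed sample path; point this at your own downloaded package.
    [string]$PackagePath = 'C:\Temp\WindowsDefenderATPOffboardingScript_valid_until_2023-02-10.cmd'
)

function Get-PackageExpiry {
    # Assumption: the file name carries "valid_until_YYYY-MM-DD".
    param([string]$Path)
    $name = Split-Path -Path $Path -Leaf
    if ($name -match 'valid_until_(\d{4}-\d{2}-\d{2})') {
        return [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd',
            [cultureinfo]::InvariantCulture)
    }
    return $null
}

# 1. Package age, read from the file name.
$expiry = Get-PackageExpiry -Path $PackagePath
if ($null -eq $expiry) {
    Write-Warning "No valid_until date in '$PackagePath'; check the package age in the portal."
} elseif ($expiry.Date -lt (Get-Date).Date) {
    Write-Warning "Package expired on $($expiry.ToString('yyyy-MM-dd')); generate a new one."
} else {
    Write-Output "Package valid until $($expiry.ToString('yyyy-MM-dd'))."
}

# 2. Policy registry path named in the answer. Every value is printed so the
#    GUID can be compared by eye with the org ID shown in the MDE portal.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
if (Test-Path -Path $policyKey) {
    Get-ItemProperty -Path $policyKey |
        Select-Object -Property * -ExcludeProperty PS* | Format-List
} else {
    Write-Output "Policy key not present: $policyKey"
}

# 3. Service state; run this again while the offboarding package executes.
$svc = Get-Service -DisplayName 'Windows Defender Advanced Threat Protection*' `
    -ErrorAction SilentlyContinue
if ($svc) {
    $svc | Select-Object Name, DisplayName, Status | Format-Table -AutoSize
} else {
    Write-Output 'Windows Defender Advanced Threat Protection service not found.'
}
```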

