Offboarding VMs from Defender for Servers Plan 2

PM 0 Reputation points
2025-05-01T10:02:46.0366667+00:00

After enabling Defender for Servers Plan 2 on a subscription for testing, the plan has been deactivated; however, the servers are still visible in the Defender for Server Portal. In the Azure portal, the MDE.Windows extension remains installed on the VM.

It was expected that deactivating the plan in MDC would automatically offboard the VMs. Is there a required step in between this process? Documentation on this topic seems to be lacking.

Assistance with this issue would be greatly appreciated.

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

2 answers

  1. Jose Benjamin Solis Nolasco 1,836 Reputation points
    2025-05-01T12:48:32.4833333+00:00

    Good morning, I hope you are doing well,

    You can read a little bit more about this here https://learn.microsoft.com/en-us/defender-endpoint/offboard-machines

    Also, I made this guide for you:

    To offboard VMs from Defender for Servers Plan 2, follow these steps:

    **Uninstall the MDE.Windows extension**:

    - In the Azure portal, navigate to the VM.
    - Select Extensions under Settings.
    - Find MDE.Windows and select Uninstall [1].

    **Offboard the VM from Defender for Endpoint**:

    - In the **Microsoft Defender portal**, go to **Settings** > **Offboard**.
    - Select the operating system of the VM and follow the prompts to complete the offboarding process [1] [2].

    **Verify the offboarding**:

    - Check the **Event Viewer** on the VM for events from the **WDATPOnboarding** source to confirm successful offboarding [2].

    **Remove policies and configurations**:

    - If you used **Group Policy**, **Configuration Manager**, or **Mobile Device Management (MDM)** tools for onboarding, ensure you remove any policies or configurations related to Defender [1] [2].

    These steps should help ensure that the VMs are fully offboarded from Defender for Servers Plan 2. If you encounter any issues or need further assistance, you can refer to the official documentation.

    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!

    1 person found this answer helpful.

  2. Navya 18,840 Reputation points Microsoft External Staff Moderator
    2025-05-05T14:21:11.54+00:00

    Hi @PM

    I understand that you enabled Defender for Servers Plan 2 on a subscription for testing, and later deactivated it. However, you're still seeing servers listed in the Defender for Servers portal.

    When you enable the Defender for Servers plan on a subscription, the native Defender for Endpoint integration in Defender for Cloud automatically deploys the Defender for Endpoint agent on supported machines as needed. This automatic onboarding installs the MDE.Windows or MDE.Linux extension, depending on the operating system.

    Deactivating Defender for Servers Plan 2 does not automatically offboard virtual machines (VMs) or remove installed agents or extensions such as the MDE.Windows extension. Disabling Plan 2 only stops further billing and deployment; it does not remove existing agents or offboard the VM from Microsoft Defender for Endpoint (MDE).

    To offboard the servers, you must first delete the MDE.Windows or MDE.Linux extension from the VM and then follow the offboarding process.

    For detailed instructions, refer to the official documentation: https://learn.microsoft.com/en-us/defender-endpoint/onboard-server#offboard-windows-servers

    Hope this helps. Do let us know if you have any further queries.

    1 person found this answer helpful.
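An added example, not part of either answer or of Microsoft's documentation: a PowerShell audit that lists every VM in a subscription still carrying the MDE.Windows or MDE.Linux extension after the plan was disabled, and removes the extension only when asked. It assumes the Az PowerShell modules are installed and `Connect-AzAccount` has already been run; the parameter names `SubscriptionId` and `Remove` are chosen for this example.

```powershell
#Requires -Modules Az.Accounts, Az.Compute
# Added example. Assumes an authenticated Az session; the subscription ID is supplied by the caller.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,  # subscription where Defender for Servers was disabled
    [switch] $Remove                                  # without this switch the script only reports
)

$mdeExtensions = 'MDE.Windows', 'MDE.Linux'           # extension names given in the answers above
Set-AzContext -Subscription $SubscriptionId | Out-Null

$findings = foreach ($vm in Get-AzVM) {
    # Get-AzVMExtension without -Name returns every extension installed on the VM
    Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name |
        Where-Object { $_.Name -in $mdeExtensions } |
        ForEach-Object {
            [pscustomobject]@{
                ResourceGroup = $vm.ResourceGroupName
                VM            = $vm.Name
                Extension     = $_.Name
                State         = $_.ProvisioningState
            }
        }
}

# Report what is still installed before changing anything
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Honors -WhatIf and -Confirm so the removal can be previewed first
        if ($PSCmdlet.ShouldProcess("$($f.ResourceGroup)/$($f.VM)", "Remove extension $($f.Extension)")) {
            Remove-AzVMExtension -ResourceGroupName $f.ResourceGroup -VMName $f.VM `
                -Name $f.Extension -Force
        }
    }
}

# Verification step, run on the Windows VM itself after offboarding:
# recent events from the WDATPOnboarding source in the Application log.
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding' } -MaxEvents 10 |
#     Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Removing the extension does not by itself offboard the machine from Defender for Endpoint; the offboarding process described in the answers still has to be completed.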
