Offboarding VMs from Defender for Servers Plan 2

Question

Offboarding VMs from Defender for Servers Plan 2

Mohit Parasar 0

After enabling Defender for Servers Plan 2 on a subscription for testing, the plan has been deactivated; however, the servers are still visible in the Defender for Server Portal. In the Azure portal, the MDE.Windows extension remains installed on the VM.

It was expected that deactivating the plan in MDC would automatically offboard the VMs. Is there a required step in between this process? Documentation on this topic seems to be lacking.

Assistance with this issue would be greatly appreciated.

Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2025-05-07T11:09:47.3633333+00:00

Hi @PM

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
Mohit Parasar 0 Reputation points

2025-05-08T08:04:22.37+00:00

First of all, thank you for your response — it helped me move a bit further. However, I find the offboarding process for a machine quite cumbersome. The local script (SCCM is not used in cloud) has to be executed on each machine and extension has to be removed from individual machine. as a azure platform admin i do not access on all the machines. I have followed the process on one test machine and i still see the status as active and onboarded in defender portal.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2025-05-21T12:16:46.3266667+00:00
Hi PM

Thank you for your feedback. I'm glad the initial steps helped you progress further.

If you've followed the offboarding process on a test VM but it's still showing as "Active" or "Onboarded" in the Defender portal, here are a few things to check:

Portal Sync Delay The Defender for Endpoint portal can take some time to reflect changes. Could you please refresh the page and check again after a short while?

Ensure Both Offboarding Steps Are Completed

The MDE.Windows extension must be removed from the VM via the Azure portal or through automation.

The offboarding script must be run locally on the VM.

Verify Offboarding via Event Viewer On the test VM, open Event Viewer > Applications and Services Logs > Microsoft > Windows > SENSE, or look under WDATPOnboarding, to confirm whether the offboarding script executed successfully.

2 answers

Your answer

Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2025-05-07T11:09:47.3633333+00:00

Hi @PM

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
Mohit Parasar 0 Reputation points

2025-05-08T08:04:22.37+00:00

First of all, thank you for your response — it helped me move a bit further. However, I find the offboarding process for a machine quite cumbersome. The local script (SCCM is not used in cloud) has to be executed on each machine and extension has to be removed from individual machine. as a azure platform admin i do not access on all the machines. I have followed the process on one test machine and i still see the status as active and onboarded in defender portal.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2025-05-21T12:16:46.3266667+00:00

Hi PM

Thank you for your feedback. I'm glad the initial steps helped you progress further.

If you've followed the offboarding process on a test VM but it's still showing as "Active" or "Onboarded" in the Defender portal, here are a few things to check:

Portal Sync Delay The Defender for Endpoint portal can take some time to reflect changes. Could you please refresh the page and check again after a short while?

Ensure Both Offboarding Steps Are Completed

The MDE.Windows extension must be removed from the VM via the Azure portal or through automation.

The offboarding script must be run locally on the VM.

Verify Offboarding via Event Viewer On the test VM, open Event Viewer > Applications and Services Logs > Microsoft > Windows > SENSE, or look under WDATPOnboarding, to confirm whether the offboarding script executed successfully.

Answer 1

Hi @PM

I understand that you enabled Defender for Servers Plan 2 on a subscription for testing, and later deactivated it. However, you're still seeing servers listed in the Defender for Servers portal.

When you enable the Defender for Servers plan on a subscription, the native Defender for Endpoint integration in Defender for Cloud automatically deploys the Defender for Endpoint agent on supported machines as needed. This automatic onboarding installs the MDE.Windows or MDE.Linux extension, depending on the operating system.

Deactivating Defender for Servers Plan 2 does not automatically offboard virtual machines (VMs) or remove installed agents or extensions such as the MDE.Windows extension. Disabling Plan 2 only stops further billing and deployment; it does not remove existing agents or offboard the VM from Microsoft Defender for Endpoint (MDE).

To offboard the servers, you must first delete the MDE.Windows or MDE.Linux extension from the VM and then follow the offboarding process.

For detailed instructions, refer to the official documentation: https://learn.microsoft.com/en-us/defender-endpoint/onboard-server#offboard-windows-servers

Hope this helps. Do let us know if you any further queries.

Answer 2

Good morning, I hope you are doing well,

You can read a little bit more about this here https://learn.microsoft.com/en-us/defender-endpoint/offboard-machines

Also I made this guide for you;

To offboard VMs from Defender for Servers Plan 2, follow these steps:

Uninstall the MDE.Windows extension:

In the Azure portal, navigate to the VM.

Select Extensions under Settings.

Find MDE.Windows and select Uninstall 1.

Offboard the VM from Defender for Endpoint:

- In the **Microsoft Defender portal**, go to **Settings** > **Offboard**.

   - Select the operating system of the VM and follow the prompts to complete the offboarding process **1** **2**.

   **Verify the offboarding**:

      - Check the **Event Viewer** on the VM for events from the **WDATPOnboarding** source to confirm successful offboarding **2**.

      **Remove policies and configurations**:

         - If you used **Group Policy**, **Configuration Manager**, or **Mobile Device Management (MDM)** tools for onboarding, ensure you remove any policies or configurations related to Defender **1** **2**.

These steps should help ensure that the VMs are fully offboarded from Defender for Servers Plan 2. If you encounter any issues or need further assistance, you can refer to the official documentation

😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!

Share via

Offboarding VMs from Defender for Servers Plan 2

2 answers

Your answer