Forum Discussion
MDE disable or uninstall
Hello All,
We have onboarded devices to MDE in a setup as follows,
1. Onboard devices to Entra as hybrid entra joined devices
2. Sync/Enroll devices to Intune from on-premise SCCM through co-management config.
3. Onboard devices to MDE from Intune through EDR policy.
Once the devices are onboarded, how can we do the following,
1. Disable DFE on a device (to disable protection while troubleshooting. Can we just stop the services?)
2. Uninstall DFE from a device (offboarding through a script would also remove all the policies applied to the device immediately?)
Please guide.
- Alikoc, Iron Contributor
Hello,
In your setup, where devices are onboarded to Microsoft Defender for Endpoint (MDE) through Intune, there are specific steps for temporarily disabling Defender for Endpoint (DFE) and for offboarding or uninstall.
To temporarily disable DFE on a device, follow these steps:
Using Intune Device Configuration Profiles:
Instead of stopping services directly on the device (as Intune policies may re-enable them), you can create a Device Configuration profile in Intune to temporarily adjust certain settings for troubleshooting purposes.
For example, you can disable real-time protection or cloud-delivered protection, which is often sufficient for troubleshooting.
In Intune, go to Endpoint security > Antivirus, and create a policy to modify Microsoft Defender Antivirus settings.
Using PowerShell for Short-Term Disabling on a Single Device:
If you have administrative access to the device, you can temporarily disable real-time protection using PowerShell:
Set-MpPreference -DisableRealtimeMonitoring $true
Keep in mind that this setting might be reset if Intune re-applies its policies, so this is best used for short-term troubleshooting only.
Uninstalling or Offboarding Defender for Endpoint (DFE)
If you need to completely remove DFE from a device, you can either offboard the device or uninstall Defender for Endpoint.
Offboarding the Device via Intune
Offboarding a device will stop it from being monitored by Defender for Endpoint, and all applied policies will be removed. Here’s how to offboard via Intune:
Download the Offboarding Script:
- Log in to the Microsoft 365 Defender portal and go to Settings > Endpoints > Onboarding.
- Select your OS (e.g., Windows 10/11), then download the offboarding package.
- This package includes a script that you can deploy through Intune to offboard the device.
Deploy the Offboarding Script via Intune:
- In Intune, go to Devices > Scripts and create a new Windows script.
- Upload the downloaded offboarding script and assign it to the devices you wish to offboard.
- Once the script runs, the devices will be offboarded from MDE, and all associated policies will be removed.
Note: Offboarding a device from Defender for Endpoint immediately removes all monitoring and policies associated with it. Use this only on devices you intend to permanently remove from MDE.
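A read-only state check to run before and after the troubleshooting window or the offboarding script described in the answer above, added here as an example and not part of the original posts. The service names `WinDefend` and `Sense` and the `OnboardingState` registry value do not appear in the thread; they are assumed from a standard Windows 10/11 install.

```powershell
# Added example: reports Defender AV and MDE sensor state without changing anything.
# Run from an elevated PowerShell prompt on the device being troubleshot.
function Get-DefenderTroubleshootingState {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Assumed service names for the two services named in the thread:
    #   WinDefend = Microsoft Defender Antivirus Service (MsMpEng.exe)
    #   Sense     = Windows Defender Advanced Threat Protection Service (MsSense.exe)
    $services = @{}
    foreach ($name in 'WinDefend', 'Sense') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $services[$name] = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    }

    # Assumed registry location: OnboardingState = 1 means the device is onboarded to MDE.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarding = (Get-ItemProperty -Path $key -Name OnboardingState `
                   -ErrorAction SilentlyContinue).OnboardingState

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        CheckedAt                 = Get-Date
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        CloudProtectionLevel      = $pref.MAPSReporting      # 0 = cloud-delivered protection off
        # When tamper protection is on, a local Set-MpPreference change to
        # real-time protection is not applied.
        TamperProtected           = $status.IsTamperProtected
        AntivirusService          = $services['WinDefend']
        SenseService              = $services['Sense']
        Onboarded                 = ($onboarding -eq 1)
    }
}

$state = Get-DefenderTroubleshootingState
$state | Format-List

# Flag a device that was left unprotected after troubleshooting ended.
if (-not $state.RealTimeProtectionEnabled) {
    Write-Warning ('Real-time protection is off. Restore it with ' +
                   '"Set-MpPreference -DisableRealtimeMonitoring $false" or wait for the Intune policy to re-apply.')
}
```

Saving the output before and after the change gives a record of how long protection was off and whether the Intune policy or the offboarding script actually took effect.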
- drivesafely, Brass Contributor
Hello Alikoc,
Thank you for your response.
1. Temporarily Disabling Defender for Endpoint (DFE):
We’ve noticed some delay in policy application. For quick troubleshooting, would stopping services locally disable both real-time and cloud controls? Is stopping only "Microsoft Defender Antivirus Service" (MsMpEng.exe) sufficient, or should we also stop "Windows Defender Advanced Threat Protection Service" (MsSense.exe)?
Alternatively, we can create a policy as you suggested.
2. Offboarding from Microsoft Defender for Endpoint (MDE):
After offboarding a device, will it automatically re-onboard via the EDR policy in Intune? How frequently does the EDR policy check?
Additionally, we’ve observed that some policies remain applied post-offboarding. Does removal take time, or are there manual steps required?
Thank you.
- Alikoc, Iron Contributor
Hello drivesafely
Yes, it may take some time, so if you do it manually, you can get faster results.
If the solution worked for you, can you mark it as a solution?
Best Regards,
Ali Koc