Forum Discussion
Remove from security portal
Hello!
This may be a really stupid question. We have a device which keeps popping up in the Defender portal as having hack tools installed.
We believe this belonged to an old consultant and somehow this got installed on their device a long time ago (it has no access to 365 and is not compliant but installed via intune I am guessing when they tried to add it)
We have no access to the device, and cant seem to remove it as it keeps popping up again with alerts for the hack tool each day.
It is MDE managed and not intune managed so cant use the intune methods. Absolutely no access or control over the end device.
Any ideas how to get this off of our defender portal? We dont own the device, have any responsibility over it or even know who owns it.
Thanks
Chris
1 Reply
You could try to offboard the device via API explorer through the Defender portal.
First get the device Id in Defender XDR of that device, either by going to the device page or using API (https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines).
Then offboard the device via https://learn.microsoft.com/en-us/defender-endpoint/api/offboard-machine-api
After that, the device will no longer send any data to the portal. It will still be visible though and will be removed after 180 days automatically (https://learn.microsoft.com/en-us/defender-endpoint/offboard-machines).
