IlyaGN
Jun 30, 2022

How to offboard and delete a device.

I have 1 device which I can't offboard or delete.
When I onboarded the device (using a policy in MEM) on Win10 20H2, all was fine. Sensors - Active.
After upgrading the OS to Win 10 21H2, the sensor status became "No sensors data".
I used different ways to resolve the problem.
Live Response session and MDE Client Analyzer. Results - all connectivity tests completed successfully.
Tried offboarding - local script, MEM policy. On the device the status is Offboarded. On the MS 365 Defender portal the status is Onboarded.
Used the API
Get https://api.securitycenter.microsoft.com/api/machines/9*******0
"lastSeen": "2022-06-15T03:55:01.3802913Z",
"healthStatus": "NoSensorData",
"onboardingStatus": "Onboarded",

Post https://api.securitycenter.microsoft.com/api/machines/9*******0/offboard
"code": "InvalidRequestBody",
"message": "Request body is incorrect"

Any ideas how to fix that?

  • IlyaGN

    I solved my problem.
    Tried various cleanings and checks. Nothing helped.
    I disabled MS Defender (using policies in Intune).
    And deleted all folders from
    C:\Program Files\Windows Defender Advanced Threat Protection
    C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection
    And deleted in regedit
    \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection

    Did a reboot.
    Launched
    DISM /Online /Cleanup-Image /RestoreHealth
    sfc /scannow
    Did a reboot.
    All services have been restored.
    The device has been redefined.
    Devices running Windows 11 automatically enroll using MEM MS Defender for Endpoint - Onboarding profile
    Everything worked right away. Within 10 minutes, the device was already connected to the MS 365 Defender portal. Now all telemetry is transmitted normally. The sensors are working.
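Added example, not part of the original posts: the documented offboard request for this API carries a JSON body with a `Comment` field, and this sketch checks a machine record shaped like the GET response quoted above before building that POST. The 7-day staleness threshold, the placeholder machine id and token, and the helper names are assumptions.

```python
import json
import urllib.request
from datetime import datetime, timezone

API = "https://api.securitycenter.microsoft.com/api/machines"

# Constructed sample using the fields quoted in the question; the id is a placeholder.
SAMPLE_MACHINE = {
    "id": "MACHINE_ID_PLACEHOLDER",
    "lastSeen": "2022-06-15T03:55:01.3802913Z",
    "healthStatus": "NoSensorData",
    "onboardingStatus": "Onboarded",
}

def parse_last_seen(value):
    # The API returns 7 fractional digits; whole seconds are enough here.
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def is_stale(machine, now, max_days=7):
    """True when the portal still reports Onboarded but the sensor has gone silent.
    max_days is an assumed threshold, not a value from the API."""
    age = now - parse_last_seen(machine["lastSeen"])
    return (machine["onboardingStatus"] == "Onboarded"
            and machine["healthStatus"] == "NoSensorData"
            and age.days >= max_days)

def build_offboard_request(machine_id, token, comment):
    """Build the POST .../offboard request with the JSON body the endpoint expects."""
    if not comment.strip():
        raise ValueError("Comment is required by the offboard action")
    body = json.dumps({"Comment": comment}).encode("utf-8")
    return urllib.request.Request(
        f"{API}/{machine_id}/offboard", data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})

if __name__ == "__main__":
    now = datetime(2022, 6, 30, tzinfo=timezone.utc)
    if is_stale(SAMPLE_MACHINE, now):
        req = build_offboard_request(SAMPLE_MACHINE["id"], "TOKEN_PLACEHOLDER",
                                     "Stale record after OS upgrade")
        print(req.get_method(), req.full_url, req.data.decode())
        # urllib.request.urlopen(req) would send it; that needs a real token
        # for an app granted the Machine.Offboard permission.
```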
