Forum Discussion

  • jbmartin6
    Iron Contributor
    This is by design, you do not want to remove data on a device that might turn out later to be involved in an incident.

  • Vlad_Buharevich 


    Hi Vlad,

    I'm experiencing the same issue, so I've turned to PowerShell as it usually has a bit more oomph.


    Copilot has suggested that the below script should prune the device named 'pc01' from Defender, Intune and Entra (Azure AD).


    I will be testing it a little later, but you can put -WhatIf after each command line to see what it will do. If you're not sure how to do this, copy and paste the below script into Copilot/ChatGPT etc. and ask it to make every command a -WhatIf, to ensure it runs in read-only mode 🙂


    Hope this helps!


    # Define the computer name
    $computerName = "pc01"

    # Remove the computer from Windows Defender
    # Note: no cmdlet with this name ships in the Defender module, as the reply below points out
    Unregister-MpComputer -CimSession $computerName

    # Connect to Microsoft Graph with the permissions needed for both Entra and Intune
    Connect-MgGraph -Scopes "Device.ReadWrite.All", "DeviceManagementManagedDevices.ReadWrite.All"

    # Find the device object in Microsoft Entra (formerly Azure AD) by its display name
    $entraDevice = Get-MgDevice -Filter "displayName eq '$computerName'"

    # Remove the device if it exists in Microsoft Entra (loop in case stale duplicates share the name)
    if ($entraDevice) {
        foreach ($d in $entraDevice) { Remove-MgDevice -DeviceId $d.Id }
    } else {
        Write-Host "Device not found in Microsoft Entra."
    }

    # Find the managed device in Intune; this is a separate object with its own ID, not the Entra ID
    $intuneDevice = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$computerName'"

    # Remove the device if it exists in Intune
    if ($intuneDevice) {
        foreach ($d in $intuneDevice) { Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $d.Id }
    } else {
        Write-Host "Device not found in Intune."
    }

    • Xbedard
      Copper Contributor

      Intelligent-Design-Australia 

      Unfortunately, the function Unregister-MpComputer doesn't seem to exist.

      This module https://github.com/alexverboon/PSMDATP has potential, but the function Remove-MDATPDevice seems to offboard only.


      A thing you (and I) could try is to open Developer Tools and copy the command that is executed when you click on Exclude.


      Edit: After a couple of tests, it works. In short, when you click on Exclude device, a POST command is sent to Defender. You can copy this command into PowerShell with the developer tools. The command includes your session cookie, and all that remains is to change the device ID. So you can create a function by modifying the sections that mention the device ID to use a variable. If you restart the computer or remain inactive, you will have to retrieve a new session cookie.
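
      One way to turn the captured request into a reusable function, written here as an added example rather than code from this thread. The URI, header set and body field name are placeholders (assumptions): replace them with what Developer Tools shows for your own tenant and session.

```powershell
# Added example, not from this thread: wrap a POST request captured from the browser's
# Developer Tools in a function that takes the device ID as a parameter, so the only part
# that changes per call is the ID. URI, headers and body field name are placeholders.
function Remove-DefenderDeviceByCapturedRequest {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$DeviceId,
        # Placeholder: the request URL copied from Developer Tools
        [Parameter(Mandatory)][string]$Uri,
        # Placeholder: the captured headers, including the Cookie header with your session
        [Parameter(Mandatory)][hashtable]$Headers
    )

    # Placeholder body: use the field names the captured request actually sends
    $body = @{ DeviceId = $DeviceId } | ConvertTo-Json -Compress

    # -WhatIf prints the target and sends nothing, so the ID can be checked first
    if ($PSCmdlet.ShouldProcess($DeviceId, "POST exclude request to $Uri")) {
        try {
            return Invoke-RestMethod -Method Post -Uri $Uri -Headers $Headers `
                -Body $body -ContentType 'application/json'
        } catch {
            # A restarted browser or idle session invalidates the cookie; surface that clearly
            $status = $_.Exception.Response.StatusCode.value__
            if ($status -in 401, 403) {
                throw "Session cookie rejected (HTTP $status): capture a fresh request in Developer Tools and retry."
            }
            throw
        }
    }
}
```

      Call it with -WhatIf first to confirm the device ID and URI before anything is sent.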

  • Nick_MTB
    Brass Contributor
    I am currently dealing with the same issue. Regardless of the API, I don't understand why they haven't implemented a simple Select Device > Remove from Defender.

    Currently, I have more than 10 devices that are either renamed or physically retired, but I still see them as part of the Device Inventory.
