Forum Discussion
Vlad_Buharevich (Copper Contributor)
Feb 01, 2022
Remove devices from Microsoft 365 Defender portal
24 hours have passed and I still see this device in my inventory.
I sent an API request for all 4 devices, but same issue.
- jbmartin6 (Iron Contributor)
This is by design; you do not want to remove data on a device that might turn out later to be involved in an incident.
- Intelligent-Design-Australia (Copper Contributor)
Hi Vlad,
I'm experiencing the same issue, so I've turned to PowerShell as it usually has a bit more oomph.
Copilot has suggested that the below script should prune the device named 'pc01' from Defender, Intune and Entra (Azure AD).
I will be testing it a little later, but you can put -WhatIf after each command line to see what it will do. If you're not sure how to do this, copy and paste the below script into Copilot/ChatGPT etc., and ask it to make every command a -WhatIf, to ensure it runs in read-only mode 🙂
Hope this helps!
# Define the computer name
$computerName = "pc01"

# Remove the computer from Microsoft Defender for Endpoint
# NOTE: Unregister-MpComputer is not a real cmdlet; the Defender PowerShell module has no
# cmdlet for this. Offboarding is done with the offboarding package or the Defender for
# Endpoint "offboard" API, so this step is left commented out.
# Unregister-MpComputer -CimSession $computerName

# Connect to Microsoft Graph with the permissions needed to delete Entra and Intune devices
Connect-MgGraph -Scopes "Device.ReadWrite.All", "DeviceManagementManagedDevices.ReadWrite.All"

# Remove the computer from Microsoft Entra (formerly Azure AD)
# Get-MgDevice queries Entra device objects (Get-MgDeviceManagementManagedDevice is the Intune cmdlet)
$entraDevice = Get-MgDevice -Filter "displayName eq '$computerName'"
if ($entraDevice) {
    Remove-MgDevice -DeviceId $entraDevice.Id
} else {
    Write-Host "Device not found in Microsoft Entra."
}

# Remove the computer from Intune
# The Intune managed-device ID is not the Entra device object ID, so look it up separately
$intuneDevice = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$computerName'"
if ($intuneDevice) {
    Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $intuneDevice.Id
} else {
    Write-Host "Device not found in Intune."
}
- Xbedard (Copper Contributor)
Unfortunately, the function Unregister-MpComputer doesn't seem to exist.
This module https://github.com/alexverboon/PSMDATP has potential, but its function Remove-MDATPDevice seems to offboard only.
A thing you (and I) could try is to open Developer Tools and copy the command that is executed when you click on Exclude.
Edit: After a couple of tests, it works. In short, when you click on Exclude device, a POST request is sent to Defender. You can copy this request into PowerShell from the developer tools. The request includes your session cookie, and all that remains is to change the device ID. So you can create a function by modifying the sections that mention the device ID to use a variable. If you restart the computer or remain inactive, you will have to retrieve a new session cookie.
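The same kind of API call done with the documented Defender for Endpoint API rather than a POST captured from the portal with a session cookie. This is an added example, not code from the thread: it assumes an Entra app registration granted the Machine.Read.All and Machine.Offboard application permissions (the tenant ID, app ID and secret below are placeholders), looks the device up by DNS name and calls the offboard endpoint. Note that, as the thread says, offboarding does not delete the device from the inventory; the entry stays until the retention period expires.

```powershell
# Added example: offboard a device by name with the documented Defender for Endpoint API.
# Assumes an app registration with the Machine.Read.All and Machine.Offboard application
# permissions; the three values below are placeholders, not real identifiers.
$tenantId     = "<tenant-id>"
$appId        = "<app-id>"
$appSecret    = "<app-secret>"
$computerName = "pc01"

# Get an application token for the Defender for Endpoint API (client credentials flow)
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -Body @{
        resource      = "https://api.securitycenter.microsoft.com"
        client_id     = $appId
        client_secret = $appSecret
        grant_type    = "client_credentials"
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Find the machine by DNS name ($filter on computerDnsName is supported by /api/machines).
# computerDnsName may be the FQDN (pc01.contoso.com), so adjust $computerName if the lookup is empty.
$machines = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "https://api.securitycenter.microsoft.com/api/machines?`$filter=computerDnsName eq '$computerName'"

if (-not $machines.value) {
    Write-Warning "No device named '$computerName' found in Defender for Endpoint."
    return
}

foreach ($machine in $machines.value) {
    # A renamed or re-imaged device can appear more than once; offboard each stale entry.
    Write-Host "Offboarding $($machine.computerDnsName) (id $($machine.id), last seen $($machine.lastSeen))"
    Invoke-RestMethod -Method Post -Headers $headers -ContentType "application/json" `
        -Uri "https://api.securitycenter.microsoft.com/api/machines/$($machine.id)/offboard" `
        -Body (@{ Comment = "Retired device, offboarded via API" } | ConvertTo-Json)
}

# The offboarded entries stay in the device inventory until the retention period expires;
# the public API has no call that deletes a device from the list.
```

Run it with an account or app that has the Machine.Offboard permission; without it the offboard call returns 403. Because the filter is an exact match, check the returned computerDnsName and lastSeen before offboarding so an active device with a similar name is not touched.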
- Jonhed (Steel Contributor)
The devices will remain listed until the retention period expires (30 days to 180 days), as stated in the documentation.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machines?view=o365-worldwide
I do agree it would be more straightforward if the devices were also removed from the device list, but it does not appear to be possible right now.
- Nick_MTB (Brass Contributor)
I am currently dealing with the same issue; regardless of the API, I don't understand why they haven't implemented a simple Select Device > Remove from Defender.
Currently, I have more than 10 devices that are either renamed or physically retired, but I still see them as part of the Device Inventory.