cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How offborded and deleted device.

IlyaGN
Copper Contributor

‎Jun 29 2022 10:09 PM - edited ‎Jun 29 2022 10:13 PM

‎Jun 29 2022 10:09 PM - edited ‎Jun 29 2022 10:13 PM

How offborded and deleted device.

I have 1 device which i can't offboarded or deleted.
When i onborded (use policy in MEM) device Win10 20H2. All was fine. Sensors - Active.
After upgrade OS to Win 10 21H2. Sensor status has become "No sensors data".
I used difrent ways to resolv problem.
Live Response session and MDE Client Analyzer. Results - all tests connectivity completed successfully.
Try offboarded - local scrip, MEM policy. On device status Offboarded. On portal MS 365 defender status - Onboarded.
Used API
Get https://api.securitycenter.microsoft.com/api/machines/9*******0
"lastSeen": "2022-06-15T03:55:01.3802913Z",
"healthStatus": "NoSensorData",
"onboardingStatus": "Onboarded",

Post https://api.securitycenter.microsoft.com/api/machines/9*******0/offboard
"code": "InvalidRequestBody",
"message": "Request body is incorrect"

Any ideas how fix that?

911 Views
0 Likes
1 Reply
Reply
1 Reply
IlyaGN

‎Jul 26 2022 09:33 PM

‎Jul 26 2022 09:33 PM

Re: How offborded and deleted device.

 

I solved my problem.
Tried various cleanings and checks. Nothing helped.
I disabled MS Defender (using policies in Intune).
And deleted all folders from
C:\Program Files\Windows Defender Advanced Threat Protection
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection
And deleted in regedit
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection

Did a reboot.
launched
DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow
Did a reboot.
All services have been restored.
The device has been redefined.
Devices running Windows 11 automatically enroll using MEM MS Defender for Endpoint - Onbording profile
Everything worked right away. Within 10 minutes, the device was already connected to the MS 365 Defender portal. Now all telemetry is transmitted normally. The sensors are working.

0 Likes
Reply