SOLVED

Remove devices from MDATP portal

Brass Contributor

We have a couple of devices that are showing in MDATP which we would like to get rid of, however we are not in a position to run any scripts...

One was registered in InTune by mistake and has been unregistered, and we cannot contact the owner anymore - and it's still checking in.

One device failed and was rebuilt with the same name but is now showing twice.

 

Can we remove these?

Neil

28 Replies

@neilcarden The only option is to get the offboarding script and run that on the computer you want to offboard. I had this situation when I was evaluating MDATP, which was on a different portal and lost access to the portal.

 

Regarding the existing device, if you haven't offboarded it using the script, you will see two machines, but after some time the old machine will be shown as inactive and then, as per the retention period you set on the portal, the device will be removed. What I usually do in this case is tag the old computer and this way I can easily identify the old machine name.

Ah yes OK, makes sense, the old device is showing as inactive. 

 

So apart from running the offboarding script on the other device that is now unregistered, that will never drop off?

 

Neil

@neilcarden If the machine is not communicating with the MDATP portal, after a few days it will be set as inactive and, based on the retention you set, will then be removed.

 

I just created a video where I explained this and the retention period, you can check there as well, but it talks more about the new endpoint manager portal. https://www.youtube.com/watch?v=aHhjQKtbS98

 

The ability to manually remove machines would be a welcomed feature. I’m in the process of rolling WDATP out via Azure Security Center and have multiple duplicate machine entries as a result of some reconfiguration work that we’re doing on the servers.

Would be handy to be able to manually delete the orphaned entries.
You could offboard the device through the API, this is one way of removing it without running the script
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/offboard-...

Hello

 

I have run into this issue previously and found a great fix that doesn't involve contacting the users or even having physical access to their machine. Please follow these steps:

 

  1. Copy the machine you want to offboard in the machine list and obtain the machine ID from the URL (…/machines/<machine ID>)
  2. Navigate to API explorer (Left pane in ATP > Partners & APIs > API explorer)
  3. Change first drop-down to "POST"
  4. Paste this URL (https://api.securitycenter.windows.com/api/machines/{machine-id}/offboard)
  5. Enter machine ID in the URL (keep the entire URL, just replace <MachineID>)
  6. Run query (This will force machine to run the offboarding script next time the machine checks in.)
  7. Include this comment (remove the first and last quotations):

               "{
               "Comment": "Offboard machine by automation"
               }"

  8. Repeat 1-6 for each machine you'd like to remove

 

Hope that helps!

Thanks, 

Kate

@KateAWin Thanks for your response... I have tried this on two machines... and get the following error

 

{
    "error": {
        "code": "InvalidRequestBody",
        "message": "Request body is incorrect",
        "target": "a66d6701-05de-45ea-xxxx-439235eec2cf"
    }
}
 
Google search doesn't return much in way of help

@neilcarden In order to post the HTML on this web page, I had to include quotation marks before and after the brackets: "{}" 

 

Remove only those two quotation marks, but keep the rest of the code. Also, you can give it a try without entering anything in the body. I would assume the comment is optional, though I've never tried it myself.

 

Thank you,

Kate

@KateAWin Thanks again for responding however I am a bit confused.

 

So I am running this query (not real machine id)

 

https://api.securitycenter.windows.com/api/machines/aaf12345677955b102547d22ff302/offboard

 

Do I need { } either side of the machine ID?

 

And where do I type the comments bit??

 

I have attached a pic.

 


best response confirmed by neilcarden (Brass Contributor)
Solution

@neilcarden Sorry for the confusion, it's poorly labeled in ATP. Here is a screenshot of what it should look like before you run the query (it looks like you're entering the comment in the bottom "Response body" when it should be the top unlabeled input box):

 


 

Thank you,
Kate

 

 

@KateAWin Thank you that worked a charm... well the command did, just need to see if it actually offboards it now! :)

 

Thanks

Neil

@neilcarden Anything changed on this front? Seems a massive oversight to not have a delete / purge entries option from the Portal itself. It's pretty obvious there are going to be scenarios where you can't gracefully "offboard" a device: duplicates, stolen, damaged, lost, wiped and reloaded, etc.

 

Kate's method sounds like a server side offboard push which is obviously not much use for any of the above scenarios.

 

Where is the Data Retention period setting? There's one generic one that's set to 180 days for all data; is that it?

@neilcarden, Is there any time period after a device is retired or wiped after which it is automatically deleted from Defender ATP, or does it have to be done manually?

Regards,

Davor

@Davor_Dmitric @MattoNZ 

 

Hi, the retention period is set in the Settings > General > Data Retention > Data Retention section.

 

I have this set to 180 days, however on my device inventory view I have this set to 30 days. So I don't see those devices that are no longer in use after 30 days.

 

I agree it would be nice to actually remove those devices especially as most of mine are ones that have been renamed to the correct naming convention.

@KateAWin Getting this error:

 


 

Any ideas?

 

You are using it on an unsupported platform.
From the docs:
This API is supported on Windows 10, version 1703 and later, or Windows Server 2019 and later. This API is not supported on MacOS or Linux devices.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/offboard-...

Has anyone tried scripting this if you have multiple devices you want to offboard?
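
One way to script the procedure from Kate's steps above (POST to .../api/machines/{machine-id}/offboard with a bare JSON body) over a list of device IDs. This is an added example, not code from the thread or from Microsoft. It assumes you already hold a bearer token for an app registration granted the Machine.Offboard permission, that device IDs are 40-character hex strings, and it sends requests through an injectable callable so the response handling can be exercised offline. The response handling maps the two errors quoted in this thread (InvalidRequestBody from the stray quotation marks, ResourceNotFound for stale duplicate entries) to outcomes an admin can act on; a 201 only means the action is queued, so a device that never checks in again still waits for the data-retention period.

```python
"""Bulk offboarding of Microsoft Defender for Endpoint devices via the API.

Added example (not from the thread or from Microsoft). Assumptions: a
bearer token for an app with the Machine.Offboard permission is in hand,
and device IDs are 40-character hex strings.
"""
import json
import re
import urllib.error
import urllib.request

API_BASE = "https://api.securitycenter.windows.com"  # host used in the thread
MACHINE_ID_RE = re.compile(r"^[0-9a-f]{40}$")  # assumed device ID format


def valid_machine_id(machine_id: str) -> bool:
    """Reject obviously malformed IDs before any request is sent."""
    return bool(MACHINE_ID_RE.match(machine_id.lower()))


def build_offboard_request(machine_id: str, comment: str, token: str) -> dict:
    """Build the POST the API explorer steps describe.

    The body is bare JSON: the quotation marks around the braces in the
    forum post are a rendering artifact, and sending them produces the
    InvalidRequestBody error quoted in the thread.
    """
    return {
        "method": "POST",
        "url": f"{API_BASE}/api/machines/{machine_id}/offboard",
        "headers": {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps({"Comment": comment}),
    }


def classify_response(status: int, body_text: str) -> str:
    """Map an HTTP status and body to an outcome string.

    201 means the machine action was created: the device receives the
    offboarding package the next time it checks in, so a device that never
    checks in stays in the inventory until data retention removes it.
    """
    if status == 201:
        return "queued"
    try:
        code = json.loads(body_text).get("error", {}).get("code", "")
    except (ValueError, AttributeError):
        code = ""
    if code == "ResourceNotFound":
        # Seen in the thread for stale duplicate entries: there is no device
        # to push an action to, so only retention clears them.
        return "not_found"
    if code == "InvalidRequestBody":
        return "bad_body"
    return f"error_{status}"


def send_with_urllib(req: dict) -> tuple:
    """Default sender; returns (status, body_text). Used only for real runs."""
    request = urllib.request.Request(
        req["url"], data=req["body"].encode(), headers=req["headers"], method=req["method"]
    )
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def offboard_machines(machine_ids, token, comment="Offboard machine by automation",
                      send=send_with_urllib) -> dict:
    """Offboard each ID; returns {machine_id: outcome}. 'send' is injectable."""
    outcomes = {}
    for machine_id in machine_ids:
        if not valid_machine_id(machine_id):
            outcomes[machine_id] = "invalid_id"  # never sent
            continue
        status, body = send(build_offboard_request(machine_id, comment, token))
        outcomes[machine_id] = classify_response(status, body)
    return outcomes


if __name__ == "__main__":
    import os
    import sys
    # Usage: MDE_TOKEN=... python offboard.py < machine_ids.txt (one ID per line)
    ids = [line.strip() for line in sys.stdin if line.strip()]
    for mid, outcome in offboard_machines(ids, os.environ["MDE_TOKEN"]).items():
        print(mid, outcome)
```

Entries that come back `not_found` are the ones the API cannot help with; for those, the retention period (or, as reported later in this thread, a rebuild under the same name) is what clears the inventory.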

@KateAWin 

In the MDATP portal I have 140 inactive machines which are actually one PC with the name conf-04; they have different Device IDs. These 140 machines were created from 01.01.2021 17:34 to 10.01.2021 2:53.
I tried to use offboard via the API but get this error:

{
    "error": {
        "code": "ResourceNotFound",
        "message": "Machine {machine id} was not found.",
        "target": "9ccde3bd-f5ca-4fa4-b21e-f45ab59fd6ff"
    }
}

Data Retention is now 30 days but these inactive machines are still in the list.

How to remove these machines? And how did this computer create so many copies with different device IDs?

Thanks!

Just reinstalled the OS on this machine, gave it the same name, and all 140 inactive machines disappeared. Only one active machine now. So the problem is solved.