SOLVED

Remove devices from MDATP portal

%3CLINGO-SUB%20id%3D%22lingo-sub-1407884%22%20slang%3D%22en-US%22%3ERemove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1407884%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20a%20couple%20of%20devices%20that%20are%20showing%20in%20MDATP%20which%20we%20would%20like%20to%20get%20rid%20of%2C%20however%20we%20are%20not%20in%20a%20position%20to%20run%20any%20scripts...%3C%2FP%3E%3CP%3EOne%20was%20registered%20in%20InTune%20by%20mistake%20and%20has%20been%20unregistered%2C%20and%20we%20cannot%20contact%20the%20owner%20anymore%20-%20and%20its%20still%20checking%20in.%3C%2FP%3E%3CP%3EOne%20device%20failed%20and%20was%20rebuilt%20with%20the%20same%20name%20but%20is%20now%20showing%20twice.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20we%20remove%20these%3F%3C%2FP%3E%3CP%3ENeil%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1407983%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1407983%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F346060%22%20target%3D%22_blank%22%3E%40neilcarden%3C%2FA%3E%26nbsp%3BThe%20only%20option%20is%20to%20get%20the%20offboarding%20script%20and%20run%20that%20on%20the%20computer%20you%20want%20to%20offboard.%20I%20had%20this%20situation%20when%20I%20was%20evaluating%20MDATP%2C%20which%20was%20on%20a%20different%20portal%20and%20lost%20access%20to%20the%20portal.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegarding%20existing%20device%2C%20if%20you%20haven't%20off%20boarded%20it%20using%20the%20script%2C%20you%20will%20see%20two%20machines%20but%20after%20some%20time%20the%20old%20machine%20will%20be%20shown%20as%20inactive%20and%20then%20as%20per%20the%20retention%20period%20you%20set%20on%20the%20portal%2C%20the%20device%20will%20be%20removed.%20What%20I%20usually%20do%20in%20this%20case%20is%20tag%20the%20old%20computer%20and%20this%20way%20I%20can%20easily%20identify%20the%20old%20machine%20name.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1408065%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1408065%22%20slang%3D%22en-US%22%3E%3CP%3EAh%20yes%20OK%2C%20makes%20sense%2C%20the%20old%20device%20is%20showing%20as%20inactive.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20apart%20from%20running%20the%20offboarding%20script%20on%20the%20other%20device%20that%20is%20now%20unregistered%2C%20that%20will%20never%20drop%20off%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENeil%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1408089%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1408089%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F346060%22%20target%3D%22_blank%22%3E%40neilcarden%3C%2FA%3E%26nbsp%3BIf%20the%20machine%20is%20not%20communicating%20the%20MDATP%20portal%2C%20after%20few%20days%20it%20will%20be%20set%20as%20inactive%20and%20based%20on%20the%20retention%20you%20set%2C%20will%20then%20be%20removed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20just%20created%20a%20video%20where%20I%20explained%20this%20and%20the%20retention%20period%2C%20you%20can%20check%20there%20as%20well%2C%20but%20it%20talks%20more%20about%20the%20new%20endpoint%20manager%20portal.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DaHhjQKtbS98%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DaHhjQKtbS98%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1413908%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1413908%22%20slang%3D%22en-US%22%3EThe%20ability%20to%20manually%20remove%20machines%20would%20be%20a%20welcomed%20feature.%20I%E2%80%99m%20in%20the%20process%20of%20rolling%20WDATP%20out%20via%20Azure%20Security%20Center%20and%20have%20multiple%20duplicate%20machine%20entries%20as%20a%20result%20of%20some%20reconfiguration%20work%20that%20we%E2%80%99re%20doing%20on%20the%20servers.%3CBR%20%2F%3E%3CBR%20%2F%3EWould%20be%20handy%20to%20be%20able%20to%20manually%20delete%20the%20orphaned%20entries.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1415925%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1415925%22%20slang%3D%22en-US%22%3EYou%20could%20offboard%20the%20device%20through%20the%20API%2C%20this%20is%20one%20way%20of%20removing%20it%20without%20running%20the%20script%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Foffboard-machine-api%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Foffboard-machine-api%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1418750%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1418750%22%20slang%3D%22en-US%22%3E%3CP%3EHello%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20ran%20into%20this%20issue%20previously%20and%20found%20a%20great%20fix%20that%20doesn't%20involve%20contacting%20the%20users%20or%20even%20having%20physical%20access%20to%20their%20machine.%20Please%20follow%20these%20steps%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3E%3CSPAN%3ECopy%20the%20machine%20you%20want%20to%20offboard%20in%20the%20machine%20list%20and%20obtain%20the%20machine%20ID%20from%20the%20URL%20(%E2%80%A6%2Fmachines%2F%3CMACHINE%20id%3D%22%22%3E)%3C%2FMACHINE%3E%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3E%3CSPAN%3ENavigate%20to%20API%20explorer%20(Left%20pane%20in%20ATP%20%26gt%3B%20Partners%20%26amp%3B%20APIs%20%26gt%3B%20API%20explorer)%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3E%3CSPAN%3EChange%20first%20drop-down%20to%20%22POST%22%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3E%3CSPAN%3EPaste%20this%20URL%20(%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fapi.securitycenter.windows.com%2Fapi%2Fmachines%2F%257bmachine-id%257d%2Foffboard%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%3Ehttps%3A%2F%2Fapi.securitycenter.windows.com%2Fapi%2Fmachines%2F%7Bmachine-id%7D%2Foffboard%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%3E)%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3E%3CSPAN%3EEnter%20machine%20ID%20in%20the%20URL%20(keep%20the%20entire%20URL%2C%20just%20replace%20%3CMACHINEID%3E)%3C%2FMACHINEID%3E%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3E%3CSPAN%3ERun%20query%20(This%20will%20force%20machine%20to%20run%20the%20offboarding%20script%20next%20time%20the%20machine%20checks%20in.)%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3E%3CSPAN%3EInclude%20this%20comment%20(remove%20the%20first%20and%20last%20quotations)%3A%3C%2FSPAN%3E%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%22%7B%3C%2FP%3E%3CP%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%22Comment%22%3A%20%22Offboard%20machine%20by%20automation%22%3C%2FP%3E%3CP%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%7D%22%3C%2FP%3E%3CP%3E%3CSPAN%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B8.%20Repeat%201-6%20for%20each%20machine%20you'd%20like%20to%20remove%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHope%20that%20helps!%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EKate%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1418837%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1418837%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F680251%22%20target%3D%22_blank%22%3E%40KateAWin%3C%2FA%3E%26nbsp%3BThanks%20for%20your%20response...%20I%20have%20tried%20this%20on%20two%20machines...%20and%20get%20the%20following%20error%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3E%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22error%22%3C%2FSPAN%3E%3CSPAN%3E%3CSPAN%3E%3A%20%7B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22code%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22InvalidRequestBody%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22message%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22Request%20body%20is%20incorrect%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22target%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22a66d6701-05de-45ea-xxxx-439235eec2cf%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EGoogle%20search%20doesn't%20return%20much%20in%20way%20of%20help%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1420578%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1420578%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F346060%22%20target%3D%22_blank%22%3E%40neilcarden%3C%2FA%3E%26nbsp%3BIn%20order%20to%20post%20the%20HTML%20on%20this%20web%20page%2C%20I%20had%20to%20include%20quotation%20marks%20before%20and%20after%20the%20brackets%3A%20%22%7B%7D%22%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERemove%20only%20those%20two%20quotation%20marks%2C%20but%20keep%20the%20rest%20of%20the%20code.%20Also%2C%20you%20can%20give%20it%20a%20try%20without%20entering%20anything%20in%20the%20body.%20I%20would%20assuming%20the%20comment%20is%20optional%2C%20though%20I've%20never%20tried%20it%20myself.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%2C%3C%2FP%3E%3CP%3EKate%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1426887%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1426887%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F680251%22%20target%3D%22_blank%22%3E%40KateAWin%3C%2FA%3E%26nbsp%3BThanks%20again%20for%20responding%20however%20I%20am%20a%20bit%20confused.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20am%20running%20this%20query%20(not%20real%20machine%20id)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fapi.securitycenter.windows.com%2Fapi%2Fmachines%2Faaf8969262fd9031978bf7955b102547d22ff302%2Foffboard%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fapi.securitycenter.windows.com%2Fapi%2Fmachines%2Faaf12345677955b102547d22ff302%2Foffboard%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20I%20need%20%7B%20%7D%20either%20side%20of%20the%20machine%20ID%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20where%20do%20I%20type%20the%20comments%20bit%3F%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20attached%20a%20pic.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22api.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F195372i7E7B64A114E8EED1%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22api.PNG%22%20alt%3D%22api.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1427841%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1427841%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F346060%22%20target%3D%22_blank%22%3E%40neilcarden%3C%2FA%3E%26nbsp%3BSorry%20for%20the%20confusion%2C%20it's%20poorly%20labeled%20in%20ATP.%20Here%20is%20a%20screenshot%20of%20what%20it%20should%20look%20like%20before%20you%20run%20the%20query%20(it%20looks%20like%20you're%20entering%20the%20comment%20in%20the%20bottom%20%22Response%20body%22%20when%20it%20should%20be%20the%20top%20unlabeled%20input%20box)%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22KateAWin_0-1590786877713.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F195469i111111F25A97F4CE%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22KateAWin_0-1590786877713.png%22%20alt%3D%22KateAWin_0-1590786877713.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%2C%3CBR%20%2F%3EKate%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1429675%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1429675%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F680251%22%20target%3D%22_blank%22%3E%40KateAWin%3C%2FA%3E%26nbsp%3BThank%20you%20that%20worked%20a%20charm...%20well%20the%20command%20did%2C%20just%20need%20to%20see%20if%20it%20actually%20offboards%20it%20now!%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3ENeil%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1522463%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1522463%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F346060%22%20target%3D%22_blank%22%3E%40neilcarden%3C%2FA%3E%26nbsp%3BAnything%20changed%20on%20this%20front%3F%26nbsp%3B%20Seems%20a%20massive%20oversite%20to%20not%20have%20a%20delete%20%2F%20purge%20entries%20option%20from%20the%20Portal%20itself.%26nbsp%3B%20It's%20pretty%20obvious%20there%20are%20going%20to%20be%20scenarios%20where%20you%20can't%20gracefully%20%22offboard%22%20a%20device.%26nbsp%3B%20Duplicates%2C%20Stolen%2C%20Damaged%2C%20Lost%2C%20wiped%20and%20reloaded%20etc..%20etc...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKate's%20method%20sounds%20like%20a%20server%20side%20offboard%20push%20which%20is%20obviously%20not%20much%20use%20for%20any%20of%20the%20above%20scenarios.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhere%20is%20the%20Data%20Retention%20period%20settings%3F%26nbsp%3B%20There's%20one%20generic%20one%20that's%20set%20to%20180%20days%20for%20all%20data%20is%20that%20it%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1532855%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1532855%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F346060%22%20target%3D%22_blank%22%3E%40neilcarden%3C%2FA%3E%2C%20Is%20there%20any%20time%20period%20after%20device%20is%20retired%20or%20wiped%20that%20actually%20automatically%20is%20deleted%20from%20Defender%20ATP%20or%20it%20has%20to%20be%20done%20manually%3F%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EDavor%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1533156%22%20slang%3D%22en-US%22%3ERe%3A%20Remove%20devices%20from%20MDATP%20portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1533156%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F311086%22%20target%3D%22_blank%22%3E%40Davor_Dmitric%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F728768%22%20target%3D%22_blank%22%3E%40MattoNZ%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20the%20retention%20period%20is%20set%20in%20the%20Settings%26gt%3BGeneral%26gt%3BData%20Retention%26gt%3B%20Data%20Retention%20section.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20this%20set%20to%20180%20days%2C%20however%20on%20my%20device%20inventory%20view%20I%20have%20this%20set%20to%2030%20days.%20So%20I%20don't%20see%20those%20devices%20that%20are%20no%20longer%20in%20use%20after%2030%20days.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20agree%20it%20would%20be%20nice%20to%20actually%20remove%20those%20devices%20especially%20as%20most%20of%20mine%20are%20ones%20that%20have%20been%20renamed%20to%20the%20correct%20naming%20convention.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Contributor

We have a couple of devices that are showing in MDATP which we would like to get rid of, however we are not in a position to run any scripts...

One was registered in InTune by mistake and has been unregistered, and we cannot contact the owner anymore - and its still checking in.

One device failed and was rebuilt with the same name but is now showing twice.

 

Can we remove these?

Neil

14 Replies
Highlighted

@neilcarden The only option is to get the offboarding script and run that on the computer you want to offboard. I had this situation when I was evaluating MDATP, which was on a different portal and lost access to the portal.

 

Regarding existing device, if you haven't off boarded it using the script, you will see two machines but after some time the old machine will be shown as inactive and then as per the retention period you set on the portal, the device will be removed. What I usually do in this case is tag the old computer and this way I can easily identify the old machine name.

Highlighted

Ah yes OK, makes sense, the old device is showing as inactive. 

 

So apart from running the offboarding script on the other device that is now unregistered, that will never drop off?

 

Neil

Highlighted

@neilcarden If the machine is not communicating the MDATP portal, after few days it will be set as inactive and based on the retention you set, will then be removed.

 

I just created a video where I explained this and the retention period, you can check there as well, but it talks more about the new endpoint manager portal. https://www.youtube.com/watch?v=aHhjQKtbS98

 

Highlighted
The ability to manually remove machines would be a welcomed feature. I’m in the process of rolling WDATP out via Azure Security Center and have multiple duplicate machine entries as a result of some reconfiguration work that we’re doing on the servers.

Would be handy to be able to manually delete the orphaned entries.
Highlighted
You could offboard the device through the API, this is one way of removing it without running the script
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/offboard-...

Hello

 

I have ran into this issue previously and found a great fix that doesn't involve contacting the users or even having physical access to their machine. Please follow these steps:

 

  1. Copy the machine you want to offboard in the machine list and obtain the machine ID from the URL (…/machines/<machine ID>)
  2. Navigate to API explorer (Left pane in ATP > Partners & APIs > API explorer)
  3. Change first drop-down to "POST"
  4. Paste this URL (https://api.securitycenter.windows.com/api/machines/{machine-id}/offboard)
  5. Enter machine ID in the URL (keep the entire URL, just replace <MachineID>)
  6. Run query (This will force machine to run the offboarding script next time the machine checks in.)
  7. Include this comment (remove the first and last quotations):

               "{

               "Comment": "Offboard machine by automation"

               }"

     8. Repeat 1-6 for each machine you'd like to remove

 

Hope that helps!

Thanks, 

Kate

Highlighted

@KateAWin Thanks for your response... I have tried this on two machines... and get the following error

 

{
    "error": {
        "code": "InvalidRequestBody",
        "message": "Request body is incorrect",
        "target": "a66d6701-05de-45ea-xxxx-439235eec2cf"
    }
}
 
Google search doesn't return much in way of help
Highlighted

@neilcarden In order to post the HTML on this web page, I had to include quotation marks before and after the brackets: "{}" 

 

Remove only those two quotation marks, but keep the rest of the code. Also, you can give it a try without entering anything in the body. I would assuming the comment is optional, though I've never tried it myself.

 

Thank you,

Kate

Highlighted

@KateAWin Thanks again for responding however I am a bit confused.

 

So I am running this query (not real machine id)

 

https://api.securitycenter.windows.com/api/machines/aaf12345677955b102547d22ff302/offboard

 

Do I need { } either side of the machine ID?

 

And where do I type the comments bit??

 

I have attached a pic.

 

api.PNG

Highlighted
Solution

@neilcarden Sorry for the confusion, it's poorly labeled in ATP. Here is a screenshot of what it should look like before you run the query (it looks like you're entering the comment in the bottom "Response body" when it should be the top unlabeled input box):

 

KateAWin_0-1590786877713.png

 

Thank you,
Kate

 

 

Highlighted

@KateAWin Thank you that worked a charm... well the command did, just need to see if it actually offboards it now! :)

 

Thanks

Neil

Highlighted

@neilcarden Anything changed on this front?  Seems a massive oversite to not have a delete / purge entries option from the Portal itself.  It's pretty obvious there are going to be scenarios where you can't gracefully "offboard" a device.  Duplicates, Stolen, Damaged, Lost, wiped and reloaded etc.. etc...

 

Kate's method sounds like a server side offboard push which is obviously not much use for any of the above scenarios.

 

Where is the Data Retention period settings?  There's one generic one that's set to 180 days for all data is that it?

Highlighted

@neilcarden, Is there any time period after device is retired or wiped that actually automatically is deleted from Defender ATP or it has to be done manually?

Regards,

Davor

Highlighted

@Davor_Dmitric @MattoNZ 

 

Hi the retention period is set in the Settings>General>Data Retention> Data Retention section.

 

I have this set to 180 days, however on my device inventory view I have this set to 30 days. So I don't see those devices that are no longer in use after 30 days.

 

I agree it would be nice to actually remove those devices especially as most of mine are ones that have been renamed to the correct naming convention.