Jul 24 2023 03:53 AM
Hello, I would like to know if there is a way to exclude Defender for Endpoint protection from a PC for a couple of hours.
Kind regards
Jul 24 2023 04:05 AM
@pozlu0 hi, yes, you can exclude as much as you want: from the devices blade choose the device, click on it, and click on exclude. Once you're done you can activate it again.
Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.
Jul 24 2023 04:56 AM
Jul 24 2023 04:58 AM
Solution
Jul 24 2023 05:38 AM
Jul 24 2023 05:46 AM
Jul 24 2023 05:46 AM - edited Jul 24 2023 05:49 AM
@pozlu0 you could create a new Alert Tuning Rule to auto-resolve/hide alerts for this device. The condition would look like in the screenshot. After you are done you only need to remove this rule. For sure this only helps in case you want to exclude from MDE Alerting. Otherwise @jbmartin6 described the approaches you could take.
Jul 24 2023 06:13 AM
@pozlu0 if you want to offboard your machine completely from MDE and you don't have access to this machine, you can offboard it using the API Explorer blade from MDE.
Enter the following URL in the API Explorer:
https://api-eu.securitycenter.windows.com/api/machines/{Device id}/offboard
In the dropdown menu, change GET to POST.
Add the following code to the API Explorer:
{ "Comment": "Offboard device by Security Admin via EndpointCave KB item" }
Click on Run Query.
The API will return a Status 200 response. This means that the POST action has been successfully performed, and the next time the device becomes available/online, Defender for Endpoint will offboard the device automatically without notification or approval.
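The API Explorer steps from the post above, as an added example that is not part of the original thread: a Python sketch that builds the same POST request, validates the device ID before it is placed in the URL, and defaults to a dry run so the request can be reviewed before it is sent. The bearer token handling, the 40-hex-character device ID check and the function names are assumptions.

```python
import json
import re
import urllib.request

# Regional base URL taken from the post; other tenants may use another region.
API_BASE = "https://api-eu.securitycenter.windows.com/api"
# Assumption: MDE device IDs are 40 hexadecimal characters.
DEVICE_ID_RE = re.compile(r"[0-9a-fA-F]{40}")


def build_offboard_request(device_id, comment, token):
    """Return the POST request from the API Explorer steps, unsent."""
    if not DEVICE_ID_RE.fullmatch(device_id):
        raise ValueError("device id must be 40 hex characters")
    # The post sends a Comment; require one here so the action is attributable.
    if not comment.strip():
        raise ValueError("a non-empty Comment is required")
    return urllib.request.Request(
        url=f"{API_BASE}/machines/{device_id}/offboard",
        data=json.dumps({"Comment": comment}).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",  # token acquisition not shown
            "Content-Type": "application/json",
        },
    )


def offboard(device_id, comment, token, dry_run=True):
    """Send the request unless dry_run; return (status, parsed body)."""
    req = build_offboard_request(device_id, comment, token)
    if dry_run:
        # Nothing leaves the machine: return what would be sent for review.
        return None, {"url": req.full_url, "body": json.loads(req.data)}
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, so stay in dry run.
    sample_id = "0123456789abcdef0123456789abcdef01234567"
    print(offboard(sample_id, "Offboard device by Security Admin", "<TOKEN>"))
```
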
Jul 26 2023 01:53 AM