pozlu0
Copper Contributor
Jul 24, 2023
Exclude a Computer for some hours from Defender for Endpoint
Hello, I would like to know if there is a way to exclude Defender for Endpoint protection from a PC for a couple of hours.
Kind regards
- pozlu0, Copper Contributor
Thank you jbmartin6 and eliekarkafy.
I will try to set the device to troubleshooting mode.
Thanks again for your valuable help

pozlu0, if you want to offboard your machine completely from MDE and you don't have access to this machine, you can offboard it using the API explorer blade from MDE.
Enter the following URL in the API Explorer:
https://api-eu.securitycenter.windows.com/api/machines/{Device id}/offboard
Change GET to POST in the dropdown menu.
Add the following code to the API Explorer:
{ "Comment": "Offboard device by Security Admin via EndpointCave KB item" }
Click on Run Query.
The API will return a Status 200 response; this means that the POST action has been successfully performed, and the next time the device becomes available/online, Defender for Endpoint will offboard the device automatically without notification or approval.
- dnsrk, Brass Contributor
pozlu0, you could create a new Alert Tuning Rule to auto-resolve/hide alerts for this device. The condition would look like the one in the screenshot. After you are done, you only need to remove this rule. For sure, this only helps in case you want to exclude from MDE Alerting. Otherwise, jbmartin6 described the approaches you could take.
- jbmartin6, Iron Contributor
You can set the device to troubleshooting mode; this doesn't turn off any protections, but it will allow a local admin to turn them off. Or you could offboard the device using the API and then onboard it again when you are finished.

pozlu0 hi, yes, you can exclude as much as you want. From the devices blade, choose the device, click on it, and click on exclude. Once you're done, you can activate it again.
Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.
- jbmartin6, Iron Contributor
This is not what 'Exclude' does in MDE. The function mainly centers around vulnerability management. See here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exclude-devices
- I know this, but the only excluding in MDE is that option that covers the vulnerability management and reports, because offboarding a device from MDE is not an excluding 🙂 it is removing the device completely from MDE and that's not his case.