SOLVED

Exlude a Computer for some hour from defender from endpoint

Copper Contributor

Hello I would like to know if there is a way to exclude defender for endpoint protection  from a  pc from a couple of hours.

Kind regards

8 Replies

@pozlu0 hi yes you can exclude as much as you want, from the devices blade choose the device , click on it , and click on exclude, once you're done you can activate it again 

 

Capture.PNG

 

Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

This is not what 'Exclude' does in MDE. The function mainly centers around vulnerability management. See here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exclude-devices
best response confirmed by pozlu0 (Copper Contributor)
Solution
You can set the device to troubleshooting mode, this doesn't turn off any protections but it will allow local admin to turn them off. Or, you could offboard the device using the API and then onboard it again when you are finished.
I know this but the only excluding in MDE is that option that cover the vulnerability management and reports, because offboarding a device from MDE is not an excluding :) it is removing the device completely from MDE and that's not his case.
Yes, the poster did not specify exactly what they meant by 'exclude'. But, questions about exclusions always involve excluding from security protections, not excluding from vulnerability management reports. At best you should have clarified this limitation instead of potentially wasting the poster's time and the time of anyone else who winds up here looking to answer the same question.

@pozlu0  you could create a new Alert Tuning Rule to auto-resolve/ hide alerts for this device. The condition would look like in the screenshot. After you are done you only need to remove this rule. For sure this only helps in case you want to exclude from MDE Alerting. Otherwise @jbmartin6 described the approaches you could take.

Screenshot 2023-07-24 130444.png

@pozlu0 if you want to offboard your machine completely from MDE and you don't have access to this machine, you can offboard it is using the API explorer blade from MDE.

 

Partners-and-APIs.png

Enter the following URL in the API Explorer

https://api-eu.securitycenter.windows.com/api/machines/{Device id}/offboard

Change in the dropdown menu GET to POST.

Add the following code to the API Explorer

{
  "Comment": "Offboard device by Security Admin via EndpointCave KB item"
}

 

API-1030x286.png

 

Click on Run Query

 

Post-API-call-1030x320.png

 

The API will returns with a Status 200 response, this means that the POST action have been successfully performed and the next time when the device become available/online, Defender for Endpoint will offboard the device automatically without notification or approval

Thank you jbmartin6 and eliekarkafy.
I will try to set the device to troubleshooting mode.

Thanks again for your valuable help
1 best response

Accepted Solutions
best response confirmed by pozlu0 (Copper Contributor)
Solution
You can set the device to troubleshooting mode, this doesn't turn off any protections but it will allow local admin to turn them off. Or, you could offboard the device using the API and then onboard it again when you are finished.

View solution in original post