Offboard a device

%3CLINGO-SUB%20id%3D%22lingo-sub-2245110%22%20slang%3D%22en-US%22%3EOffboard%20a%20device%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2245110%22%20slang%3D%22en-US%22%3E%3CP%3EHi!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20to%20somehow%20obtain%20from%20the%20endpoint%20itself%20the%20information%20to%20which%20MDE%20tenant%20it%20was%20onboarded%20to%3F%20And%20additionally%2C%20if%20the%20MDE%20tenant%20no%20longer%20exists%20or%20the%20device%20was%20part%20of%20the%20PoC%20and%20remained%20onboarded%20to%20the%20test%2Fdemo%20MDE%20tenant%2C%20can%20it%20be%20off-boarded%20or%20at%20least%20re-onboarded%20to%20a%20different%20tenant%20without%20first%20offboarding%20it%20using%20the%20official%20offboard%20script%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20regards%2C%3C%2FP%3E%3CP%3EJan%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2246419%22%20slang%3D%22en-US%22%3ERe%3A%20Offboard%20a%20device%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2246419%22%20slang%3D%22en-US%22%3EContact%20the%20Microsoft%20Support.%20They%20will%20get%20some%20logs%20from%20you%20and%20will%20provide%20you%20an%20offboarding%20script.%3CBR%20%2F%3EI%20had%20a%20customer%20with%20the%20same%20issue%2C%20because%20he%20tested%20Defender%20ATP%20with%20a%20demotenant%20and%20the%20devices%20could%20not%20be%20offboarded%20and%20the%20demotenant%20was%20already%20deleted.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2268968%22%20slang%3D%22en-US%22%3ERe%3A%20Offboard%20a%20device%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2268968%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F717318%22%20target%3D%22_blank%22%3E%40jcescut%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3ETo%20answer%20your%20first%20question%2C%20you%20would%20need%20to%20query%20the%20following%20registry%20key%20using%20a%20tool%20such%20as%20SCCM's%20CMPivot%20to%20query%20the%20registry%20string%20value%20%22OnboardedInfo%22%20(image%20below).%20This%20will%20show%20the%20OrgID.%26nbsp%3B%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EFor%20offboarding%2C%20as%20noted%20above%20--%20If%20you%20don%E2%80%99t%20have%20an%20offboarding%20package%20then%20you%20will%20need%20to%20open%20a%20Microsoft%20CSS%20Security%20-MDE%20support%20case%20to%20get%20it.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi!

 

Is it possible to somehow obtain from the endpoint itself the information to which MDE tenant it was onboarded to? And additionally, if the MDE tenant no longer exists or the device was part of the PoC and remained onboarded to the test/demo MDE tenant, can it be off-boarded or at least re-onboarded to a different tenant without first offboarding it using the official offboard script?

 

Kind regards,

Jan

 

 

 

2 Replies
Contact the Microsoft Support. They will get some logs from you and will provide you an offboarding script.
I had a customer with the same issue, because he tested Defender ATP with a demotenant and the devices could not be offboarded and the demotenant was already deleted.

@jcescut 

To answer your first question, you would need to query the following registry key using a tool such as SCCM's CMPivot to query the registry string value "OnboardedInfo" (image below). This will show the OrgID. For offboarding, as noted above -- If you don’t have an offboarding package then you will need to open a Microsoft CSS Security -MDE support case to get it.