Microsoft Tech Community
SOLVED

POC for offboarding Defender for endpoint

Copper Contributor

Hello All,

We have devices managed by Intune but had a 3rd-party antivirus solution. Now we are migrating to Defender for Endpoint as the primary antivirus solution.

Deployment/onboarding:

We have used onboarding for Defender through Intune; a configuration policy is created and assigned to an onboarding security group.

So ideally, what would be the case for offboarding?

Solution 1:

1. Remove the device from the onboarding security group.
2. Assign the offboarding package for Windows 10 & 11 by creating a custom configuration policy in Intune.

Ideally the device should be offboarded and no services relating to Defender should be running.

Solution 2:

1. Remove the device from the onboarding security group.
2. Run the local script on the machine to be offboarded through cmd, even though Intune was used to onboard Defender for Endpoint.

Queries:

1. Will there be any conflicts if we choose Intune for onboarding and the local script for offboarding?

(The reason being that the package expires after 1 month, so the offboarding configuration file needs to be updated upon each expiration; in this case the local script could be helpful to use only on a need basis.)

2. Should the onboarding and offboarding methods be the same only, and can they not be different?

Please help, as limited information is available related to this scenario.

1 Reply
best response confirmed by SamP_1993 (Copper Contributor)
Solution

I have talked to MDE support about this, and the answer will be that onboarding and offboarding need to (or should) be done by the same method.
So, if the device has been onboarded with Intune, it should be offboarded with Intune.

Offboarding with the local script might work (I think it has worked for us in a couple of client deployments), but success will not be guaranteed by support, and they will tell you to use the same method you used to onboard.

As for the offboarding package expiring bit though, if you have integrated Intune and MDE, my understanding is that Intune should be fetching the blob info through the integration, so you will not have to keep the offboarding package updated manually.

(At least this is what I got from reading the documentation.)

https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure

Quote:
"The preceding screen capture shows your configuration options after you've configured a connection between Intune and Microsoft Defender for Endpoint. When connected, the details for the onboarding and offboarding blobs are automatically generated and transferred to Intune."

1 best response
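Whichever offboarding method is used, the end state on the device can be verified the same way. The following PowerShell is an added example, not code from the original post or from Microsoft: it reads the Sense client's recorded onboarding state (the documented `OnboardingState` value, 1 = onboarded, 0 = offboarded), the state of the Sense service, and whether an onboarding blob is still present under the policy key. The `OnboardedInfo` value name is my assumption about where the onboarding package writes the blob; the rest is as documented for the MDE client. It assumes Windows 10/11 with the MDE client installed and an elevated session.

```powershell
# Added example (not from the original post): report the Defender for Endpoint
# onboarding state of the local Windows device so an admin can confirm that an
# offboarding action (Intune policy or local script) actually took effect.
# Assumes Windows 10/11 with the MDE Sense client installed; run elevated.

function Get-MdeOnboardingStatus {
    [CmdletBinding()]
    param()

    # Registry location where the Sense client records its onboarding state:
    # OnboardingState = 1 means onboarded, 0 means offboarded,
    # value absent if the device was never onboarded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = $null
    if (Test-Path $statusKey) {
        $state = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' `
                  -ErrorAction SilentlyContinue).OnboardingState
    }

    # The Sense service is the MDE EDR sensor; after offboarding it is expected to be stopped.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # Policy key written by the onboarding/offboarding package (Intune or local script).
    # Assumption: the onboarding blob is stored in the 'OnboardedInfo' value.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $hasOnboardingBlob = (Test-Path $policyKey) -and
        ($null -ne (Get-ItemProperty -Path $policyKey -Name 'OnboardedInfo' `
                    -ErrorAction SilentlyContinue))

    # Map the raw state to a human-readable assessment; $null means never onboarded.
    $assessment = if ($state -eq 1) { 'Onboarded' }
                  elseif ($state -eq 0) { 'Offboarded' }
                  else { 'Never onboarded / unknown' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OnboardingState = $state
        SenseStatus     = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        SenseStartType  = if ($sense) { $sense.StartType.ToString() } else { 'n/a' }
        OnboardingBlob  = $hasOnboardingBlob
        Assessment      = $assessment
    }
}

Get-MdeOnboardingStatus | Format-List
```

An offboarded device should report `OnboardingState` 0 and a stopped Sense service. If the state still reads 1 some time after the Intune offboarding policy applied (or after the local script ran), that is the signal to check policy assignment and package expiry before assuming the device is clean. On an Intune-managed estate the same function can be run as a detection script so the result is collected centrally rather than per machine.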
