Forum Discussion
Remove devices from MDATP portal
We have a couple of devices that are showing in MDATP which we would like to get rid of, however we are not in a position to run any scripts...
One was registered in InTune by mistake and has been unregistered, and we cannot contact the owner anymore - and it's still checking in.
One device failed and was rebuilt with the same name but is now showing twice.
Can we remove these?
Neil
neilcarden Sorry for the confusion, it's poorly labeled in ATP. Here is a screenshot of what it should look like before you run the query (it looks like you're entering the comment in the bottom "Response body" when it should be the top unlabeled input box):
Thank you,
Kate
- KateAWin (Brass Contributor)
Hello
I have run into this issue previously and found a great fix that doesn't involve contacting the users or even having physical access to their machine. Please follow these steps:
1. Copy the machine you want to offboard in the machine list and obtain the machine ID from the URL (…/machines/<machine ID>)
2. Navigate to API explorer (Left pane in ATP > Partners & APIs > API explorer)
3. Change first drop-down to "POST"
4. Paste this URL (https://api.securitycenter.windows.com/api/machines/{machine-id}/offboard)
5. Enter machine ID in the URL (keep the entire URL, just replace <MachineID>)
6. Run query (This will force machine to run the offboarding script next time the machine checks in.)
7. Include this comment (remove the first and last quotations):
"{
"Comment": "Offboard machine by automation"
}"
8. Repeat 1-6 for each machine you'd like to remove
Hope that helps!
Thanks,
Kate
- neilcarden (Brass Contributor)
KateAWin Thanks for your response... I have tried this on two machines... and get the following error
{"error": {"code": "InvalidRequestBody","message": "Request body is incorrect","target": "a66d6701-05de-45ea-xxxx-439235eec2cf"}}
Google search doesn't return much in way of help
- KateAWin (Brass Contributor)
neilcarden In order to post the HTML on this web page, I had to include quotation marks before and after the brackets: "{}"
Remove only those two quotation marks, but keep the rest of the code. Also, you can give it a try without entering anything in the body. I would assume the comment is optional, though I've never tried it myself.
Thank you,
Kate
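An added example, not code from the thread: a small Python helper that performs steps 1, 4, 5 and 7 of Kate's procedure programmatically (extract the machine ID from the portal URL, build the POST to the offboard endpoint quoted above, and check the body) and shows why the pasted snippet with its outer quotation marks triggers the InvalidRequestBody error. The portal URL, machine ID and token are constructed placeholders; the bearer token is assumed to come from an app registration that already holds the offboard permission.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Endpoint quoted in the thread; {machine_id} is filled in from the portal URL.
OFFBOARD_URL = "https://api.securitycenter.windows.com/api/machines/{machine_id}/offboard"


def machine_id_from_url(portal_url: str) -> str:
    """Step 1: take the segment after /machines/ in a portal URL
    (.../machines/<machine ID>, possibly followed by more path or a query)."""
    parts = [p for p in urlparse(portal_url).path.split("/") if p]
    if "machines" not in parts or parts.index("machines") + 1 >= len(parts):
        raise ValueError("no /machines/<id> segment in URL")
    return parts[parts.index("machines") + 1]


def parse_body(body_text: str) -> dict:
    """Validate the request body the way the API expects it: a JSON object.
    Pasting the snippet with the outer quotation marks leaves text that does
    not parse as a JSON object, which is what 'InvalidRequestBody' reports."""
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from exc
    if not isinstance(body, dict):
        raise ValueError(f"body must be a JSON object, got {type(body).__name__}")
    return body


def body_is_valid(body_text: str) -> bool:
    """True when parse_body accepts the text, False otherwise."""
    try:
        parse_body(body_text)
        return True
    except ValueError:
        return False


def build_offboard_request(machine_id: str, comment: str) -> tuple:
    """Steps 4, 5 and 7: return (url, json_body_bytes) for the POST."""
    url = OFFBOARD_URL.format(machine_id=machine_id)
    body = json.dumps({"Comment": comment}).encode()
    parse_body(body.decode())  # self-check: we send a JSON object, not a string
    return url, body


def offboard(machine_id: str, comment: str, token: str) -> dict:
    """Send the request (network call, not exercised offline). Assumed: token is
    a bearer token with the offboard permission, obtained out of band."""
    url, body = build_offboard_request(machine_id, comment)
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```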
- argie4 (Copper Contributor)
- Thijs Lecomte (Bronze Contributor)
You are using it on an unsupported platform.
From the docs:
This API is supported on Windows 10, version 1703 and later, or Windows Server 2019 and later. This API is not supported on MacOS or Linux devices.
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api
- George Simos (Copper Contributor)
That's very good to know, however it requires that the device is online and the offboarding can kick in. If the device is not online (e.g. decommissioned), then I guess we have to wait until it gets removed after the retention period expires for it right?
- Groove200 (Brass Contributor)
Correct. It will tidy itself up when retention expires.
I initially questioned this as I like things clean, however when the reason was explained, i.e. if there is a mechanism to manually remove stuff from Defender, then there is an attack surface that can leverage that mechanism and that would be bad times. I'd rather have it this way than some bad actor removing everything 😉
- MattoNZ (Copper Contributor)
neilcarden Anything changed on this front? Seems a massive oversight to not have a delete / purge entries option from the Portal itself. It's pretty obvious there are going to be scenarios where you can't gracefully "offboard" a device. Duplicates, Stolen, Damaged, Lost, wiped and reloaded etc.. etc...
Kate's method sounds like a server side offboard push which is obviously not much use for any of the above scenarios.
Where is the Data Retention period settings? There's one generic one that's set to 180 days for all data is that it?
- Thijs Lecomte (Bronze Contributor)
You could offboard the device through the API, this is one way of removing it without running the script
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api
- ambarishrh (Iron Contributor)
neilcarden The only option is to get the offboarding script and run that on the computer you want to offboard. I had this situation when I was evaluating MDATP, which was on a different portal and lost access to the portal.
Regarding existing device, if you haven't off boarded it using the script, you will see two machines but after some time the old machine will be shown as inactive and then as per the retention period you set on the portal, the device will be removed. What I usually do in this case is tag the old computer and this way I can easily identify the old machine name.
- neilcarden (Brass Contributor)
Ah yes OK, makes sense, the old device is showing as inactive.
So apart from running the offboarding script on the other device that is now unregistered, that will never drop off?
Neil
- ambarishrh (Iron Contributor)
neilcarden If the machine is not communicating with the MDATP portal, after a few days it will be set as inactive and based on the retention you set, will then be removed.
I just created a video where I explained this and the retention period, you can check there as well, but it talks more about the new endpoint manager portal. https://www.youtube.com/watch?v=aHhjQKtbS98
- rockypabillore (Brass Contributor)
This does not scale very well when you have 50-100 devices being deprovisioned or disowned.. We do not offboard them as part of the deprovisioning.. There has to be a better way.
- Davor_Dmitric (Brass Contributor)
neilcarden, Is there any time period after device is retired or wiped that actually automatically is deleted from Defender ATP or it has to be done manually?
Regards,
Davor
- neilcarden (Brass Contributor)
Hi the retention period is set in the Settings>General>Data Retention> Data Retention section.
I have this set to 180 days, however on my device inventory view I have this set to 30 days. So I don't see those devices that are no longer in use after 30 days.
I agree it would be nice to actually remove those devices especially as most of mine are ones that have been renamed to the correct naming convention.
- aatishsharma64 (Copper Contributor)
Has it worked for anyone?
1. Copy the machine you want to offboard in the machine list and obtain the machine ID from the URL (…/machines/<machine ID>)
2. Navigate to API explorer (Left pane in ATP > Partners & APIs > API explorer)
3. Change first drop-down to "POST"
4. Paste this URL (https://api.securitycenter.windows.com/api/machines/{machine-id}/offboard)
5. Enter machine ID in the URL (keep the entire URL, just replace <MachineID>)
6. Run query (This will force machine to run the offboarding script next time the machine checks in.)
7. Include this comment (remove the first and last quotations):
"{
"Comment": "Offboard machine by automation"
}"
8. Repeat 1-6 for each machine you'd like to remove
- iamdmitriev (Copper Contributor)
Yes, it is working for "Windows 10, version 1703 and later, or Windows Server 2019 and later."
For all OSes which onboard to WD ATP via script, not via MMA.
But they disappear after next query to the devices.
- Jonhed (Steel Contributor)
Leaving the "I want to delete the actual data entries to clean up" argument aside, there is actually no need to offboard the orphaned devices. (at least if nothing has changed during the last 9 months)
When talking to the MDE support, I was told the orphaned entries will be removed regardless of the "onboard/offboard" status, after the device has been inactive long enough.
Long enough meaning the span of the data retention period.
The offboard action is only really "required" when the device itself needs to detach itself from MDE, say during troubleshooting or when you want to stop using MDE.
(This is a summary of my talk with MDE support somewhere around February or so)