SOLVED

Remove devices from MDATP portal


We have a couple of devices that are showing in MDATP which we would like to get rid of, however we are not in a position to run any scripts...

One was registered in Intune by mistake and has been unregistered, and we cannot contact the owner anymore - and it's still checking in.

One device failed and was rebuilt with the same name but is now showing twice.

 

Can we remove these?

Neil

25 Replies
This does not scale very well when you have 50-100 devices being deprovisioned or disowned. We do not offboard them as part of the deprovisioning. There has to be a better way.

Has it worked for anyone?
1. Copy the machine you want to offboard in the machine list and obtain the machine ID from the URL (…/machines/<machine ID>)
2. Navigate to API explorer (Left pane in ATP > Partners & APIs > API explorer)
3. Change first drop-down to "POST"
4. Paste this URL (https://api.securitycenter.windows.com/api/machines/{machine-id}/offboard)
5. Enter machine ID in the URL (keep the entire URL, just replace <MachineID>)
6. Run query (This will force machine to run the offboarding script next time the machine checks in.)
7. Include this comment (remove the first and last quotations):

"{

"Comment": "Offboard machine by automation"

}"

8. Repeat 1-6 for each machine you'd like to remove
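The steps above, scripted for a batch of devices, as an added example that is not part of the original thread and not Microsoft's code. The helper names, the `osPlatform` values, the 40-hex machine ID format and the caller-supplied bearer token are assumptions; the URL and comment body are the ones quoted in the steps.

```python
import json
import re
import urllib.error
import urllib.request

API_ROOT = "https://api.securitycenter.windows.com/api/machines"
# Assumption: a machine ID is the 40-hex-character value shown in the portal URL.
MACHINE_ID_RE = re.compile(r"[0-9a-f]{40}")
# Assumption: osPlatform strings for the platforms the thread lists as supported.
SUPPORTED_PLATFORMS = {"Windows10", "WindowsServer2019"}


def build_offboard_request(machine_id, token, comment="Offboard machine by automation"):
    """Build the POST from steps 3-7; reject anything that is not a machine ID."""
    if not MACHINE_ID_RE.fullmatch(machine_id):
        raise ValueError(f"not a machine ID: {machine_id!r}")
    # The body is a bare JSON object, without the outer quotation marks.
    body = json.dumps({"Comment": comment}).encode("utf-8")
    return urllib.request.Request(
        f"{API_ROOT}/{machine_id}/offboard",
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def select_candidates(approved_ids, inventory):
    """Return (to_offboard, skipped) for an approved list checked against inventory."""
    by_id = {dev["id"]: dev for dev in inventory}
    to_offboard, skipped = [], []
    for mid in approved_ids:
        dev = by_id.get(mid)
        if dev is None:
            skipped.append((mid, "not in inventory"))
        elif dev.get("osPlatform") not in SUPPORTED_PLATFORMS:
            skipped.append((mid, "platform not supported by the offboard API"))
        else:
            to_offboard.append(mid)
    return to_offboard, skipped


def offboard_batch(machine_ids, token, send=None):
    """Send one request per ID. send=None is a dry run that only lists the URLs."""
    results = {}
    for mid in machine_ids:
        req = build_offboard_request(mid, token)
        if send is None:
            results[mid] = ("dry-run", req.full_url)
            continue
        try:
            with send(req) as resp:
                results[mid] = ("accepted", resp.status)
        except urllib.error.HTTPError as err:
            # Assumed error shape: {"error": {"code": ..., "message": ...}}
            try:
                code = json.loads(err.read())["error"]["code"]
            except (ValueError, KeyError, TypeError):
                code = f"HTTP {err.code}"
            results[mid] = ("failed", code)
    return results


if __name__ == "__main__":
    # Constructed sample data: IDs and inventory records are made up.
    inventory = [{"id": "a" * 40, "osPlatform": "Windows10"},
                 {"id": "b" * 40, "osPlatform": "macOS"}]
    ids, skipped = select_candidates(["a" * 40, "b" * 40, "c" * 40], inventory)
    print(offboard_batch(ids, token="PLACEHOLDER_TOKEN"))
    print(skipped)
```

Passing `send=urllib.request.urlopen` issues the requests for real; keeping the per-ID results gives a record of which devices had EDR coverage withdrawn and which requests the API refused.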

@aatishsharma64 

Yes, it is working for "Windows 10, version 1703 and later, or Windows Server 2019 and later."

For all OSes that were onboarded to WD ATP via script, not via MMA.

But they disappear after the next query to the devices.

Leaving the "I want to delete the actual data entries to clean up" argument aside, there is actually no need to offboard the orphaned devices. (at least if nothing has changed during the last 9 months)

When talking to the MDE support, I was told the orphaned entries will be removed regardless of the "onboard/offboard" status, after the device has been inactive long enough.
Long enough meaning the span of the data retention period.

The offboard action is only really "required" when the device itself needs to detach itself from MDE, say during troubleshooting or when you want to stop using MDE.
(This is a summary of my talk with MDE support somewhere around February or so)
I partially disagree with you. It is not a good idea to wait for auto-deletion of obsolete devices, because they appear in reports, dashboards and analytics until they are removed.

I am still looking for a solution for removing Server 2012-2016 and Mac devices from the portal.

@iamdmitriev 

Devices remain in the device inventory even if they are offboarded though, do they not?

Do you mean that devices that have been offboarded will not be included in reports?