SOLVED

Remove devices from MDATP portal

We have a couple of devices that are showing in MDATP which we would like to get rid of, however we are not in a position to run any scripts...

One was registered in InTune by mistake and has been unregistered, and we cannot contact the owner anymore - and it's still checking in.

One device failed and was rebuilt with the same name but is now showing twice.

Can we remove these?

Neil

This does not scale very well when you have 50-100 devices being deprovisioned or disowned. We do not offboard them as part of the deprovisioning. There has to be a better way.

Has it worked for anyone?
1. Copy the machine you want to offboard in the machine list and obtain the machine ID from the URL (…/machines/<machine ID>)
2. Navigate to API explorer (Left pane in ATP > Partners & APIs > API explorer)
3. Change first drop-down to "POST"
4. Paste this URL (https://api.securitycenter.windows.com/api/machines/{machine-id}/offboard)
5. Enter machine ID in the URL (keep the entire URL, just replace <MachineID>)
6. Run query (This will force machine to run the offboarding script next time the machine checks in.)
7. Include this comment (remove the first and last quotations):

"{
"Comment": "Offboard machine by automation"
}"

8. Repeat 1-6 for each machine you'd like to remove
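The same offboard call, batched over a list of machine IDs so it does not have to be repeated by hand in API explorer. This is an added example, not code from this thread or from Microsoft; it uses only the Python standard library, and the `MDE_TOKEN` variable name is an assumption (an Azure AD bearer token for an app allowed to offboard machines).

```python
import json
import os
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Endpoint and comment body taken from the steps above.
API_BASE = "https://api.securitycenter.windows.com/api"
DEFAULT_COMMENT = "Offboard machine by automation"


def build_offboard_request(machine_id, comment=DEFAULT_COMMENT):
    """Return (url, body) for POST /machines/{id}/offboard with the JSON comment."""
    machine_id = machine_id.strip()
    # Reject an unreplaced placeholder such as "{machine-id}" or "<MachineID>"
    # before it reaches the API; a later reply in this thread shows that failing.
    if not machine_id or not machine_id.isalnum():
        raise ValueError(f"not a machine ID: {machine_id!r}")
    return f"{API_BASE}/machines/{machine_id}/offboard", {"Comment": comment}


def send_offboard(url, body, token):
    """Submit one request with a bearer token; returns the MachineAction JSON."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def offboard_machines(machine_ids, token, comment=DEFAULT_COMMENT, sender=send_offboard):
    """Offboard every ID; one bad ID or HTTP error does not stop the batch.
    Returns {machine_id: ("ok", action_id) or ("error", reason)}."""
    results = {}
    for mid in machine_ids:
        try:
            url, body = build_offboard_request(mid, comment)
            results[mid] = ("ok", sender(url, body, token).get("id"))
        except ValueError as exc:
            results[mid] = ("error", str(exc))
        except HTTPError as exc:
            results[mid] = ("error", f"HTTP {exc.code}")
        except URLError as exc:
            results[mid] = ("error", f"network error: {exc.reason}")
    return results


if __name__ == "__main__":
    # MDE_TOKEN (assumed name) holds the bearer token; machine IDs come one per line on stdin.
    ids = [line.strip() for line in sys.stdin if line.strip()]
    for mid, outcome in offboard_machines(ids, os.environ["MDE_TOKEN"]).items():
        print(mid, *outcome)
```

As with the manual steps, the request only queues the offboarding; the device still has to check in for it to take effect.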

@aatishsharma64 

Yes, it is working for "Windows 10, version 1703 and later, or Windows Server 2019 and later."

For all OSes that were onboarded to WD ATP via script, not via MMA.

But they disappear after next query to the devices.

Leaving the "I want to delete the actual data entries to clean up" argument aside, there is actually no need to offboard the orphaned devices. (at least if nothing has changed during the last 9 months)

When talking to the MDE support, I was told the orphaned entries will be removed regardless of the "onboard/offboard" status, after the device has been inactive long enough.
Long enough meaning the span of the data retention period.

The offboard action is only really "required" when the device itself needs to detach itself from MDE, say during troubleshooting or when you want to stop using MDE.
(This is a summary of my talk with MDE support somewhere around February or so)
I partially disagree with you. It is not a good idea to wait for auto deletion of obsolete devices, because they appear in reports, dashboards and analytics until they are removed.

I am still looking for a solution for removing Server 2012-2016 and Mac devices from the portal.

@iamdmitriev 

Devices remain in the device inventory even if they are offboarded though, do they not?

Do you mean that devices that have been offboarded will not be included in reports?

@KateAWin I am getting an error like this.

The syntax is correct: https://api.securitycenter.microsoft.com/api/machines/ba8499873cb3a3ab58b05753b938149945c58ddf/offbo... Please check the screenshot; the target value in the error keeps changing whenever I click Run query.

That's very good to know, however it requires that the device is online and the offboarding can kick in. If the device is not online (e.g. decommissioned), then I guess we have to wait until it gets removed after the retention period expires for it right?
Correct. It will tidy itself up when retention expires.

I initially questioned this as I like things clean, however when the reason was explained, i.e. if there is a mechanism to manually remove stuff from Defender, then there is an attack surface that can leverage that mechanism and that would be bad times. I'd rather have it this way than some bad actor removing everything ;)