How to remove MDE managed devices in MEM?




I had two Windows Server VMs with MDE (Microsoft Defender for Endpoint) onboarded.

For testing purposes, I turned on security settings management in MDE to let MEM deploy some security policies to them.


It worked fine.

I got corresponding device entries in AAD and MEM and was able to manage the VMs like other Intune managed devices.


After I deleted the VMs, I found that the device entries were somehow lingering.

For MDE, I knew there is a data retention time, which is 30 days in my case.

I waited for a month and the VMs did disappear from MDE.

But I can still see them in AAD and MEM until now.

I can't do anything to them in MEM, while I can temporarily delete them in AAD and see them respawn the next day.





According to the doc, there is a way to solve this problem, but I can't see how.

Use Intune to manage Microsoft Defender for Endpoint Security on devices not enrolled with Microsoft...



Does anyone know what "be removed from the scope of Configuration Management in the Security Center" means and how to perform it?


Thanks for reading this post.

2 Replies
As I worked with the service team, I found that the VMs DID NOT disappear from MDE.
It seems that the data retention setting is not working.
30 days means 180 days as I saw.
best response confirmed by Alber (Brass Contributor)
OK, my case is closed.
In short, the data retention setting is for the information INSIDE the device entry ONLY.
The empty device entry itself will remain for less than 180 days.

So how to remove MDE managed devices in MEM?
Ans: Wait 180 days, they will be deleted in MDE then also in MEM.

I cannot confirm the answer is right, but I think it is.