Determine Defender for Endpoint offboarding state of Windows machines using PowerShell
There are certain instances when a machine or machines are offboarded that the corresponding status takes an unusual amount of time to report in the Defender portal. The status that is shown in the portal is “Can be onboarded”, however this status doesn’t clarify with absolute certainty that the machine was offboarded from the platform. The status “Can be onboarded” means that either the endpoint was offboarded from the platform or, that it is a new device discovered by the “Device Discovery” service of MDE and the platform is highlighting this for you as something to address and cover the security gap that represents an endpoint without protection. Figure 1.”Can be onboarded” status of a device. In advanced hunting in the Defender portal, there’s not a direct field that reflects if a device was offboarded but if it is onboarded that is visible using a KQL query. If a device is onboarded, this is shown in the portal, under Assets --> Device Inventory --> All devices, but not if it is offboarded. Figure 2. Onboarding status as seen in the Device Inventory view. To circumvent this existing challenge, Powershell can come to the rescue, and you can run a script that determines with a high level of confidence that a device was offboarded from the platform without the need to wait for the 7 days period it takes a device to be deemed as inactive in the console. This script can be handy in situations where offboarding is happening on devices that are experiencing communication issues or sensor issues and offboarding is the option to fix the problem and you would like to know straight away if the process was successful. In essence, the script checks an indicator in the registry and the status of the key service that is responsible for sending telemetry to the portal and a true indication that the device is onboarded in Defender for Endpoint, the Sense.exe service. The registry key: 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status', REG_DWORD: OnboardingState. High level execution of the script: Scans computers to determine if devices are offboarded from MDE: The script checks one or more Windows computers (locally by default, or remotely via PowerShell remoting) and infers whether the device appears OFFBOARDED from MDE by looking at: Registry onboarding indicators (OnboardingState and OnboardedInfo) The state of the SENSE service (Sense) Then it outputs: A human-readable status (ASCII only) It pipes the results to a .csv file Optionally exports CSV Fairly simple script but it allows administrators to check on the fly if a device has been offboarded from Defender for Endpoint. I wanted to keep it simple, but this script could be run from Configuration Manager or Intune to check in bulk what devices are offboarded from MDE. PowerShell scripting code: Code disclaimer: The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages. NOTE: When using your scripting editing tool of choice, be aware of any additional spaces added as a result of the copy/past operation into your editing tool. <# .SUMMARY Checks if a device appears OFFBOARDED from Microsoft Defender for Endpoint (MDE). .DESCRIPTION - Reads onboarding indicators in the registry. - Checks the SENSE service state. - Outputs a simple, ASCII-only status. - Can run locally (default) or against one/many remote computers via PS Remoting. .PARAMETER ComputerName One or more computers to check. Default = local computer. .PARAMETER OutCsv Optional path to write results as CSV. .PARAMETER Quiet If set, returns $true when OFFBOARDED and $false otherwise (for local-only use). .NOTES Registry indicators are based on the typical onboarding keys used by MDE. References: - MS Learn: Offboard devices (status becomes Inactive after 7 days; data retained up to 180 days). - Author: Edgar Parra - Microsoft v1.0 #> [CmdletBinding()] param( [string[]]$ComputerName = @($env:COMPUTERNAME), [string]$OutCsv, [switch]$Quiet ) # --- inner checker that runs LOCALLY on a target (used both locally and via Invoke-Command) --- $localCheck = { $regPaths = @( 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status', 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\Status' ) $onboardingStates = @() foreach ($p in $regPaths) { if (Test-Path $p) { try { $val = Get-ItemPropertyValue -Path $p -Name 'OnboardingState' -ErrorAction SilentlyContinue if ($null -ne $val) { $onboardingStates += [int]$val } } catch { } } } # SENSE service check $senseStatus = try { $svc = Get-Service -Name 'Sense' -ErrorAction Stop $svc.Status.ToString() } catch { 'NotInstalled' } # Determine likely state # If any OnboardingState == 1 OR SENSE Running, treat as not offboarded $isOnboarded = ($onboardingStates -contains 1) -or ($senseStatus -eq 'Running') # Build result [PSCustomObject]@{ ComputerName = $env:COMPUTERNAME SenseService = $senseStatus OnboardingState = if ($onboardingStates.Count) { ($onboardingStates -join ',') } else { 'N/A' } AppearsOffboarded = if ($isOnboarded) { $false } else { $true } Notes = if ($isOnboarded) { 'OnboardingState==1 and/or SENSE Running' } else { 'No onboarding indicators and SENSE not running' } } } $results = @() foreach ($comp in $ComputerName) { if ($comp -ieq $env:COMPUTERNAME -or $comp -eq '.' -or $comp -eq 'localhost') { $results += & $localCheck } else { try { $res = Invoke-Command -ComputerName $comp -ScriptBlock $localCheck -ErrorAction Stop $res | ForEach-Object { $_.ComputerName = $comp } $results += $res } catch { $results += [PSCustomObject]@{ ComputerName = $comp SenseService = 'Unknown' OnboardingState = 'Unknown' AppearsOffboarded = $null Notes = "Error: $($_.Exception.Message)" } } } } # Output if ($OutCsv) { $results | Export-Csv -NoTypeInformation -Path $OutCsv -Encoding UTF8 Write-Host "Saved results to $OutCsv" } if ($ComputerName.Count -eq 1 -and $Quiet) { # local single-check boolean mode return [bool]$results[0].AppearsOffboarded } # Human-readable summary (ASCII only) $results | ForEach-Object { $status = if ($_.AppearsOffboarded -eq $true) { 'OFFBOARDED' } elseif ($_.AppearsOffboarded -eq $false) { 'ONBOARDED' } else { 'UNKNOWN' } Write-Host ('[{0}] Status: {1} | SENSE: {2} | OnboardingState: {3} | Notes: {4}' -f ` $_.ComputerName, $status, $_.SenseService, $_.OnboardingState, $_.Notes) } # Also emit objects so you can pipe to Select-Object/Where-Object if you want $results Additional information: Offboarding devices from Defender for Endpoint. Offboarding devices via API explorer. In the next publication, I will aboard how to do this same process but for devices running Linux. Stay tuned!! and thank you for reading!
