Offboard devices using Group Policy
- Get the offboarding package from the Microsoft 365 Defender portal:
  - In the navigation pane, select Settings > Endpoints > Device management > Offboarding.
  - Select the operating system.
  - In the Deployment method field, select Group policy.
  - Click Download package and save the .zip file.
- Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
- Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click Edit.
- In the Group Policy Management Editor, go to Computer configuration, then Preferences, and then Control panel settings.
- Right-click Scheduled tasks, point to New, and then click Immediate task.
- In the Task window that opens, go to the General tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under Security options.
- Select Run whether user is logged on or not and select the Run with highest privileges check box.
- In the Name field, type an appropriate name for the scheduled task (for example, Defender for Endpoint Deployment).
- Go to the Actions tab and select New.... Ensure that Start a program is selected in the Action field. Enter the UNC path, using the file server's fully qualified domain name (FQDN), of the shared WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd file.
- Select OK and close any open GPMC windows.
Offboard devices using System Center 2012 R2 Configuration Manager
- Get the offboarding package from the Microsoft 365 Defender portal:
  - In the navigation pane, select Settings > Endpoints > Device management > Offboarding.
  - Select Windows 10 or Windows 11 as the operating system.
  - In the Deployment method field, select System Center Configuration Manager 2012/2012 R2/1511/1602.
  - Select Download package, and save the .zip file.
- Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
- Deploy the package by following the steps in the Packages and Programs in System Center 2012 R2 Configuration Manager article.
Offboard and monitor devices using Mobile Device Management tools
- Get the offboarding package from the Microsoft 365 Defender portal:
  - In the navigation pane, select Settings > Endpoints > Device management > Offboarding.
  - Select Windows 10 or Windows 11 as the operating system.
  - In the Deployment method field, select Mobile Device Management / Microsoft Intune.
  - Click Download package, and save the .zip file.
- Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding.
- Use a Microsoft Intune custom configuration policy to deploy the following supported OMA-URI setting:
  - OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding
  - Data type: String
  - Value: [Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file]
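The Group Policy and Intune procedures above both depend on two details that are easy to get wrong at deployment time: the package is only usable up to the date embedded in its file name (valid_until_YYYY-MM-DD), and the scheduled-task action must point at a UNC path that uses the file server's FQDN, while the Intune policy needs the raw content of the .offboarding file as its String value. The following PowerShell is an added example, not part of the Microsoft article or the product: it inspects an extracted package, reports how many days of validity remain, validates a UNC path for the Group Policy task, and builds the OMA-URI triple for Intune. The function names, the package directory and the server name in the usage lines are placeholders chosen for this example; only the file-name pattern, the OMA-URI and the String data type come from the article.

```powershell
# Added example (not from the Microsoft article). Function names, $PackageDir and the
# UNC path below are assumptions/placeholders constructed for illustration.

function Get-OffboardingPackageInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $PackageDir)

    # The article names the files *_valid_until_YYYY-MM-DD.cmd / .offboarding.
    $files = Get-ChildItem -LiteralPath $PackageDir -File |
        Where-Object { $_.Name -match 'valid_until_(\d{4}-\d{2}-\d{2})' }
    if (-not $files) { throw "No file with a valid_until_YYYY-MM-DD name found in $PackageDir" }

    foreach ($f in $files) {
        # Re-run the match per file so $Matches refers to this file's date.
        $null = $f.Name -match 'valid_until_(\d{4}-\d{2}-\d{2})'
        $validUntil = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        $daysLeft   = ($validUntil.Date - (Get-Date).Date).Days
        $method     = if ($f.Extension -eq '.offboarding') { 'MDM / Intune (OMA-URI value)' }
                      else { 'Group Policy, Configuration Manager or local script (.cmd)' }
        [pscustomobject]@{
            File       = $f.FullName
            Method     = $method
            ValidUntil = $validUntil.ToString('yyyy-MM-dd')
            DaysLeft   = $daysLeft
            Expired    = ($daysLeft -lt 0)   # an expired package must be re-downloaded, not deployed
        }
    }
}

function Test-OffboardingSharePath {
    # The Group Policy task action must use a UNC path with the file server's FQDN.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $UncPath)

    if ($UncPath -notmatch '^\\\\([^\\]+)\\') { return $false }   # not a UNC path at all
    $server = $Matches[1]
    if ($server -notmatch '\.') { return $false }                   # bare NetBIOS name, not an FQDN
    if ($server -match '^\d{1,3}(\.\d{1,3}){3}$') { return $false } # IP address, not an FQDN
    return (Test-Path -LiteralPath $UncPath)                        # share reachable and file present
}

function Get-IntuneOffboardingValue {
    # Builds the custom-policy setting the article describes: OMA-URI, String, file content.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $OffboardingFile)

    $value = (Get-Content -LiteralPath $OffboardingFile -Raw).Trim()
    [pscustomobject]@{
        OmaUri   = './Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding'
        DataType = 'String'
        Value    = $value
    }
}

# Usage (placeholder paths and a constructed date; adjust to your extracted package):
Get-OffboardingPackageInfo -PackageDir 'C:\Temp\MDE-Offboarding' | Format-Table -AutoSize
Test-OffboardingSharePath -UncPath '\\fs01.corp.example.com\MDE\WindowsDefenderATPOffboardingScript_valid_until_2024-01-31.cmd'
Get-IntuneOffboardingValue -OffboardingFile 'C:\Temp\MDE-Offboarding\WindowsDefenderATP_valid_until_2024-01-31.offboarding'
```

Run the checks on the administrator's workstation before editing the GPO or creating the Intune policy; a package whose Expired column is True, or a share path that fails Test-OffboardingSharePath, is the usual reason an offboarding rollout silently does nothing.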
Offboard devices using a local script
- Get the offboarding package from the Microsoft 365 Defender portal:
  - In the navigation pane, select Settings > Endpoints > Device management > Offboarding.
  - Select Windows 10 or Windows 11 as the operating system.
  - In the Deployment method field, select Local Script.
  - Click Download package and save the .zip file.
- Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
- Open an elevated command-line prompt on the device and run the script:
  - Go to Start and type cmd.
  - Right-click Command prompt and select Run as administrator.
- Type the location of the script file. If you copied the file to the desktop, type: %userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd
- Press the Enter key or click OK.
Offboard Windows servers
You can offboard Windows Server 2012 R2, Windows Server 2016, Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition using the same methods available for Windows 10 client devices:
- Offboard devices using Group Policy
- Offboard devices using Configuration Manager
- Offboard and monitor devices using Mobile Device Management tools
- Offboard devices using a local script
For other Windows server versions, you have two options to offboard Windows servers from the service:
- Uninstall the MMA agent
- Remove the Defender for Endpoint workspace configuration
Onboarding and offboarding policies must not be deployed to the same device at the same time; doing so causes unpredictable collisions.