Skip to main content

How to offboard a device from M365 Defender

Syed Ammar Hussaini
  • Updated

Scenario:

You want to offboard a device from M365 Defender.

 

Steps:

 

Offboard devices using a local script

For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.

Note: Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.

  1. Get the offboarding package from Microsoft 365 Defender portal:

    1. In the navigation pane, select Settings > Endpoints > Device management > Offboarding.
    2. Select Windows 10 or Windows 11 as the operating system.
    3. In the Deployment method field, select Local Script.
    4. Click Download package and save the .zip file.

  2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.

  3. Open an elevated command-line prompt on the device and run the script:

    1. Go to Start and type cmd.

    2. Right-click Command prompt and select Run as administrator.

      The Windows Start menu pointing to the Run as administrator option

  4. Type the location of the script file. If you copied the file to the desktop, type: %userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd

  5. Press the Enter key or click OK.

Important: Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.

Related articles

Comments

0 comments

Please sign in to leave a comment.