Hands-On Offboarding for MDE (Linux)

Comprehensive guide to locally offboarding a Linux device from Microsoft Defender for Endpoint (MDE): running the commands that remove the agent and stop its functionality, then validating that the agent processes are no longer present on the machine.

Offboarding Linux Device from MDE Monitoring

  1. On the Linux device you wish to offboard, open the Activities view and type Terminal into the search field; the utility appears in the list below the field, and selecting it opens the command-line session we will use to remove the MDE agent from the machine. This demonstration uses Ubuntu 20.04 Jammy Jellyfish; if the UI or functionality differs on your flavor of Linux, use whatever application search utility your distribution provides to start a command-line session on the device.
  2. Once the CLI session is open, run the command below to decommission the MDE agent on the machine and sever the connection between the device and the Microsoft Defender services. The command requires administrative privileges, so complete the authentication prompt generated in the session. During execution you will also be asked to consent to the removal of the mdatp package by supplying Y.

    Command

    sudo apt-get purge mdatp


  3. The purge command above prints a warning that residual packages which were automatically installed during onboarding must be removed separately; run the command below to clean up those additional resources. This command also requires administrative privileges, so complete the authentication prompt generated in the session, and consent to the removal of the listed residual packages by supplying Y.

    Command

    sudo apt autoremove


  4. After both commands above have completed, run the following one-liner to evaluate whether the MDE agent still has its security functionality enabled and can communicate with your organization's Microsoft Defender portal.

    One-Liner

    echo -e "Org ID: $(mdatp health --field org_id)\nHealthy: $(mdatp health --field healthy)\nDefinitions: $(mdatp health --field definitions_status)\nRTP Enabled: $(mdatp health --field real_time_protection_enabled)"

  5. When the one-liner runs, the returned values are displayed in the terminal window.
  6. Depending on the results there will be two different paths forward:
    1. If the one-liner reports that the mdatp command is no longer found on the machine, the agent has been removed and the MDE offboarding process was successful. The next step is to open the Defender portal and manually exclude the device from the system once this verification has succeeded; this procedure can be found here.

    2. If the one-liner returns fields whose values indicate that the agent is active and connected to an organization, the MDE agent has not been removed and the machine is still being monitored by it. This could be because the steps above were not carried out correctly, or because the offboarding package obtained from the Defender portal has passed its expiration period. Investigate where the process broke down before attempting to re-run the procedure.
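
The guide's one-liner only asks the mdatp CLI about itself, which is enough when the command is gone but says nothing about a leftover package, service or daemon. The following POSIX shell script is an added example, not part of the original guide or of Microsoft's tooling: it gathers the package, service, process and CLI evidence a reviewer would want before closing the offboarding ticket and maps the findings onto the two outcomes of step 6. The package name mdatp is taken from the guide's purge command; the systemd unit name mdatp.service and the daemon process name wdavdaemon are assumptions and should be adjusted if your distribution packages the agent differently.

```shell
#!/bin/sh
# Added example (not from the original guide): post-offboarding verification for
# the MDE agent on Linux. Each check prints one "name=state" line and reports
# "skipped" when the host lacks the tool needed for that check, so the script
# runs on minimal systems too.
#
# Assumptions (not taken from the page): the Debian package is "mdatp" (as in the
# guide's apt-get purge), the systemd unit is "mdatp.service" and the agent daemon
# process is named "wdavdaemon".

# Is the mdatp CLI still on the PATH? (This is what the guide's one-liner relies on.)
mde_check_cli() {
    if command -v mdatp >/dev/null 2>&1; then echo "cli=present"; else echo "cli=absent"; fi
}

# Is the mdatp package still registered with dpkg? A purged package has no
# "install ok installed" status line.
mde_check_package() {
    if ! command -v dpkg-query >/dev/null 2>&1; then echo "package=skipped"; return; fi
    if dpkg-query -W -f='${Status}\n' mdatp 2>/dev/null | grep -q '^install ok installed$'; then
        echo "package=installed"
    else
        echo "package=absent"
    fi
}

# Is the (assumed) systemd unit still active?
mde_check_service() {
    if ! command -v systemctl >/dev/null 2>&1; then echo "service=skipped"; return; fi
    if systemctl is-active --quiet mdatp.service 2>/dev/null; then echo "service=active"; else echo "service=inactive"; fi
}

# Is the (assumed) agent daemon still running?
mde_check_process() {
    if ! command -v pgrep >/dev/null 2>&1; then echo "process=skipped"; return; fi
    if pgrep -x wdavdaemon >/dev/null 2>&1; then echo "process=running"; else echo "process=absent"; fi
}

# Classify a list of findings (one "name=state" per line) without touching the host.
# Any state that means "agent still here" maps to the second outcome of step 6.
mde_classify() {
    if echo "$1" | grep -Eq '=(present|installed|active|running)$'; then
        echo "AGENT STILL PRESENT - investigate the process breakdown before re-running the procedure"
    else
        echo "OFFBOARDED - proceed to exclude the device in the Defender portal"
    fi
}

# Run every check on this host, print the findings and the verdict, and return
# 0 only when no trace of the agent remains (1 otherwise), so it can gate automation.
mde_offboard_status() {
    findings="$(mde_check_cli; mde_check_package; mde_check_service; mde_check_process)"
    echo "$findings"
    verdict="$(mde_classify "$findings")"
    echo "$verdict"
    case "$verdict" in
        OFFBOARDED*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Only run the live checks when invoked explicitly, e.g.: sh mde_offboard_check.sh --run
if [ "${1:-}" = "--run" ]; then
    mde_offboard_status
fi
```

Run it with `--run` after step 4; a non-zero exit status means at least one check still sees the agent, which is the same situation the guide describes in step 6.2 and should be investigated before the device is excluded in the portal. The verdict on a host that still has the package installed but no running daemon is deliberately "still present": a half-removed agent is not an offboarded one.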

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.