Comprehensive guide to Windows Local MDE offboarding: retrieving the MDE offboarding package from the Defender portal, executing the embedded scripts to stop Agent functionality, and validating that the Agent processes are no longer present.
Gather Windows MDE Local Offboarding Package
- Navigate to the Endpoint Offboarding – Microsoft Defender portal, from this page specify the Operating System as Windows 10 and 11, Deployment Method as Group Policy.
- Once the proper selections have been made, locate, and select Download Package. A disclaimer will be displayed upon selection, we will want to consent for this action by selecting Download. This should initiate a WindowsDefenderATPOffboardingPackage_valid_until_YYYY-MM-DD.zip folder install that will be stored to the Downloads folder on the User account.
- We will need to extract the contents of the package, the extracted .zip folder should house a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
- After the extraction process has been completed, we will want to relocate the .cmd file to a location where the file can be accessed by the desired Windows machines that are wishing to offboard from MDE monitoring, this can be done by uploading the file to a trusted SharePoint, Outlook email, or USB.
Deploy Windows MDE Local Offboarding Package
- On the desired Windows Device, we will first want to verify that the WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd file is housed on a desired directory on the machine.
- Once we have verified that the .cmd file is present on the device, we will want to initiate an elevated command line session. This can be done by leveraging the Windows Search functionality and within the search field providing Command Prompt, select the Run as Administrator option to initiate an elevated CMD.
- After the elevated CMD session has been initiated, we will want to access the file directory where the .cmd file is currently housed, once inside the directory locate, and right click the file from the file explorer session and select the Copy as Path option.
- Once the file path has been copied, we will return to the elevated CMD session and paste in the copied file path, hit enter to initiate the execution of the script.
Assessing a Windows MDE Local Offboarding Deployment
- Utilizing the Windows Search functionality, provide Windows PowerShell ISE within the search field, select the Run as Administrator option to initiate an elevated ISE session.
- Once the session is initiated, supply the following script to evaluate if the MDE agent still has proper security functionality enabled for communication to your Organizations Microsoft Defender portal.
PowerShell Script
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
$registryValueName = "OnboardingInfo"
function Check-RegistryValue {
if (Test-Path $registryPath) {
if (Get-ItemProperty -Path $registryPath -Name $registryValueName -ErrorAction Ignore) {
if (Get-ItemPropertyValue -Path $registryPath -Name $registryValueName -ErrorAction Ignore) {
Write-Host "The registry value exists."
return $true
}
}
else {
Write-Warning "The registry value name does not exist."
return $false
}
}
else {
Write-Warning "The path to this value does not exist."
return $false
}
}
function Check-ATPProcess {
$WindowsDefenderATPExecutable = Get-Process -Name MsSense -ErrorAction SilentlyContinue
if ($WindowsDefenderATPExecutable -eq $Null) {
Write-Warning "Process is not running"
return $false
}
else {
Write-Host "Process is running"
return $true
}
}
$registryCheck = Check-RegistryValue
$processCheck = Check-ATPProcess
if ($registryCheck -and $processCheck) {
Write-Host "Both checks passed."
exit 0
}
else {
Write-Warning "One or both checks failed."
exit 1
}
- From the elevated ISE session, we will copy and paste the text from the table above into the text section of the Untitled1.ps1 file.
- Once the contents have been successfully migrated, you will want to save the .ps1 file somewhere locally on the machine. The ISE software requires that you save the file prior to execution.
- After the file has been saved, locate, and select the green play button to run the saved script.
- Upon execution of the script, you will see values returned in the window below.
- Depending on the results there will be two different paths forward:
- If both checks return false, the agent is no longer on the machine and the MDE offboarding process was successful. Next steps will be to access the defender portal and exclude the device manually from the system once the offboarding verification process has been executed successfully, this procedure can be found here.
- If both checks return true, that means that the MDE agent has not been successfully removed and the machine is still currently being monitored by the MDE agent. This could be due to the steps outlined above not being conducted correctly, or the offboarding package gathered from the Defender portal having reached its expiration period. Next steps will require that an investigation of process breakdown be conducted prior to attempting a re-execution of the procedure.
- If both checks return false, the agent is no longer on the machine and the MDE offboarding process was successful. Next steps will be to access the defender portal and exclude the device manually from the system once the offboarding verification process has been executed successfully, this procedure can be found here.
Need Assistance?
Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.