Hands-On Offboarding for MDE (Windows Server)

Gather Windows Server Local MDE Offboarding Package

Navigate to the Endpoint Offboarding – Microsoft Defender portal, from this page specify the Operating System as Windows Server 2019 and 2022, Deployment Method as Group Policy.
Once the proper selections have been made, locate, and select Download Package. A disclaimer will be displayed upon selection, we will want to consent for this action by selecting Download. This should initiate a WindowsDefenderATPOffboardingPackage_valid_until_YYYY-MM-DD.zip folder install that should be stored to the Downloads folder on the User account.
We will want to extract the contents of the package, the extracted .zip folder should house a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
After the extraction process has been completed, we will want to relocate the .cmd file to a location where the file can be accessed by the desired Windows Server that are wishing to offboard from MDE monitoring, this can be done by uploading the file to a trusted SharePoint, Outlook email, or USB.

Deploy Windows Server MDE Local Offboarding Package

On the desired Windows Server, we will first want to verify that the WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd file is housed on a desired directory on the server.
Once we have verified that the .cmd file is present on the device, we will want to right click the file from the file explorer session and select the Run as administrator option. This will initiate an elevated command prompt that will run the necessary offboarding scripts to sever communication for the MDE Agent with Microsoft Services.
Running this script should initiate an elevated session to run for execution of the offboarding code. After a few seconds the session will close automatically, we will proceed to leveraging detection commands to verify that the service tied to the MDE agent is no longer present on the Server.

Assessing a Windows Server MDE Local Offboarding Deployment

Utilizing the Windows Search functionality within the search field provide Command Prompt, right click the returned result, and select the Run as Administrator option to initiate an elevated command line session.
Once the elevated session is generated, we will want to supply the following command below into the session to verify that the sense service initiated by the presence of the MDE agent on the Server is no longer running. This command should return the sense service in the stopped state, the Windefend service will remain in the running state since this is the native anti-virus on the server.

Command

sc.exe query Windefend && sc.exe query sense
Depending on the results there will be two different paths forward:
1. If the command returns that the sense service is no longer running on the machine, the agent is no longer on the server and the MDE offboarding process was successful. Next steps will be to access the defender portal and exclude the device manually from the system once the offboarding verification process has been executed successfully, this procedure can be found here.
2. If the command returns that the sense process is still running, that indicates that the agent is still active and connected to an organization, that means that the MDE agent has not been successfully removed and the server is still currently being monitored by the MDE agent. This could be due to the steps outlined above not being conducted correctly, or the offboarding package gathered from the Defender portal having reached its expiration period. Next steps will require that an investigation of process breakdown be conducted prior to attempting a re-execution of the procedure.

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.