MDE Device Exclusion

Quick guide on remediating lingering device records for locally MDE-joined machines that have successfully carried out the offboarding process.

Offboarding causes the device to stop sending sensor data to the portal, but data from the device, including references to any alerts it has had, will be retained for up to 6 months.

This means that even if the device has successfully executed the offboarding scripts locally, its device record in the cloud environment can remain present in the Defender portal for an extended period of time.

Creating a Device Exclusion After MDE Offboarding

  1. Navigate to the Device Inventory in the Microsoft Defender portal and locate the device that has successfully completed the local offboarding process. Selecting the device displays a pop-out outlining its system information. Select the three dots option to view more actions, then locate and select Exclude in the generated list.
  2. Selecting Exclude will display another pop-up where you will need to provide justification and consent for the selected action. Under the Justification drop-down, specify Inactive Device, and under the Notes section, outline that the device has been offboarded from services and is no longer being monitored. Once the selections have been made, select Exclude Device.
  3. A final consent prompt will be displayed. Select Exclude devices to finalize the device exclusion process.

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.