Offboarding a Device from MDE with a Deleted Tenant ID

Danish Batliwala 0 Reputation points
2024-03-28T09:33:03.83+00:00

I have a device that was onboarded to MDE under a DemoTenant that no longer exists. Now, I want to offboard it and onboard it to a new tenant. Can someone please assist?


2 answers

  1. Marilee Turscak-MSFT 37,046 Reputation points Microsoft Employee
    2024-03-29T00:11:46.71+00:00

    Hi @Danish Batliwala ,

    If you want to offboard the device from Microsoft Defender for Endpoint from the deleted tenant, you should be able to achieve this from the device itself using a local script, as documented in Offboard devices using a local script:

    1. Get the offboarding package from Microsoft Defender portal:
      1. In the navigation pane, select Settings > Endpoints > Device management > Offboarding.
      2. Select Windows 10 or Windows 11 as the operating system.
      3. In the Deployment method field, select Local Script.
      4. Select Download package and save the .zip file.
    2. Extract the contents of the .zip file to a shared, read-only location that devices can access. You should have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
    3. Open an elevated command-line prompt on the device and run the script:
      1. Go to Start and type cmd.
      2. Right-click Command prompt and select Run as administrator.
    4. Type the location of the script file. If you copied the file to the desktop, type: %userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd
    5. Press the Enter key or select OK.

    Note that offboarding causes the device to stop sending sensor data to the portal, but data from the device, including reference to any alerts it has had, will be retained for up to 6 months. In your case this should apply though since the portal is already deprecated.

    If this does not work or you face any errors, let me know.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.
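
A pre-flight wrapper for steps 3 to 5 of the answer above, as an added example that is not part of the original answer or of Microsoft's documentation: it checks for elevation, locates the script by the file name given in step 2, and refuses to run a package whose valid_until date has passed. The function names, the example folder, and the reading of the date in the file name as the last valid day are assumptions.

```powershell
# Added example: pre-flight checks around the local offboarding script.
# Assumption: the date in the file name is the last day the package is valid.
function Get-OffboardingScriptInfo {
    param(
        [Parameter(Mandatory)] [string] $Folder,      # extracted .zip contents
        [datetime] $Today = (Get-Date).Date
    )
    $pattern = '^WindowsDefenderATPOffboardingScript_valid_until_(\d{4}-\d{2}-\d{2})\.cmd$'
    Get-ChildItem -LiteralPath $Folder -Filter '*.cmd' -File | ForEach-Object {
        if ($_.Name -match $pattern) {
            $validUntil = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd',
                [Globalization.CultureInfo]::InvariantCulture)
            [pscustomobject]@{
                Path       = $_.FullName
                ValidUntil = $validUntil
                Expired    = $Today -gt $validUntil
            }
        }
    } | Sort-Object ValidUntil -Descending
}

function Invoke-MdeOffboarding {
    param([Parameter(Mandatory)] [string] $Folder)

    # Step 3: the script has to run elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Not elevated: start PowerShell with Run as administrator.'
    }

    # Step 2: pick the newest package in the folder and refuse an expired one.
    $candidate = Get-OffboardingScriptInfo -Folder $Folder | Select-Object -First 1
    if (-not $candidate) { throw "No offboarding script found in '$Folder'." }
    if ($candidate.Expired) {
        $date = $candidate.ValidUntil.ToString('yyyy-MM-dd')
        throw "Package was valid until $date; download a new one from the portal."
    }

    # Steps 4-5: run the .cmd; the meaning of its exit code is set by the script.
    & $candidate.Path
    Write-Host "Offboarding script exit code: $LASTEXITCODE"
}

# Hypothetical folder; replace with where the package was extracted.
# Invoke-MdeOffboarding -Folder "$env:USERPROFILE\Desktop"
```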


  2. Gokul Lal 0 Reputation points
    2024-07-26T08:46:13.52+00:00

    I am facing a similar issue. Since the device is onboarded to a different organization ID, the offboarding script from the new Defender portal is causing errors.
