Need to offboard the Windows Defender from Windows Servers

agarwal utkarsh (Contractor) 0 Reputation points
2025-01-28T07:43:17.5966667+00:00

Hello all,

In our organization we have an S1 agent installed on the Windows servers running on Azure, therefore I need to uninstall Microsoft Defender completely from the servers, but even after removing the role for Windows Defender the services related to Defender are still running.

Can anyone help with how to offboard Defender from the server completely? Also, MS support suggested using the offboarding script, but we don't have that.


1 answer

  1. Raja Pothuraju 11,875 Reputation points Microsoft Vendor
    2025-01-28T11:29:27.3033333+00:00

    Hello @agarwal utkarsh (Contractor),

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you are looking to completely offboard Windows Servers from Defender for Endpoint. To offboard any device, please refer to the following document: Offboarding machines from Microsoft Defender for Endpoint

    If you prefer to offboard devices using a local script, you can follow the steps outlined in this document: Offboarding machines using a local script

    I’d like to know how many devices you are planning to offboard from Defender for Endpoint. If you are offboarding up to 10 devices, using a local script is a viable option. However, if you need to offboard more than 10 devices, you should use other available methods such as Mobile Device Management (MDM) tools, Configuration Manager, or Group Policy. Detailed steps for these methods are provided in the following guide: Configuring server endpoints in Defender for Endpoint

    Verifying offboarding when using a script:

    After running the offboarding script on a device, you can check the results as follows:

    1. Click Start, type Event Viewer, and press Enter.
    2. Navigate to Windows Logs > Application.
    3. Look for an event from the WDATPOnboarding event source.

    The event details will indicate whether the offboarding was successful.


    Post-offboarding behavior:

    Once a device is offboarded, it may still appear in the devices list in the portal. After seven days of no cyber data activity (e.g., if the machine is offboarded, turned off, or disconnected), its health state will change to inactive. This behavior is documented here: Fix unhealthy sensors in Defender for Endpoint

    For security purposes, offboarded devices will remain visible in the portal as a historical record for up to 180 days. However, their data will be purged in accordance with your retention policy. In summary:

    • Machines will disappear from the portal after becoming inactive (seven days with no data activity).
    • Devices will be fully removed no later than 180 days after ceasing to send data to the cloud.

    Please let me know if you are encountering any specific errors while offboarding the devices. We can address this issue offline to troubleshoot further. Feel free to send me an email at [AzCommunity@microsoft.com] with the subject line "Attn: Pothurajur" and include a link to this thread for reference.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Thanks,
    Raja Pothuraju.
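
The Event Viewer check described in the answer above, scripted so it can be repeated on each server after the offboarding script has run. This is an added example, not part of the answer and not Microsoft's offboarding script. Only the Application log and the WDATPOnboarding event source come from the thread; the function name `Get-OffboardingEvidence` is hypothetical, and the service names `Sense` and `WinDefend` are assumptions to adjust for your environment.

```powershell
# Added example: collect offboarding evidence on a Windows Server.
# The Application log and the WDATPOnboarding source are taken from the answer;
# the service names below are assumptions, not values stated in the thread.
function Get-OffboardingEvidence {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 10,
        [string[]]$ServiceName = @('Sense', 'WinDefend')   # assumed service names
    )

    $filter = @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding' }
    try {
        $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent raises an error when nothing matches or the source is not
        # registered; report that as "no evidence yet" instead of failing.
        Write-Warning "No WDATPOnboarding events readable on ${env:COMPUTERNAME}: $($_.Exception.Message)"
        $events = @()
    }

    # Record the state of each service so "still running" can be shown with data.
    $services = foreach ($name in $ServiceName) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Status    = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
            StartType = if ($svc) { "$($svc.StartType)" } else { $null }
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Events   = $events | Select-Object TimeCreated, Id, LevelDisplayName, Message
        Services = $services
    }
}

$evidence = Get-OffboardingEvidence
$evidence.Events   | Format-List               # newest first; read Message for the result
$evidence.Services | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the server; the event message text, not the script, states whether offboarding succeeded.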
