Comments on: Handling Inactive Devices in Microsoft Defender for Endpoint https://practical365.com/handling-inactive-devices-in-microsoft-defender-for-endpoint/ Practical Office 365 News, Tips, and Tutorials Tue, 28 May 2024 14:01:13 +0000 hourly 1 https://wordpress.org/?v=6.6.1 By: dn https://practical365.com/handling-inactive-devices-in-microsoft-defender-for-endpoint/#comment-294749 Tue, 28 May 2024 14:01:13 +0000 https://practical365.com/?p=56940#comment-294749 Hello, the best article regarding this topic! 🙂

So if device is “inactive” it will disappear from the portal after 180 days.
I assume that license is not in use in that case?

I did offboarding on some devices using local script and now those devices have Health state : “inactive” but Onboarding status: “onboarded”? Is that OK?

]]> By: <div class="apbct-real-user-wrapper"> <div class="apbct-real-user-author-name">Thijs Lecomte</div> <div class="apbct-real-user-badge" onmouseover=" let popup = document.getElementById('apbct_trp_comment_id_293776'); popup.style.display = 'inline-flex'; "> <div class="apbct-real-user-popup" id="apbct_trp_comment_id_293776"> <div class="apbct-real-user-title"> <p class="apbct-real-user-popup-header">The Real Person!</p> <p class="apbct-real-user-popup-text">Author <b>Thijs Lecomte</b> acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.</p> </div> </div> </div> </div> https://practical365.com/handling-inactive-devices-in-microsoft-defender-for-endpoint/#comment-293776 Fri, 10 May 2024 08:11:31 +0000 https://practical365.com/?p=56940#comment-293776 In reply to Jamesy.

Correct – these filters need to be added manaully

]]> By: Jamesy https://practical365.com/handling-inactive-devices-in-microsoft-defender-for-endpoint/#comment-293613 Tue, 07 May 2024 14:46:48 +0000 https://practical365.com/?p=56940#comment-293613 Thanks for this article. We just rolled out a new tenant and came across this, however, adding the tags and groups does not impact the devices in the list automatically. They will still need filtered and this also does nothing for defender seeing them as vulnerable and unpatched. Or am I missing something?

]]> By: Lorenz https://practical365.com/handling-inactive-devices-in-microsoft-defender-for-endpoint/#comment-293039 Fri, 26 Apr 2024 14:35:27 +0000 https://practical365.com/?p=56940#comment-293039 ]]> Great post. Great comments.
A little light at the end of the tunnel. 😄

]]> By: <div class="apbct-real-user-wrapper"> <div class="apbct-real-user-author-name">Thijs Lecomte</div> <div class="apbct-real-user-badge" onmouseover=" let popup = document.getElementById('apbct_trp_comment_id_291525'); popup.style.display = 'inline-flex'; "> <div class="apbct-real-user-popup" id="apbct_trp_comment_id_291525"> <div class="apbct-real-user-title"> <p class="apbct-real-user-popup-header">The Real Person!</p> <p class="apbct-real-user-popup-text">Author <b>Thijs Lecomte</b> acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.</p> </div> </div> </div> </div> https://practical365.com/handling-inactive-devices-in-microsoft-defender-for-endpoint/#comment-291525 Tue, 02 Apr 2024 06:38:24 +0000 https://practical365.com/?p=56940#comment-291525 In reply to Michael.

Unfortunately, this cannot be changed.

]]> By: Michael https://practical365.com/handling-inactive-devices-in-microsoft-defender-for-endpoint/#comment-291462 Sun, 31 Mar 2024 21:42:53 +0000 https://practical365.com/?p=56940#comment-291462 Hi,
Thanks for this. Is it possible to increase the inactive threshold from 7 days to 14, 28 etc?
7 days seems very short

Regards,
Michael

]]> By: <div class="apbct-real-user-wrapper"> <div class="apbct-real-user-author-name">Thijs Lecomte</div> <div class="apbct-real-user-badge" onmouseover=" let popup = document.getElementById('apbct_trp_comment_id_290301'); popup.style.display = 'inline-flex'; "> <div class="apbct-real-user-popup" id="apbct_trp_comment_id_290301"> <div class="apbct-real-user-title"> <p class="apbct-real-user-popup-header">The Real Person!</p> <p class="apbct-real-user-popup-text">Author <b>Thijs Lecomte</b> acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.</p> </div> </div> </div> </div> https://practical365.com/handling-inactive-devices-in-microsoft-defender-for-endpoint/#comment-290301 Sat, 16 Mar 2024 13:56:42 +0000 https://practical365.com/?p=56940#comment-290301 In reply to Mini.

Why do you want to offboard them before enrolling them into Intune? Is there a reasoning behind this?

If you offboard them, the EDR connection will stop meaning the logs will be sent to the cloud instance. The local antivirus will still work.

There isn’t any user impact for offboarding, they wouldn’t notice

]]> By: Mini https://practical365.com/handling-inactive-devices-in-microsoft-defender-for-endpoint/#comment-289738 Fri, 08 Mar 2024 15:03:44 +0000 https://practical365.com/?p=56940#comment-289738 Hi All, if I will have to offboard all computers from MDE, then enroll intune through GPO (they have local AD) and then re-onboard them on MDE.

I know it could take the computers a week to disappear from MDE console.
The question is : If I offboard the computers, will they be still protected by MS Defender antivirus ?
and what is the impact of this for the users ? Will they have a pop up, message or other ?

]]> By: <div class="apbct-real-user-wrapper"> <div class="apbct-real-user-author-name">Thijs Lecomte</div> <div class="apbct-real-user-badge" onmouseover=" let popup = document.getElementById('apbct_trp_comment_id_275702'); popup.style.display = 'inline-flex'; "> <div class="apbct-real-user-popup" id="apbct_trp_comment_id_275702"> <div class="apbct-real-user-title"> <p class="apbct-real-user-popup-header">The Real Person!</p> <p class="apbct-real-user-popup-text">Author <b>Thijs Lecomte</b> acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.</p> </div> </div> </div> </div> https://practical365.com/handling-inactive-devices-in-microsoft-defender-for-endpoint/#comment-275702 Wed, 27 Sep 2023 11:16:08 +0000 https://practical365.com/?p=56940#comment-275702 In reply to ANdrew.

Hi Andrew

If the service has stopped on the device, something else is going on. You will need to dig into the event logs why the service is stopping. Can you check the sense event viewer and tell me what you see?

]]> By: ANdrew https://practical365.com/handling-inactive-devices-in-microsoft-defender-for-endpoint/#comment-275662 Wed, 27 Sep 2023 00:31:21 +0000 https://practical365.com/?p=56940#comment-275662 So if your device is onboarded. it can reach MS endpoint servers but sensor is inactive in defender portal and the device SC QC Sense = stopped
is the only way to fix this is to onboard again?

]]>