I just Offloaded ATP on Server 2016 but registry still has "OnboardingState REG_DWORD 0x1"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" OnboardingState should be 0x0 when offboarded, as far as I can tell.
I expect that value to be 0x0 when Defender ATP is offboarded.
I offboarded using the script found at the bottom of the page on this site: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-worldwide#offboard-server-endpoints
I ran this script with elevated rights and provided my workspace ID in the script:
```powershell
$ErrorActionPreference = "SilentlyContinue"
# Load agent scripting object
$AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
# Remove OMS Workspace
$AgentCfg.RemoveCloudWorkspace("WorkspaceID")
# Reload the configuration and apply changes
$AgentCfg.ReloadConfiguration()
```
The server in MS Security Center shows the Timeline has stopped updating, so it appears to be offboarded, but the registry key is not as expected.
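
A verification pass for the situation described above, as an added example that is not part of the original post or of Microsoft's script. Because the posted script sets `$ErrorActionPreference` to `SilentlyContinue`, a failed `RemoveCloudWorkspace` call would not be reported; this check surfaces COM errors, lists the workspaces the agent is still connected to, and reads the `OnboardingState` value. The `<WorkspaceID>` placeholder and the `workspaceId` property name on the returned workspace objects are assumptions.

```powershell
# Added example: report what the agent and the registry show after offboarding.
# '<WorkspaceID>' is a placeholder; use the ID that was passed to RemoveCloudWorkspace.
$WorkspaceId = '<WorkspaceID>'
$StatusKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

$report = [ordered]@{
    ConnectedWorkspaces     = @()
    WorkspaceStillConnected = $null
    OnboardingState         = 'value not present'
    AgentError              = $null
}

try {
    # -ErrorAction Stop makes a missing or broken agent COM object visible
    # instead of being swallowed as it is under SilentlyContinue.
    $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg -ErrorAction Stop

    # Assumption: each returned workspace object exposes a workspaceId property.
    $report.ConnectedWorkspaces = @($AgentCfg.GetCloudWorkspaces() |
        ForEach-Object { $_.workspaceId })
    $report.WorkspaceStillConnected = $report.ConnectedWorkspaces -contains $WorkspaceId
}
catch {
    $report.AgentError = $_.Exception.Message
}

# Read the value quoted in the post; leave the default text if the key or value is absent.
$status = Get-ItemProperty -Path $StatusKey -Name OnboardingState -ErrorAction SilentlyContinue
if ($null -ne $status) {
    $report.OnboardingState = '0x{0:X}' -f [int]$status.OnboardingState
}

[pscustomobject]$report | Format-List
```

Run it from an elevated PowerShell session on the server, the same way the offboarding script was run.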