question

JediIAM-5441 asked DaisyZhou-MSFT commented

I just Offloaded ATP on Server 2016 but registry still has "OnboardingState REG_DWORD 0x1"

I just Offloaded ATP on Server 2016 but registry still has "OnboardingState REG_DWORD 0x1"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" OnboardingState should be 0x0 when offboarded as far as I can tell.
I expect that value to be 0x0 when Defender ATP is offboarded.

I offboarded using the script found at the bottom of the page on this site: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-worldwide#offboard-server-endpoints

I ran this script with elevated rights and provided my workspace ID in the script:

```powershell
$ErrorActionPreference = "SilentlyContinue"

# Load agent scripting object
$AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg

# Remove OMS Workspace
$AgentCfg.RemoveCloudWorkspace("WorkspaceID")

# Reload the configuration and apply changes
$AgentCfg.ReloadConfiguration()
```

Server in MS Security Center shows Timeline has stopped updating so it appears to be offboarded but the registry key is not as expected.

windows-server-security

Hello @JediIAM-5441,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

JediIAM-5441 answered DaisyZhou-MSFT commented

The server was rebooted last night and the registry key is still showing 0x1.
There is no folder named "Windows Defender Advanced Threat Protection" in the program files folder and it does not show up in Control Panel>Programs and Features.
It has been successfully off-boarded.

Just surprised to see the registry key still showing 0x1.

Thank you for your assistance. I will possibly open a new post in the forum you mentioned.



Hello @JediIAM-5441,

Thank you for your update.

Hope the engineer in that forum can provide further help to you.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @JediIAM-5441,

Thank you for posting here.

1. Have you restarted the server after you offloaded ATP on Server 2016? If so, we can try to restart the machine to see if it helps.

2. If you have already restarted the machine, you can try to check if ATP is still under installed programs or applications under Control Panel.

3. After my research, you can refer to the similar case below to check.

Remove devices from MDATP portal
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/remove-devices-from-mdatp-portal/m-p/1407884

If it does not work above, I suggest you open a new post in the Microsoft Defender for Endpoint forum, so that a dedicated support professional can further assist you with this request.

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/ct-p/MicrosoftSecurityandCompliance


Hope the information above is helpful.

Thank you for your understanding and support.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
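
Added example, not part of the thread or of Microsoft's offboarding script: one way to collect the signals discussed above (the `OnboardingState` value, the Program Files folder, the Programs and Features entries, and the workspaces still attached to the agent) into a single record, so a leftover registry value can be read next to the other evidence. The function name `Get-OffboardEvidence`, the use of the Uninstall registry keys as the source for Programs and Features, and the `<WorkspaceID>` placeholder are assumptions of this example.

```powershell
# Added example (not from the thread). Run elevated on the server being checked.
function Get-OffboardEvidence {
    [CmdletBinding()]
    param(
        # Workspace ID that was passed to RemoveCloudWorkspace(); placeholder default.
        [string]$WorkspaceId = '<WorkspaceID>'
    )

    # 1. Registry value quoted in the question.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = $null
    if (Test-Path -LiteralPath $statusKey) {
        $state = (Get-ItemProperty -LiteralPath $statusKey -Name OnboardingState `
                    -ErrorAction SilentlyContinue).OnboardingState
    }

    # 2. Program Files folder named in the asker's follow-up.
    $folder = Join-Path $env:ProgramFiles 'Windows Defender Advanced Threat Protection'

    # 3. Programs and Features entries (assumption: read from the Uninstall keys).
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $programs = @(Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Advanced Threat Protection*' } |
        Select-Object -ExpandProperty DisplayName)

    # 4. Workspaces still attached, via the same COM object the offboarding script uses.
    $workspaces = $null
    try {
        $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg -ErrorAction Stop
        $workspaces = @($cfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
    } catch {
        Write-Warning "Agent COM object unavailable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OnboardingState    = $state        # $null = key or value absent
        AtpFolderPresent   = Test-Path -LiteralPath $folder
        AtpProgramEntries  = $programs
        AttachedWorkspaces = $workspaces   # $null = agent could not be queried
        WorkspaceStillSet  = [bool]($workspaces -contains $WorkspaceId)
    }
}

Get-OffboardEvidence | Format-List
```

Unlike the offboarding script, this check does not set `$ErrorActionPreference = "SilentlyContinue"` globally, so a failure to load the agent COM object is reported as a warning instead of being hidden.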
