It is important to note that there is no way to force the removal of devices from Microsoft Defender for Endpoint. Inactive devices remain in the inventory until the configured retention period lapses. As an IT admin, this might sound strange. After all, administrators can remove devices from Azure AD and Intune, but why not from Microsoft Defender? The reason is simple: if an administrator can permanently remove devices, an attacker can too. If an attacker gets a foothold into the environment, they could remove all devices to cover their tracks. No one would be able to verify what the attacker did, as the logs of a device disappear when the device is removed.

Although the logic makes sense, it can be tricky to manage inactive devices, especially if you reimage devices regularly and issue new laptops regularly. This kind of process will increase the number of duplicates significantly. Offboarding devices is a potential solution. This sounds interesting at first, but it won’t work in our case. Two different ways exist to offboard devices:

- Locally, by running an offboarding script on a device (supported for macOS, Linux, and Windows (Server)).
- Through the offboarding API (supported for Windows 10 and Windows Server 2019).

It is important to understand that offboarding a device does not remove a device from the inventory. Instead, the device switches to an ‘inactive’ state 7 days after offboarding. This means that offboarding is not an efficient way to manage reimaged/repurposed devices.
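Since stale records cannot be deleted, duplicates left by reimaging have to be filtered out at reporting time instead. The following is an added example, not code from the original article or from Microsoft: it labels records in a constructed inventory export, and the field names (`device_id`, `hostname`, `last_seen`) and the rule "inactive once not seen for 7 days" are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=7)  # assumption: mirrors the 7-day figure in the text

# Constructed sample inventory; field names are hypothetical, not a Defender export schema.
INVENTORY = [
    {"device_id": "a1", "hostname": "LT-0042", "last_seen": "2024-05-01T08:00:00+00:00"},
    {"device_id": "b7", "hostname": "lt-0042", "last_seen": "2024-06-10T09:30:00+00:00"},
    {"device_id": "c3", "hostname": "LT-0077", "last_seen": "2024-06-09T17:00:00+00:00"},
    {"device_id": "d9", "hostname": "SRV-DB01", "last_seen": "2024-04-20T12:00:00+00:00"},
]

def classify(inventory, now):
    """Group records by hostname (case-insensitive) and label each one.

    current   - newest record for a hostname, seen within the threshold
    inactive  - newest record for a hostname, but not seen recently
    duplicate - older record superseded by a newer one with the same hostname
                (typical after a reimage); it is labelled, never dropped,
                because its logs may still matter to an investigation
    """
    by_host = defaultdict(list)
    for rec in inventory:
        seen = datetime.fromisoformat(rec["last_seen"])
        by_host[rec["hostname"].lower()].append((seen, rec["device_id"]))

    labels = {}
    for records in by_host.values():
        records.sort(reverse=True)  # newest first
        newest_seen, newest_id = records[0]
        labels[newest_id] = "current" if now - newest_seen <= INACTIVE_AFTER else "inactive"
        for _, device_id in records[1:]:
            labels[device_id] = "duplicate"
    return labels

def reporting_scope(inventory, now):
    """Device ids to count in dashboards: the live record of each hostname."""
    labels = classify(inventory, now)
    return sorted(d for d, label in labels.items() if label == "current")

if __name__ == "__main__":
    now = datetime(2024, 6, 11, tzinfo=timezone.utc)
    for device_id, label in sorted(classify(INVENTORY, now).items()):
        print(device_id, label)
```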