title: Offboard devices
description: Onboard Windows devices, servers, non-Windows devices from the Microsoft Defender for Endpoint service
ms.service: defender-endpoint
ms.author: painbar
author: paulinbar
ms.localizationpriority: medium
manager: bagol
audience: ITPro
ms.collection:
- m365-security
- tier2
ms.topic: article
ms.subservice: onboard
search.appverid: met150
ms.date: 10/20/2025
appliesto:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Vulnerability Management
- Microsoft Defender for Business
When you offboard a device from Defender for Endpoint, no new detections, vulnerability, or security data are sent to the Microsoft Defender portal. Seven days after offboarding a device, its status changes to inactive. Devices that weren't active within the past 30 days are not factored into your organization's exposure score.
Past data, such as alerts, vulnerabilities, and the device timeline, for an offboarded device is displayed in the Microsoft Defender portal until the configured retention period expires. You also see the device profile (without data) in the device inventory for up to 180 days. To view data for active devices only, you can use filters, such as sensor health state, device tags, or device groups.
- Windows client devices
- Windows Server 2012 R2 and later
- Azure Stack HCI OS, version 23H2 and later
- Mac devices
- Linux servers
In the Microsoft Defender portal, in the navigation pane, select Settings > Offboard, and then select an operating system to start the offboarding process.
You can also use other methods, such as:
- Offboard devices using a local script
- Offboard devices using Group Policy
- Offboard devices using Mobile Device Management tools
In the Microsoft Defender portal, in the navigation pane, select Settings > Offboard, and then select an operating system to start the offboarding process.
You can also use other methods, such as:
- Offboard devices using Group Policy
- Offboard devices using Configuration Manager
- Offboard devices using Mobile Device Management tools
- Offboard devices using a local script
In the following procedure, steps 1 and 2 are optional; they apply if you don't want to see the retired devices in the "Device inventory" for 180 days.
1. Create a device tag, and name the tag `decommissioned`. Assign the tag to the Mac devices that you want to offboard from Defender for Endpoint.

2. Create a Device group and name it something like, `Decommissioned Mac`. Assign this tag to an appropriate user group.

3. Remove policies for Tamper Protection. See Set preferences on Mac: Tamper protection or use manual configuration.

4. In the Microsoft Defender portal, in the navigation pane, select Settings > Endpoints > Device management > Offboarding, and then select an operating system to start the offboarding process.

   Or, if you're using a non-Microsoft device management solution, disable integration with Defender for Endpoint.

   :::image type="content" source="media/offboard-machines/remove-endpoint.png" alt-text="Screenshot that shows how to offboard endpoints in the Microsoft Defender portal." lightbox="media/offboard-machines/remove-endpoint.png":::

5. Uninstall the Defender for Endpoint app on Mac devices.

6. Remove Mac devices from the group for system extension policies if an MDM was used to set them.
To offboard an Android or iOS device, uninstall the Microsoft Defender app on the device.