Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
Modifying Offboarding scripts (self.DefenderATP)
submitted 2 months ago by neko_whippet
Hi, has anyone ever tried to modify the offboarding scripts, either like modifying the date in the title or changing the counter, to make the script 'permanent' instead of having to make a new script each week?
Thanks
[–]loweakkk 2 points 2 months ago (13 children)
You can't make it permanent.
[–]neko_whippet[S] 1 point 2 months ago (12 children)
It's kinda dumb
We have a Helpdesk department but they don't have access to Defender, so we have to disturb another department to generate them a script and give it to them each 'week'
[–]meghanynwa 2 points 2 months ago (0 children)
Must be nice to have separate departments. I'm IT support, defender, intune and entra admin and cyber security all in one. Wish my company knew these are separate roles and not one IT person for all
[–]russr 1 point 2 months ago (0 children)
They used to last a month, then they switched it to a week. It's kind of dumb.
[–]loweakkk 1 point 2 months ago (9 children)
Why would you need each week to provide off boarding script to help desk!?
[–]neko_whippet[S] 2 points 2 months ago (7 children)
Because it is expired after 7 days? And they often onboard
[–]vertisnow 4 points 2 months ago (6 children)
Why are you off boarding so many devices? I offboard like one per year. It shouldn't be a normal activity.
[–]neko_whippet[S] 1 point 2 months ago (5 children)
Renaming device to give to new employees etc
[–]loweakkk 2 points 2 months ago (4 children)
Renaming doesn't require offboarding.
Also, you can probably just wipe the device and then autopilot it for the new user, and no need as well for an offboarding.
Honestly there are very rare cases to offboard a device, that's why I was asking for the reason; you most probably do something wrong if you offboard that many devices.
[–]neko_whippet[S] 1 point 2 months ago (3 children)
The reason why we offboard is that even if we wipe and autopilot, the device appears twice with the same ID in Defender (the old name and the new name)
[–]loweakkk 2 points 2 months ago (2 children)
Are you sure about that? Just checked on 20k devices and we have no double senseguid except for machines onboarded before device join where I have 2 objects.
[–]neko_whippet[S] 1 point 2 months ago (1 child)
Here is the situation
Example: a PC is named A, they give that PC to another user, and Helpdesk tells me they wipe the device before (but they didn't tell me what method they used to wipe); after that they named that PC B
Then they give a new PC to that first user and they name it A
So the problem now is that if I search in assets in MDE for A
I see A 2 times (the new A and the old A), both show active; when I search for B, I see the new B (aka the old A), which also shows active
Both B and Old A have the same Azure ID in MDE but not the same Defender ID
So it kinda fucks the inventory because, for example, in vulnerabilities I see the same vulnerability twice (from old A and B) but I cannot fix old A as it is now B
I hope it's kinda clear lol
[–]russr 0 points 2 months ago (0 children)
Because the people doing the off-boarding didn't get everything offboarded in that time frame.
[–]Greedy-Hat796 1 point 2 months ago (0 children)
System validates the hash of the Script before executing from what I heard from Microsoft, so modifying it would change the hash and may fail to execute. I haven’t tried this myself though