Microsoft Defender XDR – Offboarding scripts will now expire in 3 days and not 30 days

Last Updated on February 21, 2024 by Michael Morten Sonne


In a proactive move to give us better security measures, there is now a change in the Microsoft Defender XDR portal rolling out I have tested before in private preview as a valued member of the Microsoft Customer Connection Program under NDA! 🥳

This introduced a crucial change regarding the expiration time for offboarding scripts. This adjustment aims to enhance the overall security posture of organizations utilizing this feature. Below, we delve into the specifics of this change and how it may impact your organization 🤓

This is to shorten the attack window if the offboarding blob is etc. stolen or got in the wrong hands 🔐

If you hace access to the Message Center in the Microsoft 365 Admin center, you can read about this in the message MC716388 – here is a direct link to it also if needed: Message center – Microsoft 365 admin center

Understanding the change

  • Modification in the expiration time for offboarding scripts – when it´s expired, it can´t offboard devices from the targeted tenant 🔐🦺
  • Previously set at a 30-day timeframe, the new policy shortens this to a more secure 3-day period.

Implementation timeline

  • Public Preview: The change is currently available for organizations.
  • Release: Starting February 2024, the rollout is expected to be completed by late March 2024.

Impact on organizations

  • An exploration of how this adjustment might impact the daily operations and security protocols of your organization, especially if you utilize SCCM and other tools to deploy changes in your infrastructure, as three days may not always be sufficient time for all scenarios, it is crucial to assess the potential implications thoroughly.
  • Consideration of potential challenges and benefits stemming from the shortened expiration timeframe.

Preparation guidelines:

  • No immediate action is required to adapt to this change – it´s all happening automaticly in the Microsoft backend 🆓
  • Updating etc. relevant internal documentation to reflect the new expiration timeframe is a need.
  • Introduction of the Defender for Endpoint offboarding API as an alternative solution, in case any issues arise during the offboarding process and clarificati on how the offboarding API can be leveraged effectively as a contingency measure.
    Read more about that here: Offboard machine API | Microsoft Learn

Looking ahead

  • Reflection on the long-term implications of this security enhancement.
  • Consideration of how this change aligns with broader industry trends and best practices.

The change in the portal

Once the feature is available on your tenant, go to the Microsoft Security Portal > Settings > Device Management> offboarding

The direct link is here too: Endpoints – Microsoft Defender

Here you have some options to download 4 types of packages – Local Script (.cmd), Group Policy, Microsoft Endpoint Configuration Manager and Mobile Device Management (Intune)

Here you can see the change – now it expire in 3 days
Pop-up confirming the download and the expirey date for the Local Script in this view

The format of the downloaded .zip file with the .cmd script in for the Local Script type is: (YYYY-MM-DD is the expiry date of the package downloaded).

Sending offboarding packages that have expired to a device will result in the failure of the device offboarding process.

Now you can run the script to offboard your devices from Defender for Endpoint – the next 3 days 😉


A recap of the key points and a final encouragement for organizations to stay vigilant and proactive in adapting to evolving security measures.

    By providing coverage of the change here, its timeline, and the necessary steps for preparation, this blog post aims to guide organizations through a smooth transition while emphasizing the importance of heightened security measures in today’s digital landscape.

    I appreciate the positive and welcome nature of this change, but I hope that in the future, it might be possible to set a custom expiry date? 🤞

    Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍

    Stay tuned for the new post about something cool! 🥳


    Onboard Windows devices using a local script | Microsoft Learn

    Offboard machine API | Microsoft Learn

    Previous Article

    Microsoft maked the source code for MS-DOS and Word for Windows available to the public

    Next Article

    Entra ID - Global Secure Access Client - Installation of the Agent on Windows - Part 2

    Related Posts

    Discover more from Sonne´s Cloud

    Subscribe now to keep reading and get access to the full archive 🤝🧑‍💻

    Join 15 other subscribers