How to Remove Computers from 365 Defender “Device Inventory”

If you can’t act on a device, for example if it’s offboarded or a duplicate, you can choose to have it excluded from threat and vulnerability management views.

Excluded devices won’t be visible in any of the vulnerability management pages and reports, and they won’t have updated or relevant information about vulnerabilities.

Not being able to remove devices from the portal is by design.

Defender for Endpoint keeps the machine record until it ages out of the retention period, so that the record is still available if the machine is later found to have been involved in a security incident.

You can filter these machines out of the device list either by using the “active” machine filter (machines turn inactive after several days with no activity) or by tagging/excluding them.

As ever, it looks like you can do a bit more with the API (although I wouldn’t recommend this approach; I would just exclude the machine):

1: Go to: https://securitycenter.windows.com/interoperability/api-explorer

2: Select POST from the dropdown menu

3: In the field after POST, enter: https://api.securitycenter.microsoft.com/api/machines/0b103afb-7b26-4h56-9g57-93a9d2196e0/offboard

Make sure to fill in the correct ID, which can be found on the device inventory page

4: In the text field below, you can paste this text:

{ "Comment": "Offboard machine by automation" }

5: Click Run Query. It will take a while before the device is removed.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api
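
The API call from steps 1 to 5 as a script, added here as an example (not code from the original post or from Microsoft). The function names, the dry-run default and the ID character check are assumptions, and the bearer token is assumed to be obtained separately for an account or app that is allowed to offboard machines.

```python
import json
import re
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api/machines"
# Assumption: a device ID holds only letters, digits and hyphens. Anything
# else (spaces, slashes, a pasted URL) is rejected before it reaches the path.
ID_PATTERN = re.compile(r"[A-Za-z0-9-]{8,64}")


def build_offboard_request(machine_id, comment, token):
    """Return the POST request from steps 2-4 without sending it."""
    machine_id = machine_id.strip()
    if not ID_PATTERN.fullmatch(machine_id):
        raise ValueError(f"refusing suspicious device ID: {machine_id!r}")
    if not comment.strip():
        raise ValueError("a comment is required so the action can be audited")
    # json.dumps emits straight ASCII quotes; curly quotes copied from a web
    # page are not valid JSON.
    body = json.dumps({"Comment": comment}).encode("utf-8")
    return urllib.request.Request(
        f"{API_BASE}/{machine_id}/offboard",
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def offboard(machine_id, comment, token, dry_run=True):
    """Show the request by default; send it only when dry_run is False."""
    req = build_offboard_request(machine_id, comment, token)
    if dry_run:
        return {"method": req.get_method(), "url": req.full_url,
                "body": json.loads(req.data)}
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)  # the service's JSON reply for the action


if __name__ == "__main__":
    # Constructed placeholder ID and token, dry run only (nothing is sent).
    print(offboard("EXAMPLE-DEVICE-ID", "Offboard machine by automation", "TOKEN"))
```

Review the dry-run output against the device inventory page before calling `offboard(..., dry_run=False)`.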
