Contact Sales

To contact our sales team, you can use the form below. Do not use this form for tickets or help desk, click here to create a ticket.

Synchronise and migrate users and workstation between on-prem AD, Entra ID, Google the easy way. Seamlessly Move devices between AD Joined, Hybrid and Entra Joined.
  • Create ticket
  • Home
  • Migration Agent

Offboarding Windows Defender for Endpoint (MDE) During Migration

How to properly package and execute the Microsoft Defender for Endpoint offboarding script within a PowerSyncPro Runbook.

Written by Jamie Richard

Updated at July 1st, 2026

Contact Sales

To contact our sales team, you can use the form below. Do not use this form for tickets or help desk, click here to create a ticket.

  • Getting Started
  • FAQs
  • API Documentation
  • Integrations
  • Migration Agent
  • Directory Synchronisation
  • Remote DC agent
  • Remote Password Sync Agent
  • Install and Configure
  • Support
  • Complex Expressions
+ More

Table of Contents

The Scenario The Two Challenges of MDE Offboarding 1. The 7-Day Script "Timebomb" 2. The Runbook "Hanging" Issue (Non-Interactive Session) The Solution: Using Input Redirection (< nul) Step-by-Step Configuration

The Scenario

When migrating workstations to a new Entra tenant, devices protected by Microsoft Defender for Endpoint (MDE / WDATP) must be offboarded from the source tenant before they can be successfully onboarded to the target tenant's security portal.

PowerSyncPro facilitates this by allowing administrators to attach a "Command Line Package" to the Startup phase of a migration Runbook. This package is a .zip file containing a cmdline.cmd wrapper and the payload script, which the PowerSyncPro Migration Agent automatically executes on the device.


The Two Challenges of MDE Offboarding

When utilizing PowerSyncPro to orchestrate the MDE offboarding process, administrators must navigate two specific challenges regarding the Microsoft-provided script:

1. The 7-Day Script "Timebomb"

For security reasons, the local offboarding script downloaded from the Microsoft 365 Defender portal is timebombed. The script will expire exactly 7 days after it is downloaded.

If you attempt to execute an expired script during a migration, the offboarding will fail. Therefore, you must generate, download, and package the offboarding script into your PowerSyncPro Runbook shortly before your scheduled migration batches begin.

2. The Runbook "Hanging" Issue (Non-Interactive Session)

By default, the PowerSyncPro Migration Agent executes cmdline.cmd as the local SYSTEM account in a completely non-interactive session (with no console and no logged-on user).

If you call the Microsoft offboarding script normally from within your wrapper, the runbook step will never complete. The PowerSyncPro logs will show that the offboarding script successfully ran, and the machine will actually be offboarded, but control is never returned to the PowerSyncPro Agent, leaving the migration process hung indefinitely. This occurs because the Microsoft script is secretly waiting for standard input (stdin) that can never be provided in a headless, non-interactive session.


The Solution: Using Input Redirection (< nul)

To prevent the migration from hanging, you must wrap the execution of the MDE offboarding script using standard input redirection (< nul). This explicitly feeds a null input to the script, instantly satisfying any hidden prompts and allowing the process to gracefully exit and return control to PowerSyncPro.

Step-by-Step Configuration

  1. Download the Script: Download the latest local offboarding script from the Microsoft Defender portal. (Remember, it is only valid for 7 days).
  2. Create the Wrapper: In the same folder as your downloaded script, create a new text file and name it cmdline.cmd.
  3. Add the Code: Edit cmdline.cmd and add the following lines. (Be sure to update the filename to match the exact name of the script you downloaded from Microsoft):
@echo off
call ".\WindowsDefenderATPOffboardingScript_valid_until_2026-07-02.cmd" < nul
exit /b %errorlevel%
  1. Package the Zip: Select both cmdline.cmd and the WindowsDefenderATPOffboardingScript_valid_until_2026-07-02.cmd file, right-click, and compress them into a .zip file.
  2. Attach to Runbook: In the PowerSyncPro admin portal, navigate to your Runbook's Startup tab and upload your newly created .zip file.

By using the < nul redirection technique, the MDE offboarding will complete silently in the background, and the PowerSyncPro Migration Agent will seamlessly proceed to the next phase of the workstation migration.

offboarding migration

Was this article helpful?

Yes
No
Give feedback about this article

Related Articles

  • Windows Hello for Business (WHfB) Considerations During Migration
  • Handling SCCM / MECM and Co-Management During Workstation Migrations
  • How-To Migrate Workgroup Joined Endpoints to AD / Entra

Subscribe to Newsletter

Drop your email in the box below to sign up. We promise to keep our updates relevant and useful – and we’ll never share your details.

PowerSyncPro's logo

PowerSyncPro is the ultimate product for easing the pain and frustration during mergers, acquisitions, divestitures, and consolidations.

Terms & Conditions

  • FAQs
  • Privacy Policy
  • Cookies
  • Anti Slavery Notice

PowerSyncPro

  • Case Studies
  • Contact sales
  • Marketplace
  • EULA

Get Connected

Room 73, Wrest House, Wrest Park, Silsoe, Bedford, England, MK45 4HR
info@powersyncpro.com

Twitter Youtube Linkedin

Expand