Offboarding Windows Defender for Endpoint (MDE) During Migration
How to properly package and execute the Microsoft Defender for Endpoint offboarding script within a PowerSyncPro Runbook.
The Scenario
When migrating workstations to a new Entra tenant, devices protected by Microsoft Defender for Endpoint (MDE / WDATP) must be offboarded from the source tenant before they can be successfully onboarded to the target tenant's security portal.
PowerSyncPro facilitates this by allowing administrators to attach a "Command Line Package" to the Startup phase of a migration Runbook. This package is a .zip file containing a cmdline.cmd wrapper and the payload script, which the PowerSyncPro Migration Agent automatically executes on the device.
The Two Challenges of MDE Offboarding
When utilizing PowerSyncPro to orchestrate the MDE offboarding process, administrators must navigate two specific challenges regarding the Microsoft-provided script:
1. The 7-Day Script "Timebomb"
For security reasons, the local offboarding script downloaded from the Microsoft 365 Defender portal is timebombed. The script will expire exactly 7 days after it is downloaded.
If you attempt to execute an expired script during a migration, the offboarding will fail. Therefore, you must generate, download, and package the offboarding script into your PowerSyncPro Runbook shortly before your scheduled migration batches begin.
2. The Runbook "Hanging" Issue (Non-Interactive Session)
By default, the PowerSyncPro Migration Agent executes cmdline.cmd as the local SYSTEM account in a completely non-interactive session (with no console and no logged-on user).
If you call the Microsoft offboarding script normally from within your wrapper, the runbook step will never complete. The PowerSyncPro logs will show that the offboarding script ran successfully, and the machine will actually be offboarded, but control is never returned to the PowerSyncPro Agent, leaving the migration process hung indefinitely. This occurs because the Microsoft script waits on standard input (stdin), and in a headless, non-interactive session that input can never be supplied.
The Solution: Using Input Redirection (< nul)
To prevent the migration from hanging, wrap the execution of the MDE offboarding script with standard input redirection (< nul). The script then reads from an empty input stream: any hidden prompt receives end-of-file immediately instead of blocking, so the process exits cleanly and returns control to PowerSyncPro.
Step-by-Step Configuration
- Download the Script: Download the latest local offboarding script from the Microsoft Defender portal. (Remember, it is only valid for 7 days.)
- Create the Wrapper: In the same folder as your downloaded script, create a new text file and name it cmdline.cmd.
- Add the Code: Edit cmdline.cmd and add the following lines. (Be sure to update the filename to match the exact name of the script you downloaded from Microsoft):

  @echo off
  call ".\WindowsDefenderATPOffboardingScript_valid_until_2026-07-02.cmd" < nul
  exit /b %errorlevel%

- Package the Zip: Select both cmdline.cmd and the WindowsDefenderATPOffboardingScript_valid_until_2026-07-02.cmd file, right-click, and compress them into a .zip file.
- Attach to Runbook: In the PowerSyncPro admin portal, navigate to your Runbook's Startup tab and upload your newly created .zip file.
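The wrapper above is the minimum that works. The following cmdline.cmd variant is an added example, not PowerSyncPro's or Microsoft's own code: it addresses both challenges from this article by refusing to run an offboarding script whose expiry date has already passed (so the 7-day timebomb fails the runbook step loudly instead of silently), and by running the script with < nul and logging its exit code. It assumes the offboarding script sits beside cmdline.cmd and keeps Microsoft's valid_until_YYYY-MM-DD filename suffix as its expiry marker, and that powershell.exe is available on the device; the log path under %ProgramData% is a placeholder chosen for this example.

```bat
@echo off
setlocal
REM Added example wrapper (not PowerSyncPro's or Microsoft's own code).
REM Assumes the offboarding script sits beside cmdline.cmd and keeps the
REM "valid_until_YYYY-MM-DD" suffix that Microsoft puts in its filename.
set "LOG=%ProgramData%\MDEOffboard.log"
set "SCRIPT="

REM Locate the offboarding script without hard-coding its dated filename
pushd "%~dp0"
for %%F in (WindowsDefenderATPOffboardingScript_valid_until_*.cmd) do set "SCRIPT=%%~fF"
popd

if not defined SCRIPT (
    echo [%DATE% %TIME%] ERROR: no offboarding script found next to cmdline.cmd >>"%LOG%"
    exit /b 2
)

REM Pull the expiry date out of the filename: the last 10 characters before .cmd
for %%F in ("%SCRIPT%") do set "NAME=%%~nF"
set "VALID_UNTIL=%NAME:~-10%"

REM cmd date handling is locale-dependent, so let PowerShell do the comparison.
REM It exits 1 when the expiry date is already in the past.
powershell -NoProfile -Command ^
  "if ([datetime]::ParseExact('%VALID_UNTIL%','yyyy-MM-dd',$null) -lt (Get-Date).Date) { exit 1 }; exit 0"
if errorlevel 1 (
    echo [%DATE% %TIME%] ERROR: date check failed or script expired on %VALID_UNTIL%; download a fresh copy >>"%LOG%"
    exit /b 3
)

echo [%DATE% %TIME%] Running %SCRIPT% >>"%LOG%"
REM Redirect stdin from nul so the script's hidden prompt gets EOF instead of blocking
call "%SCRIPT%" < nul
set "RC=%errorlevel%"
echo [%DATE% %TIME%] Offboarding script exited with code %RC% >>"%LOG%"
endlocal & exit /b %RC%
```

Because the agent runs this as SYSTEM with no console, the log file is the only place the outcome is visible on the device; a non-zero exit code surfaces in the runbook as a failed step rather than a hang, which is the behaviour you want when a batch was packaged with a stale script.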
By using the < nul redirection technique, the MDE offboarding will complete silently in the background, and the PowerSyncPro Migration Agent will seamlessly proceed to the next phase of the workstation migration.