We're trying to configure Microsoft Defender for our Intune devices, and the Org ID viewable on security.microsoft.com's Settings > Microsoft Defender XDR does not match the Org ID found when running Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status". This has happened to two of our autopilot laptops, and they both end up with the same Org ID. It just doesn't match the OrgID we want it to, and therefore doesn't get the policies we're trying to configure as Intune can't determine the "Risk factor" of the device.

Can someone help me determine where these laptops are getting this other OrgID from so that we can put a stop to it?

• We don't have any scripts configured on Intune, just two that were included from Microsoft; "Restart stopped Office C2R srv" (disabled) and "Update stale Group Policies" (enabled).

• We tried changing the OrgID manually by turning off the connector from Intune to Defender, so that the devices didn't get enrolled into Defender automatically. Then downloaded and ran an offboarding script, re-enabled the connector, and then Intune detected a device not enrolled with Defender and enrolled it appropriately with the correct OrgID. But then after one restart, the OrgID changed back to the same unrecognised one.