James_Gillies
Apr 27, 2021 Brass Contributor
MUST be able to delete duplicate/orphaned devices from M365 Security Center
Good morning, I am about 2-3 weeks into evaluating Microsoft Defender for Endpoint, and so far have about 4 Windows 10 devices onboarded and managed through InTune policies. One of the test m...
Thijs Lecomte
Jun 21, 2021 Bronze Contributor
AFAIK, TVM data only includes data from computers that have been active in the last 30 days.
Microsoft doesn't provide the ability to remove devices because it's extremely dangerous. If an attacker got permissions on your cloud instances, he could remove all his tracks. The devices are retained for forensic purposes.
The best option is to tag an offboarded machine and create an 'Inactive' machine group for it.
GI472
Aug 24, 2021 Brass Contributor
In Device Inventory, all of the data associated with a machine is shown, except for DeviceID, which only shows on a .csv export. Very annoying.
We have a number of inactive devices, all with different DeviceIDs but the same DeviceName. This way I can tell that the devices are different. I can also go off of the Last Seen dates, as the latest date is obviously the current Active device. I find this issue arises after a device has been reimaged and reissued to another user.
I tried tagging an inactive device, but unless I'm missing something, tags and DeviceID don't show in the Security Recommendations Window or the .csv download of Exposed Devices either. So there's no way of knowing whether the alerts are for a duplicate device, or the current Active device.
I started off trying to fix issues with over 20 devices not being able to contact Defender. I then realised there were duplicates of reimaged devices. I then realised that one of those was a genuine issue with connection. Something I very nearly missed.
This isn't a feature, it's a glitch. It needs fixing.
- Thijs Lecomte
Aug 26, 2021 Bronze Contributor
I am not sure I understand the issue?
You can tag the device and create a machine group based on that tag. Within device inventory, you can then filter out the inactive machine group.
If old entries of devices that are reimaged would be removed, the old data of the device would be lost. That's a huge security risk?
- GI472
Aug 26, 2021 Brass Contributor
The issue is that the TVM only shows device name, so you can't tell if the security recommendation is for a current or old device. It should just show the tags you applied in device inventory rather than just device name. I know you can tag and add to a machine group, but this seems like more effort than needs be.
- Thijs Lecomte
Aug 30, 2021 Bronze Contributor
TVM only takes into account devices which have been active in the last 30 days. So this shouldn't be that big of an issue IMO?
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tvm-security-recommendation?view=o365-worldwide#security-recommendations-overview
If it is, creating the machine group is your only option.
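
An added example, not part of the thread and not Microsoft code: one way to work through a device inventory .csv export, find device names that map to several DeviceIDs, and list the older records to tag as inactive, flagging any that were still active inside the 30-day window mentioned in the thread. The column names `DeviceId`, `DeviceName` and `LastSeen` and the sample rows are assumptions constructed for illustration; match them to the headers in your own export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a device inventory .csv export. The column names
# (DeviceId, DeviceName, LastSeen) are assumptions; match them to your export.
SAMPLE_EXPORT = """DeviceId,DeviceName,LastSeen
aaa111,laptop-01,2021-08-20T09:00:00
bbb222,laptop-01,2021-08-05T14:30:00
ccc333,laptop-01,2021-05-02T08:15:00
ddd444,laptop-02,2021-08-23T11:00:00
"""

TVM_WINDOW = timedelta(days=30)  # activity window mentioned in the thread


def find_stale_duplicates(csv_text, now):
    """Return the older records for names that have more than one DeviceId.

    The record with the newest LastSeen per name is treated as the current
    device; every other DeviceId is reported as a candidate for tagging.
    """
    by_name = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen = datetime.fromisoformat(row["LastSeen"])
        by_name[row["DeviceName"].strip().lower()].append((seen, row["DeviceId"]))

    stale = []
    for name, records in sorted(by_name.items()):
        if len({dev_id for _, dev_id in records}) < 2:
            continue  # a single DeviceId: nothing to disambiguate
        records.sort(reverse=True)  # newest LastSeen first
        current_id = records[0][1]
        for seen, dev_id in records[1:]:
            if dev_id == current_id:
                continue  # repeated row for the current device
            stale.append({
                "DeviceName": name,
                "StaleDeviceId": dev_id,
                "CurrentDeviceId": current_id,
                "LastSeen": seen.isoformat(),
                # True: active recently enough to share a name in recent data
                "WithinTvmWindow": now - seen <= TVM_WINDOW,
            })
    return stale


if __name__ == "__main__":
    for entry in find_stale_duplicates(SAMPLE_EXPORT, datetime(2021, 8, 24)):
        print(entry)
```

Records reported with `WithinTvmWindow` set to true are the ones most likely to be confused with the current device, so they are the first to tag and move into the inactive machine group.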