Event details
Context: Active Directory / Entra hybrid joined environment with E5 licenses, MDE and Autopilot used to onboard devices. Currently when we onboard devices they create duplicates in both Entra and MDE. But at least in Entra the duplicate devices wind up with the same device name. But when the duplicate devices show up in MDE their name begins with the generic "Desktop-*****", which I then need to constantly verify via reverse lookup using their MAC address and then follow the next step of excluding these from MDE as duplicates.
Please advise. Thanks.
Hi stdcsb - What you’re seeing is known Hybrid + Autopilot behavior, not a misconfiguration. From Defender’s point of view, MDE ingests telemetry before the final rename / hybrid join completes and the initial Windows-generated name (Desktop-xxxxx) is what Defender sees first. When the device later renames and hybrid‑joins, MDE creates a second record. Entra eventually reconciles this, but Defender preserves both instances.
Even though you cannot fully eliminate the duplicates, there are some ways to address this behavior. For instance, you can leverage Hardware UUID as the key identifier, as it will be the same for both entries. Defender, Entra, and Intune all expose that value. You can also create rules to exclude the inactive/older Desktop-xxxx devices within Vulnerability Management and set up rules to reduce the noise from alerts related to them.
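As an added example (not code from this thread or from Microsoft), the Python below shows the correlation step the answer describes: grouping device-inventory records by hardware UUID and flagging the older Desktop-* entry of each pair for exclusion, while leaving a lone Desktop-* record alone because it may simply not have hybrid-joined yet. The record layout, field names, UUIDs and timestamps are constructed assumptions, not the real MDE export schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records standing in for a device-inventory export.
# Field names and values are assumptions for this example, not MDE's schema.
DEVICES = [
    {"name": "DESKTOP-7K2P1QA", "hardware_uuid": "uuid-aaaa", "last_seen": "2024-03-01T08:00:00"},
    {"name": "LT-FIN-0412",     "hardware_uuid": "uuid-aaaa", "last_seen": "2024-03-20T16:30:00"},
    {"name": "DESKTOP-B91XZ3Q", "hardware_uuid": "uuid-bbbb", "last_seen": "2024-03-19T10:00:00"},
    {"name": "LT-HR-0099",      "hardware_uuid": "uuid-bbbb", "last_seen": "2024-03-21T09:15:00"},
    {"name": "DESKTOP-NEWBOX1", "hardware_uuid": "uuid-cccc", "last_seen": "2024-03-21T12:00:00"},
]


def is_generic_name(name):
    """True for the Windows-generated DESKTOP-xxxxx style name."""
    return name.upper().startswith("DESKTOP-")


def find_stale_duplicates(devices):
    """Group records by hardware UUID and return the entries to exclude.

    For each UUID with more than one record the most recently seen record is
    kept and every other record is reported.  A record is marked needs_review
    when the one being excluded is NOT the generic Desktop-* name, i.e. the
    renamed, hybrid-joined record is the stale one, which is worth a manual look.
    Single records (such as uuid-cccc above) are never reported.
    """
    by_uuid = defaultdict(list)
    for dev in devices:
        by_uuid[dev["hardware_uuid"]].append(dev)

    stale = []
    for uuid, group in by_uuid.items():
        if len(group) < 2:
            continue
        group.sort(key=lambda d: datetime.fromisoformat(d["last_seen"]), reverse=True)
        keep, *others = group
        for dev in others:
            stale.append({
                "hardware_uuid": uuid,
                "exclude": dev["name"],
                "keep": keep["name"],
                "needs_review": not is_generic_name(dev["name"]),
            })
    return stale


if __name__ == "__main__":
    for row in find_stale_duplicates(DEVICES):
        print(row)
```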