Hi stdcsb - What you’re seeing is known Hybrid + Autopilot behavior, not a misconfiguration. From Defender’s point of view, MDE ingests telemetry before the final rename / hybrid join completes and the initial Windows-generated name (Desktop-xxxxx) is what Defender sees first. When the device later renames and hybrid‑joins, MDE creates a second record. Entra eventually reconciles this, but Defender preserves both instances.
Even though you cannot fully eliminate the duplicates, there are some ways to address this behavior. For instance, you can leverage Hardware UUID as the key identifier as it will be the same for both entries. Defender, Entra, and Intune all expose that value. You can also create rules to exclude the inactive/older Desktop-xxxx devices within Vulnerability Management and set up rules to reduce the noise from alerts related to them.
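The hardware-UUID correlation suggested in the reply above, as an added example that is not part of the original thread and is not Microsoft tooling. It separates placeholder-named records that a renamed record with the same UUID has superseded from placeholder-named records with no match, which still need investigation. The field names and sample rows are constructed assumptions; map them to whatever your device inventory export provides.

```python
import re
from collections import defaultdict
from datetime import datetime

# Windows-generated name that appears before the Autopilot rename completes.
PLACEHOLDER = re.compile(r"^DESKTOP-[A-Z0-9]+$", re.IGNORECASE)

# Constructed sample inventory rows (hypothetical field names and values).
DEVICES = [
    {"device_id": "a1", "name": "DESKTOP-7F3K2QP",
     "hardware_uuid": "4C4C4544-0000-1111-2222-AAAAAAAAAAAA", "last_seen": "2024-05-01T09:12:00"},
    {"device_id": "a2", "name": "CORP-LT-0042",
     "hardware_uuid": "4c4c4544-0000-1111-2222-aaaaaaaaaaaa", "last_seen": "2024-05-20T14:30:00"},
    {"device_id": "b1", "name": "CORP-LT-0043",
     "hardware_uuid": "4C4C4544-0000-1111-2222-BBBBBBBBBBBB", "last_seen": "2024-05-21T08:00:00"},
    {"device_id": "c1", "name": "DESKTOP-9ZZ1ABC",
     "hardware_uuid": "4C4C4544-0000-1111-2222-CCCCCCCCCCCC", "last_seen": "2024-05-19T11:45:00"},
    {"device_id": "d1", "name": "DESKTOP-NOUUID1",
     "hardware_uuid": "", "last_seen": "2024-05-18T10:00:00"},
]


def triage(devices):
    """Return (stale_duplicates, unmatched_placeholders) as sorted device_id lists."""
    by_uuid = defaultdict(list)
    for d in devices:
        # Normalise case and whitespace so the same UUID from different portals matches.
        by_uuid[d["hardware_uuid"].strip().lower()].append(d)

    stale, unmatched = [], []
    for uuid, group in by_uuid.items():
        renamed = [d for d in group if not PLACEHOLDER.match(d["name"])]
        for p in (d for d in group if PLACEHOLDER.match(d["name"])):
            seen = datetime.fromisoformat(p["last_seen"])
            # Superseded only if the UUID is present and a renamed record with
            # the same UUID has reported at or after the placeholder's last report.
            superseded = bool(uuid) and any(
                datetime.fromisoformat(r["last_seen"]) >= seen for r in renamed
            )
            (stale if superseded else unmatched).append(p["device_id"])
    return sorted(stale), sorted(unmatched)


if __name__ == "__main__":
    stale, unmatched = triage(DEVICES)
    print("Superseded placeholder records (exclusion candidates):", stale)
    print("Placeholder records with no renamed match (investigate):", unmatched)
```

Records with an empty UUID are never treated as duplicates, so a device that cannot be correlated stays on the investigation list.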
Thank you for confirming this is not a misconfiguration issue. However, this undocumented feature initially resulted in an inordinate loss of time while trying to determine the source of these potential rogue devices showing up on our network. I even opened a case with Microsoft Support, who went round in circles and never got anywhere. I eventually just gave up and only began to suspect the behavior correlated with Autopilot over time. It would be greatly appreciated if this issue was highlighted in the onboarding documentation.