I have recently been going through the security recommendations on machines to try and bring our exposure score down.
I realise that inactive machines are counted against the score because they could still exhibit the same configuration flaws in their dormant state, which will need addressing. I have noticed, however, that when there is a new instance of a machine which is now active, say after an upgrade or re-image, the inactive version that still resides in the list due to the data retention policy is also counted against the exposure score. The inactive machine contains the old security recommendations that have now been fixed by the upgrade.
Can MS allow us to toggle off these old machines if there is a newer version in the list?