I have an issue with duplicate devices in Defender, which I have now found out is a feature. When devices are reimaged for reissue, the old machine stays on the list in the Device Inventory for a period of time. I have a couple of questions though, and I'm hoping someone can help!
The duplicate devices have a different DeviceID but they all have the same DeviceName. Can anyone tell me if there is a way to show the DeviceID in the Device Inventory screen in Defender? Maybe a filter or something? I only found out about this when I hit export on the Device Inventory list and saw the extra column. It would be helpful to see the DeviceID on screen rather than have to export to .csv.
Does anyone know where the DeviceID is sourced from? Is it Azure AD, AD, or just a Defender thing? It would be good to know this, so that I can check the source and confirm that the devices I think are current really are.
Lastly, the duplicates are impacting our Security Recommendations. I spent a couple of weeks looking at patching devices that are actually old images. I can tag these devices in the Device Inventory as DuplicateDevice or something similar, but these tags are not transmitted over to Security Recommendations (why not?!?). I have read about machine groups and adding these devices to a DuplicateDevice group, but this seems to be a bit long-winded. Is there an easier way to move tags from Device Inventory so that they also show in the Security Recommendations section?