Apr 27 2021 01:46 AM - edited Apr 27 2021 02:14 AM
Good morning,
I am about 2-3 weeks into evaluating Microsoft Defender for Endpoint, and so far have about 4 Windows 10 devices onboarded and managed through Intune policies.
One of the test machines was a fairly fresh build (1903) of Windows 10 when it was onboarded. As such it generated over 900+ vulnerabilities in TVM. However, during the course of the next day or two, as it got itself patched all the way to 20H2, it then for some reason generated a duplicate device in the M365 portal - with exactly the same Device AAD id. Currently both the "old" and "new" devices are showing as Active 5 days later.
So first of all, this is a nightmare that the duplicate device was created in the first place with the same Device AAD id - so what happens when one of my customer's networks gets upgraded with 500 Windows 10 devices from version X to 20H2 - are there going to be 500 duplicate devices created???
I read lots of articles yesterday about people seeing this issue as far back as 2018 where they just need to be able to lance out a given machine or machine(s) for whatever reason from the database to keep everything tidy. I spent hours looking for a solution.
We have a 180 day Retention period set. I'm not waiting 6 months for my database to clean itself up due to a bug in the platform, you've got to be kidding! Given that this has happened after only onboarding 4 devices it's not leaving a good taste in my mouth. And how do I explain this to my customers????
The real problem however is the severe impact this has on the TVM reporting. As I mentioned, the machine patched itself without issue all the way to 20H2, as such all 900+ vulnerabilities have been addressed - like literally *all* of them.
However, when I look at any Dashboard in Threat & Vulnerability Management the stats are all completely skewed due to this device's statistics still being accounted for.
Given the VALUE of the TVM data, which I think is BRILLIANT - to have the CONTEXT skewed due to this duplicate device bug, but most importantly the lack of basic functionality to remove an orphaned machine to tidy things up, is completely unacceptable. As the Administrator of my own estate (and my customers' estates) I should be able to have the final say in terms of a judgement call on what devices should be listed in the portal. Waiting for a device to be Inactive for 6 months to have its clean-up routine run by the platform automatically isn't acceptable.
The Offboarding script workaround I've been reading about isn't going to cut it either, so please don't suggest it. I tried it using the API explorer method and running the local Offboarding script on said machine yesterday. Neither method worked, as both devices 18 hours later are still showing in the portal. This method also doesn't account for machines that (for whatever reason) will not be able to contact the portal to Check In and receive the Offboarding command. (Lost device, test device, corrupt device, BYOD - the list goes on)
So...... Microsoft - please, please, please, please - can we get a Delete button against the device actions menu so that we can clean up our estate and keep our TVM figures accurate - otherwise, what is the point of any of the statistics and recommendations displayed if you can't/have already acted on them??
So when senior management ask, "What's our posture?", the answer would unfortunately still be, "Dunno."
Thank you.
Apr 30 2022 12:14 PM
@Abdul Farooque There is now an exclude device option that you can use on duplicate devices. Not perfect, but it is something (And duplicate device is a reason code, so MS does know this can be an issue)
Sep 16 2022 06:56 AM
Here to add that I have this same issue: I have 1 MacBook that has 50+ entries in TVM and I cannot delete it.
Jul 17 2023 01:15 AM - edited Jul 17 2023 06:01 AM
I found the option to exclude devices, but can this be done by script? Is there an API for that?