Microsoft Tech Community
SOLVED

MUST be able to delete duplicate/orphaned devices from M365 Security Center

Brass Contributor

Good morning,

 

I am about 2-3 weeks into evaluating Microsoft Defender for Endpoint, and so far have about 4 Windows 10 devices onboarded and managed through InTune policies.

 

One of the test machines was a fairly fresh build (1903) of Windows 10 when it was onboarded. As such it generated over 900+ vulnerabilities in TVM. However, during the course of the next day or two as it got itself patched all the way to 20H2 it then for some reason generated a duplicate device in the M365 portal - with exactly the same Device AAD id - currently both the "old" and "new" devices are showing as Active 5 days later.

 

So first of all, this a nightmare that the duplicate device was created in the first place with the same Device AAD id - so what happens when one of my customer's networks gets upgraded with 500 Windows 10 devices from version X to 20H2 - are there going to be 500 duplicate devices created???

 

I read lots of articles yesterday about people seeing this issue as far back as 2018 where they just need to be able to lance out a given machine or machines for whatever reason from the database to keep everything tidy. I spent hours looking for a solution.

 

We have a 180 day Retention period set. I'm not waiting 6 months for my database to clean itself up due to a bug in the platform, you've got to be kidding! Given that this has happened after only onboarding 4 devices it's not leaving a good taste in my mouth. And how do I explain this to my customers????

 

The real problem however is the severe impact this has on the TVM reporting. As I mentioned, the machine patched itself without issue all the way to 20H2, as such all 900+ vulnerabilities have been addressed - like literally *all* of them.

 

However, when I look at any Dashboard in Threat & Vulnerability Management the stats are all completely skewed due to this device's statistics still being accounted for.

 

Given the VALUE of the TVM data, which I think is BRILLIANT - to have the CONTEXT skewed due to this duplicate device bug but most importantly the lack of basic functionality to remove an orphaned machine to tidy things up is completely unacceptable. As the Administrator of my own estate (and my customers' estates) I should be able to have the final say in terms of a judgement call on what devices should be listed in the portal. Waiting for a device to be Inactive for 6 months to have its clean-up routine run by the platform automatically isn't acceptable.

 

The Offboarding script workaround I've been reading about isn't going to cut it either, so please don't suggest it. I tried it using the API explorer method and running the local Offboarding script on said machine yesterday. Neither method worked as both devices 18 hours later are still showing in the portal. This method also doesn't account for machines that (for whatever reason) will not be able to contact the portal to Check In and receive the Offboarding command. (Lost device, test device, corrupt device, BYOD - the list goes on)

 

So...... Microsoft - please, please, please, please - can we get a Delete button against the device actions menu so that we can clean up our estate and keep our TVM figures accurate - otherwise, what is the point of any of the statistics and recommendations displayed if you can't/have already acted on them??

 

So when senior management ask, "What's our posture?" the answer would unfortunately still be, "Dunno."

 

Thank you.

18 Replies
I second this. Should be a very simple feature in order to clean up and manage our organization's own devices/assets in the Defender portal.
I came here to say just this. I can't fathom how I'm supposed to manage our security posture with this product? I thought I must have been doing something wrong or missing something, since I wasn't able to simply remove a stale device from my portal without going through an offboarding process that is so limited in the possibility of success that I can't even believe it's offered as the solution (along with waiting 180 days for the DB to be cleaned)
best response confirmed by James_Gillies (Brass Contributor)
Solution
AFAIK, TVM data only includes data from computers that have been active in the last 30 days.

Microsoft doesn't provide the ability to remove devices because it's extremely dangerous. If an attacker would get permissions on your cloud instances, he could remove all his tracks. The devices are retained for forensic purposes.

Best option is to tag an offboarded machine and create an 'Inactive' machine group for it
Hey Thijs,

Yes in fact, this is exactly what I did. I created a new Machine Group called "Orphaned Machines" and a corresponding Tag for it. I then created a new Automatic Remediation rule (for that Tag) and moved it to "Rank 1" so that my Auto-Remediation policies don't touch them. (As a machine may have multiple Tags attached to it)

Thanks very much, James
In Device Inventory, all of the data associated with a machine is shown, except for DeviceID, which only shows on a .csv export. Very annoying.

We have a number of inactive devices, all with different DeviceIDs but the same DeviceName. This way I can tell that the devices are different. I can also go off of the Last Seen dates, as the latest date is obviously the current Active device. I find this issue arises after a device has been reimaged and reissued to another user.

I tried tagging an inactive device, but unless I'm missing something, tags and DeviceID don't show in the Security Recommendations Window or the .csv download of Exposed Devices either. So there's no way of knowing whether the alerts are for a duplicate device, or the current Active device.

I started off trying to fix issues with over 20 devices not being able to contact Defender. I then realised there were duplicates of reimaged devices. I then realised that one of those was a genuine issue with connection. Something I very nearly missed.

This isn't a feature, it's a glitch. It needs fixing.
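Two of the replies above describe the same manual workflow: spot the device records that share a hostname (or, in the original post's case, the same AAD device id), treat the one with the latest Last Seen date as the live device, and tag the rest so an "Orphaned Machines" group keeps them out of remediation and dashboards. The following is an added example, not code from any post in this thread or from Microsoft. It assumes the documented shape of the Defender for Endpoint "List machines" API response (`id`, `computerDnsName`, `aadDeviceId`, `lastSeen`, `healthStatus`) and the "Add or remove machine tags" API (`POST /api/machines/{id}/tags` with `{"Value": ..., "Action": "Add"}`); the inventory below is constructed sample data, and by default the script only builds the tag requests without sending them.

```python
"""Find likely duplicate Defender for Endpoint device records and tag the stale ones.

Added example; not code from the thread or from Microsoft. The inventory below is
constructed, and nothing is sent to the API unless send=True and a token is given.
"""
import json
import urllib.request
from collections import defaultdict
from datetime import datetime, timezone

API_BASE = "https://api.securitycenter.microsoft.com/api"
ORPHAN_TAG = "Orphaned Machines"  # tag name James used in the thread

# Constructed sample: field names follow the List machines API, values are made up.
SAMPLE_MACHINES = [
    # The original post's case: same AAD device id, two records, both "Active".
    {"id": "aaaa0001", "computerDnsName": "lt-test-01", "aadDeviceId": "1111-aaaa-0001",
     "lastSeen": "2021-05-10T08:00:00Z", "healthStatus": "Active"},
    {"id": "aaaa0002", "computerDnsName": "lt-test-01", "aadDeviceId": "1111-aaaa-0001",
     "lastSeen": "2021-05-14T09:30:00Z", "healthStatus": "Active"},
    # The reimaged case: same hostname, different AAD device ids.
    {"id": "bbbb0001", "computerDnsName": "ws-reimaged-07", "aadDeviceId": "2222-bbbb-0001",
     "lastSeen": "2021-01-03T12:00:00Z", "healthStatus": "Inactive"},
    {"id": "bbbb0002", "computerDnsName": "ws-reimaged-07", "aadDeviceId": "3333-bbbb-0002",
     "lastSeen": "2021-05-13T16:45:00Z", "healthStatus": "Active"},
    # A device with no duplicate; must not be touched.
    {"id": "cccc0001", "computerDnsName": "srv-unique", "aadDeviceId": "4444-cccc-0001",
     "lastSeen": "2021-05-14T07:15:00Z", "healthStatus": "Active"},
]


def _parse_last_seen(value):
    """Parse the API's ISO-8601 UTC timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_stale_duplicates(machines):
    """Return the older records among devices that share a hostname.

    The newest lastSeen in each hostname group is treated as the live device, as the
    thread suggests; every other record is reported as stale, with a reason noting
    whether its AadDeviceId also matches the live record (the stronger signal).
    """
    groups = defaultdict(list)
    for m in machines:
        groups[m["computerDnsName"].lower()].append(m)

    stale = []
    for records in groups.values():
        if len(records) < 2:
            continue
        records.sort(key=lambda m: _parse_last_seen(m["lastSeen"]), reverse=True)
        live, older = records[0], records[1:]
        for m in older:
            same_aad = bool(m.get("aadDeviceId")) and m.get("aadDeviceId") == live.get("aadDeviceId")
            stale.append({
                "id": m["id"],
                "computerDnsName": m["computerDnsName"],
                "lastSeen": m["lastSeen"],
                "healthStatus": m["healthStatus"],
                "keptId": live["id"],
                "reason": ("same AadDeviceId as live record" if same_aad
                           else "same hostname, different AadDeviceId (likely reimaged)"),
            })
    return stale


def build_tag_request(machine_id, tag=ORPHAN_TAG):
    """URL and JSON body for the 'Add or remove machine tags' API."""
    return f"{API_BASE}/machines/{machine_id}/tags", {"Value": tag, "Action": "Add"}


def apply_tags(stale, token=None, send=False):
    """Build one tag request per stale record; only POST them when send=True."""
    requests_made = []
    for m in stale:
        url, body = build_tag_request(m["id"])
        requests_made.append((url, body))
        if send:
            req = urllib.request.Request(
                url, data=json.dumps(body).encode(), method="POST",
                headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
            with urllib.request.urlopen(req) as resp:
                resp.read()
    return requests_made


if __name__ == "__main__":
    stale = find_stale_duplicates(SAMPLE_MACHINES)
    for m in stale:
        print(f'{m["computerDnsName"]:16} {m["id"]}  last seen {m["lastSeen"]}  -> {m["reason"]}')
    for url, body in apply_tags(stale):  # dry run: nothing is sent
        print("POST", url, json.dumps(body))
```

Run against the real tenant, the list would come from `GET {API_BASE}/machines` with a token that has `Machine.ReadWrite.All`, and the dry-run output is worth reviewing before passing `send=True`: the hostname heuristic cannot distinguish a reimaged device from two genuinely different machines that were given the same name, which is the same ambiguity the posts above complain about in the Security Recommendations view.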
I am not sure I understand the issue?
You can tag the device and create a machine group based on that tag. Within device inventory, you can then filter out the inactive machine group.

If old entries of devices that are reimaged would be removed, the old data of the device would be lost. That's a huge security risk?
The issue is that the TVM only shows device name, so you can't tell if the security recommendation is for a current or old device. It should just show the tags you applied in device inventory rather than just device name. I know you can tag and add to a machine group, but this seems like more effort than needs be.
TVM only takes into account devices which have been active in the last 30 days. So this shouldn't be that big of an issue IMO?
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tvm-security-recommendatio...
If it is, creating the machine group is your only option
I can't believe in 2022 this still isn't a thing. All the other major EDR vendors allow this function.
To suggest we filter around the absence of a basic function is absurd.
Can we get this basic functionality on the development roadmap?
This is still a bug and needs a fix.

@Abdul Farooque There is now an exclude device option that you can use on duplicate devices. Not perfect, but it is something (And duplicate device is a reason code, so MS does know this can be an issue)

Unbelievable that this bug / feature still exists here! There must be an ability to manually remove stale devices from the Security portal Device Inventory. Filtering out and using some sort of device tags and groups just sounds like a workaround in my opinion and unnecessary work. I don't understand how deleting devices can be a security issue for real. This just sounds like something that MS doesn't care to fix. I'm having a hard time explaining this to my customers because I've seen multiple solutions by different vendors and there is this simple feature in place.
And I will reply to myself and add that if preventing deleting devices is part of the security plan then it should be done differently. There should be a way to delete devices, but they could go to some sort of deleted devices archive for X amount of time and you cannot delete them from there even with GA rights.

Here to add that I have this same issue. I have 1 MacBook that has 50+ entries in TVM and I cannot delete it.

It's 2023 and this is still broken. I'd pay good money to listen in on a design call, just to know how hard they must be laughing at the end user.
Sitting with the same issue. I have computers showing Intune config issues on my dashboard, but they are all duplicate PCs. Filtering them out is not an acceptable solution. I do understand that they want to keep an audit trail if an attacker gets access to your system, but then make the system more secure and less frustrating.

I found the exclude devices option, but can this be done by script? Is there an API for that?
