SOLVED

MUST be able to delete duplicate/orphaned devices from M365 Security Center

Good morning,

I am about 2-3 weeks into evaluating Microsoft Defender for Endpoint, and so far have about 4 Windows 10 devices onboarded and managed through Intune policies.

One of the test machines was a fairly fresh build (1903) of Windows 10 when it was onboarded. As such it generated over 900+ vulnerabilities in TVM. However, during the course of the next day or two, as it got itself patched all the way to 20H2, it then for some reason generated a duplicate device in the M365 portal, with exactly the same Device AAD id. Currently both the "old" and "new" devices are showing as Active 5 days later.

So first of all, it is a nightmare that the duplicate device was created in the first place with the same Device AAD id. So what happens when one of my customers' networks gets upgraded with 500 Windows 10 devices from version X to 20H2? Are there going to be 500 duplicate devices created???

I read lots of articles yesterday about people seeing this issue as far back as 2018, where they just need to be able to lance out a given machine or machine(s) for whatever reason from the database to keep everything tidy. I spent hours looking for a solution.

We have a 180 day Retention period set. I'm not waiting 6 months for my database to clean itself up due to a bug in the platform, you've got to be kidding! Given that this has happened after only onboarding 4 devices, it's not leaving a good taste in my mouth. And how do I explain this to my customers????

The real problem however is the severe impact this has on the TVM reporting. As I mentioned, the machine patched itself without issue all the way to 20H2, as such all 900+ vulnerabilities have been addressed - like literally *all* of them.

However, when I look at any Dashboard in Threat & Vulnerability Management the stats are all completely skewed due to this device's statistics still being accounted for.

Given the VALUE of the TVM data, which I think is BRILLIANT, to have the CONTEXT skewed due to this duplicate device bug, but most importantly the lack of basic functionality to remove an orphaned machine to tidy things up, is completely unacceptable. As the Administrator of my own estate (and my customers' estates) I should be able to have the final say in terms of a judgement call on what devices should be listed in the portal. Waiting for a device to be Inactive for 6 months to have its clean-up routine run by the platform automatically isn't acceptable.

The Offboarding script workaround I've been reading about isn't going to cut it either, so please don't suggest it. I tried it using the API explorer method and running the local Offboarding script on said machine yesterday. Neither method worked, as both devices 18 hours later are still showing in the portal. This method also doesn't account for machines that (for whatever reason) will not be able to contact the portal to Check In and receive the Offboarding command. (Lost device, test device, corrupt device, BYOD - the list goes on.)

So...... Microsoft - please, please, please, please - can we get a Delete button against the device actions menu so that we can clean up our estate and keep our TVM figures accurate? Otherwise, what is the point of any of the statistics and recommendations displayed if you can't act on them, or have already acted on them??

So when senior management ask, "What's our posture?", the answer would unfortunately still be, "Dunno."

Thank you.

5 Replies
I second this. Should be a very simple feature in order to clean up and manage our organization's own devices/assets in the Defender portal.
I came here to say just this. I can't fathom how I'm supposed to manage our security posture with this product. I thought I must have been doing something wrong or missing something, since I wasn't able to simply remove a stale device from my portal without going through an offboarding process that is so limited in the possibility of success that I can't even believe it's offered as the solution (along with waiting 180 days for the DB to be cleaned).
Can you refer to the following? https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058
best response confirmed by James_Gillies (New Contributor)
Solution
AFAIK, TVM data only includes data from computers that have been active in the last 30 days.

Microsoft doesn't provide the ability to remove devices because it's extremely dangerous. If an attacker were to get permissions on your cloud instances, he could remove all his tracks. The devices are retained for forensic purposes.

Best option is to tag an offboarded machine and create an 'Inactive' machine group for it.
Hey Thijs,

Yes, in fact this is exactly what I did. I created a new Machine Group called "Orphaned Machines" and a corresponding Tag for it. I then created a new Automatic Remediation rule (for that Tag) and moved it to "Rank 1" so that my Auto-Remediation policies don't touch them. (As a machine may have multiple Tags attached to it.)

Thanks very much, James
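Editor's added example (not code from the thread or from Microsoft): the tagging workaround that Thijs suggests and James describes above, scripted against the Defender for Endpoint public API so it scales past four test devices. The script lists all device records, groups them by the Azure AD device id (the field that was identical on both records in the original post), treats every record except the most recently seen one as a stale twin, and applies a tag to it. The tag name "Orphaned Machines" is taken from James's reply; the app registration, tenant id and secret are assumptions, and the app needs the WindowsDefenderATP application permissions Machine.Read.All and Machine.ReadWrite.All. Creating the device group scoped to that tag, ranking it first and setting its automation level are portal steps with no public API, so they are not in the script.

```powershell
# Added example, not from the thread. Tags stale duplicate MDE device records
# (same aadDeviceId, older lastSeen) so a portal device group scoped to the tag
# can exclude them from automated remediation and from skewed TVM dashboards.
# Assumed inputs: a tenant id, an app registration id and client secret for an
# app granted Machine.Read.All + Machine.ReadWrite.All on WindowsDefenderATP.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $AppId,
    [Parameter(Mandatory)] [string] $AppSecret,
    [string] $Tag = 'Orphaned Machines',   # tag name from James's reply
    [switch] $WhatIf                       # list candidates without tagging
)

$ErrorActionPreference = 'Stop'
$resource = 'https://api.securitycenter.microsoft.com'

# 1. Client-credentials token for the Defender for Endpoint API.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $AppId
        client_secret = $AppSecret
        scope         = "$resource/.default"
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Page through /api/machines; the API returns @odata.nextLink when the
#    result set is larger than one page.
$machines = @()
$uri = "$resource/api/machines"
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $machines += $page.value
    $uri = $page.'@odata.nextLink'
}

# 3. Group records by Azure AD device id. Within each group that has more than
#    one record, keep the newest lastSeen and treat the rest as stale twins.
$stale = $machines |
    Where-Object { $_.aadDeviceId } |
    Group-Object -Property aadDeviceId |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $_.Group |
            Sort-Object { [datetime]$_.lastSeen } -Descending |
            Select-Object -Skip 1
    }

# 4. Tag each stale record. Skipping already-tagged records keeps the script
#    idempotent, so it can run on a schedule.
foreach ($m in $stale) {
    if ($m.machineTags -contains $Tag) { continue }
    Write-Host ('{0}  aadDeviceId={1}  lastSeen={2}  id={3}' -f `
        $m.computerDnsName, $m.aadDeviceId, $m.lastSeen, $m.id)
    if ($WhatIf) { continue }
    Invoke-RestMethod -Method Post `
        -Uri "$resource/api/machines/$($m.id)/tags" `
        -Headers $headers -ContentType 'application/json' `
        -Body (@{ Value = $Tag; Action = 'Add' } | ConvertTo-Json)
}
```

Run it with -WhatIf first and read the list: the "older record is the stale one" rule is a heuristic, and in the situation described in the original post both records were still reporting as Active, so lastSeen can flip between them from one run to the next. Tagging changes how the records are grouped and scored; it does not delete them or shorten the retention period, which is the point Thijs makes about keeping records for forensics.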