How to remove an unused device from Device Inventory in Microsoft Defender

Mohsen Akhavan 936 Reputation points
2024-01-27T00:37:57.5666667+00:00

I have two problems with the Device Inventory in Microsoft Defender. Issue 1: I onboarded a device with the onboard script and then changed the computer name. Now I see both computer names in the list of devices. Issue 2: I had an unused device on which I ran the offboard script and which I also excluded from the devices list, but it's in the device inventory. Based on my research, there is a data retention policy. I want to know how long this policy is. Also, I think this issue has a side effect on security scores.

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

Accepted answer
  1. Akshay-MSFT 17,006 Reputation points Microsoft Employee
    2024-01-29T08:04:56.03+00:00

    @Mohsen Akhavan

    Thank you for your time and patience. Please find below answers inline to your queries, and feel free to comment if you see any discrepancies in my understanding.

    Issue 1: I onboarded a device with the onboard script and then changed the computer name. Now I see both computer names in the list of devices.

    • This is expected behavior.

    When a device is reinstalled or renamed, a new device entity is generated in Microsoft Defender XDR. The previous device entity remains, with an 'Inactive' status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally.

    Issue 2: I had an unused device on which I ran the offboard script and which I also excluded from the devices list, but it's in the device inventory. Based on my research, there is a data retention policy. I want to know how long this policy is. Also, I think this issue has a side effect on security scores.

    • If the device was offboarded, it still appears in the devices list. After seven days, the device health state should change to inactive.

    As per Microsoft's data retention policy, data from Microsoft Defender for Endpoint is retained for 180 days and is visible across the portal. However, in the advanced hunting investigation experience, it's accessible via a query for a period of 30 days.

    Based on the investigation, I was able to find that in both situations the devices become inactive. The following actions taken on a device can cause it to be categorized as inactive:

    • Device isn't in use
    • Device was reinstalled or renamed
    • Device was offboarded
    • Device isn't sending signals

    The inactive state of the device remains until the Defender retention period is completed.


    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik
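
The three windows quoted in the answer (7 days to inactive, 30 days in advanced hunting, 180 days in the portal) can be applied to a device list to see when stale entries should age out. This is an added example, not part of the original answer and not Microsoft's code; the record field names and sample devices are constructed, and it assumes each window is counted from the device's last-seen time.

```python
from datetime import datetime, timedelta

# Windows quoted in the answer above.
INACTIVE_AFTER = timedelta(days=7)      # health state should change to inactive
HUNTING_WINDOW = timedelta(days=30)     # still queryable in advanced hunting
PORTAL_RETENTION = timedelta(days=180)  # still visible across the portal

# Constructed sample inventory; field names are hypothetical, not a real export schema.
SAMPLE = [
    {"name": "pc-old-name", "health": "Inactive", "last_seen": "2024-01-10T09:00:00+00:00"},
    {"name": "pc-new-name", "health": "Active", "last_seen": "2024-01-28T22:00:00+00:00"},
    {"name": "lab-offboarded", "health": "Inactive", "last_seen": "2023-11-20T12:00:00+00:00"},
]
NOW = datetime.fromisoformat("2024-01-29T00:00:00+00:00")  # fixed so results are reproducible


def triage(devices, now):
    """Return one row per device, ordered by the date it should leave the portal."""
    rows = []
    for dev in devices:
        last_seen = datetime.fromisoformat(dev["last_seen"])
        silent_for = now - last_seen
        rows.append({
            "name": dev["name"],
            "health": dev["health"],
            "days_silent": silent_for.days,
            # Assumption: the 7-day rule is measured from the last signal received.
            "expect_inactive": silent_for >= INACTIVE_AFTER,
            "in_hunting_window": silent_for <= HUNTING_WINDOW,
            # Assumption: the 180-day retention is measured from the last signal received.
            "leaves_portal_on": (last_seen + PORTAL_RETENTION).date().isoformat(),
        })
    return sorted(rows, key=lambda r: r["leaves_portal_on"])


if __name__ == "__main__":
    for row in triage(SAMPLE, NOW):
        print(row)
```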
