MDE (previously MDATP) best practice before formatting a PC

Andrea Pasquali 21 Reputation points
2022-09-03T20:33:58.143+00:00

Hello there,

I'm looking for best practices about MDE.
I usually reformat machines and reuse the same machine name in AD/AAD, but I'm facing some trouble in the MDE console.
The question is: after performing an offboarding from MDE as described here:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machines?view=o365-worldwide

How long do I have to wait before deleting the machine from AD/AAD in order to perform a fresh OS installation with the same machine name?

Example: machine name on the domain: Domain\machine1.
I need to perform the MDE offboarding procedure and then format machine1 to assign the machine to a new user.

[attached screenshot: 237542-image.png]

The goal is to avoid double entries in the MDE (security.microsoft.com) console. Thanks in advance.

Windows 10 Security

2 answers

  1. Andrew Blumhardt 6,981 Reputation points Microsoft Employee
    2022-09-05T04:33:15.333+00:00

    MDE devices actually report in using a device ID. MDE does not prevent using duplicate machine names. You can have two or more devices reporting under the same name but using two IDs (you will see the device listed twice).

    When a device stops reporting to MDE you have to wait for the data to time out to drop from view. That is 7-30 days depending on the view duration. There currently is no option to hide or drop a device from the views. This will result in devices showing up twice for a number of days after a reimage or re-onboarding. One workaround is to tag any duplicate or decommissioned devices and drop that tag using a view filter.

  2. Limitless Technology 37,526 Reputation points
    2022-09-06T07:33:56.28+00:00

    Hello there,

    To answer this: "the goal is to avoid double entries in the MDE (security.microsoft.com) console".

    MDE only includes data from computers that have been active in the last 30 days.

    Microsoft doesn't provide the ability to remove devices because it's extremely dangerous. If an attacker got permissions on your cloud instance, he could remove all his tracks.

    You can tag the device and create a machine group based on that tag. Within the device inventory, you can then filter out the inactive machine group.

    If old entries of devices that were re-imaged were removed, the old data of those devices would be lost. That's a huge security risk.

    You can find more discussion of this topic here: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/must-be-able-to-delete-duplicate-orphaned-devices-from-m365/m-p/2296667

    I hope this information helps. If you have any questions please let me know and I will be glad to help you out.

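Both answers above point to the same workaround: a reimaged machine comes back under the same name with a new device ID, the old ID keeps reporting in the inventory until it ages out, and the only way to get it out of the way is to tag it and filter on that tag (or build a device group on it). The script below is an added example, not code from the thread or from Microsoft; it automates the tagging step against the Defender for Endpoint API. It assumes an Entra ID (Azure AD) app registration holding the Defender for Endpoint application permission Machine.ReadWrite.All, and the tag name "Decommissioned" is an arbitrary choice. It lists every device, groups by computerDnsName, treats the most recently seen ID per name as the live device, and tags every other ID for that name. Without -Apply it only reports what it would tag.

```powershell
# Added example (not part of the original thread). Tags stale duplicate device IDs in
# Microsoft Defender for Endpoint so an inventory filter or device group can hide them.
# Assumes an app registration with the MDE API application permission Machine.ReadWrite.All;
# TenantId / ClientId / ClientSecret are placeholders you supply. The tag name is an assumption.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,
    [string] $Tag = 'Decommissioned',   # any tag value works; this one is just a convention
    [switch] $Apply                      # without -Apply the script is a dry run
)

$ErrorActionPreference = 'Stop'
$api = 'https://api.securitycenter.microsoft.com'

# 1. Client-credentials token scoped to the Defender for Endpoint API.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "$api/.default"
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Page through GET /api/machines; the API returns @odata.nextLink while more pages exist.
$machines = @()
$uri = "$api/api/machines"
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $machines += $page.value
    $uri = $page.'@odata.nextLink'
}

# 3. MDE keys devices on the machine id, not the name, so a reimaged box shows up as a
#    second id under the same computerDnsName. For each name with more than one id, keep
#    the most recently seen id as the live device; the rest are stale entries.
#    Skip ids that already carry the tag so the script is safe to re-run.
$stale = $machines |
    Group-Object -Property computerDnsName |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $_.Group | Sort-Object { [datetime]$_.lastSeen } -Descending | Select-Object -Skip 1
    } |
    Where-Object { $_.machineTags -notcontains $Tag }

foreach ($m in $stale) {
    '{0,-30} {1,-40} lastSeen={2}' -f $m.computerDnsName, $m.id, $m.lastSeen
    if ($Apply) {
        # 4. POST /api/machines/{id}/tags with Action=Add attaches the tag to this id only;
        #    the live id for the same name is untouched.
        Invoke-RestMethod -Method Post -Uri "$api/api/machines/$($m.id)/tags" `
            -Headers $headers -ContentType 'application/json' `
            -Body (@{ Value = $Tag; Action = 'Add' } | ConvertTo-Json) | Out-Null
    }
}

$summary = if ($Apply) { "tagged '$Tag'" } else { 'dry run; re-run with -Apply to tag' }
'{0} stale duplicate id(s) found ({1})' -f @($stale).Count, $summary
```

Run it once as a dry run right after re-onboarding the reimaged machine, check that the id it lists is the old one (compare lastSeen against the offboarding date), then run it with -Apply. In the portal, exclude the tag in the device inventory filter or build a device group on it; the stale entry then disappears from the views you use while its history stays in the tenant, which is the point Limitless Technology makes above about not being able to delete devices. Nothing here changes the 7-30 day ageing-out described in the first answer; it only hides the duplicate until that happens.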