This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 85%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
Hello there,
I'm looking for best practices about MDE.
I'm used to format machines with the same name machine on AD/AAD, but I'm facing some troubles on MDE console.
The question is: performing a offboarding from MDE as described:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/offboard-machines?view=o365-worldwide
How long I've to wait to delete the machine from AD/AAD for performing a fresh new OS installation with the same machine name?
Example: machine name on domain: Domain\machine1.
I need to perform an MDE offboarding procedure, and then format machine1 to assign the machine to a new user.
The goal is avoid double entries on MDE (security.microsoft.com) console. Thanks in advance
MDE devices actually report in using a device ID. MDE does not prevent using duplicate machine names. You can have two or more devices reporting under the same name but using two IDs (you will see the device listed twice).
When a device stops reporting to MDE you have to wait for the data to time out to drop from view. That is 7-30 days depending on the view duration. There currently is no option to hide or drop a device from the views. This will result in devices showing up twice for a number of days after a reimage or re-onboarding. One workaround is to tag any duplicate or decommissioned devices and drop that tag using a view filter.
Hello there,
To answer this "the goal is avoid double entries on MDE (security.microsoft.com) console"
MDE data only includes data from computers that have been active in the last 30 days.
Microsoft doesn't provide the ability to remove devices because it's extremely dangerous. If an attacker would get permissions on your cloud instances, he could remove all his tracks.
You can tag the device and create a machine group based on that tag. Within device inventory, you can then filter out the inactive machine group.
If old entries of devices that are re-imaged would be removed, the old data of the device would be lost. That's a huge security risk
You can find more discussion about this topic from here https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/must-be-able-to-delete-duplicate-orphaned-devices-from-m365/m-p/2296667
I hope this information helps. If you have any questions please let me know and I will be glad to help you out.
-------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer--