Title

Microsoft Defender for Endpoint (MDE) must enable Hide potential duplicate device records. (Cat II impact)

Discussion

Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. When turned on, this setting will hide duplications that might occur for the following reasons: - Devices that were discovered more than once. - Discovery of onboarded devices. - Unintentionally discovered onboarded devices. These duplications will be hidden from multiple experiences in the portal to create a more accurate view of the device inventory. The affected areas in the portal include the Device Inventory, Microsoft Defender Vulnerability Management screens, and Public API for machines data. These devices will still be viewable in global search, advanced hunting, and alert and incidents pages.

Check Content

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Hide potential duplicate device records" is set to "On". If the slide bar for "Hide potential duplicate device records" is not set to "On", this is a finding.

Fix Text

Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Hide potential duplicate device records" to "On".

Additional Identifiers

Rule ID: SV-275981r1119731_rule

Vulnerability ID: V-275981

Group Title: SRG-APP-000279

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.