Microsoft Defender for Endpoint (MDE) must enable Hide potential duplicate device records.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-275981 | SRG-APP-000279 | MSDE-00-000600 | SV-275981r1119731_rule | 2025-07-15 | 1 |
| Description |
|---|
| Malicious code protection mechanisms include, but are not limited to, antivirus and malware detection software. To minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. When turned on, this setting will hide duplications that might occur for the following reasons: - Devices that were discovered more than once. - Discovery of onboarded devices. - Unintentionally discovered onboarded devices. These duplications will be hidden from multiple experiences in the portal to create a more accurate view of the device inventory. The affected areas in the portal include the Device Inventory, Microsoft Defender Vulnerability Management screens, and Public API for machines data. These devices will still be viewable in global search, advanced hunting, and alert and incidents pages. |
| ℹ️ Check |
|---|
| Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Hide potential duplicate device records" is set to "On". If the slide bar for "Hide potential duplicate device records" is not set to "On", this is a finding. |
| ✔️ Fix |
|---|
| Access the MDE portal as a user with at least an MDE Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Hide potential duplicate device records" to "On". |