Issue related to Defender ATP connection status updates within Intune
Question
Hey guys, does anyone know how often the Defender ATP connection status updates within Intune? I notice it is not real-time, if not how often should it be syncing?
Posted by Sam Vaughey in HTMD FB Group
Answers ( 2 )
Replied by Sam Vaughey
Author
Is there any documentation on it to give to a customer etc
Replied by Noel Fairclough
Sam Vaughey This is what we found – in here
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-onboarding
under “Known issues with non-compliance,” it mentions the device being compliant by “OrgID” but is not compliant by “SenseIsRunning”.
I didn’t actually work on this issue, my colleague did – but the issue we had was we onboarded via SCCM, configured policy by SCCM. SCCM knew the endpoint was compliant, but the ATP tenancy/portal didn’t.
We let it go for 24hrs, and pretty much 24hrs on the dot, we started seeing machines show up as compliant in the portal. Not all of them at the same time, just a lot more than previously. They eventually all trickled in.
Replied by Andy Andorfer
Hi, you mean just the status indication?
That Def ATP is correctly connected to Intune? Or the Device Compliance after pushing configs to Def ATP?
Replied by Sam Vaughey
Author
Yes its configured I am just curious to know how often it updates the console status
Replied by Noel Fairclough
It’s every 24hrs+. We’ve just had a customer with this exact same issue.
ATP Policies configured in SCCM. SCCM reporting compliance, you can also see in the Event Viewer logs on the endpoints that actions were being audited/triggered, however,
The ATP portal says the device is not configured and still makes recommendations to turn things on like Attack Surface Reduction, etc.
Try rebooting the endpoint to speed things up, but we found that after 24hrs it started to populate with clients saying they were properly configured.