Issue related to Defender ATP connection status updates within Intune

Question

Hey guys, does anyone know how often the Defender ATP connection status updates within Intune? I notice it is not real-time; if not, how often should it be syncing?

Posted by Sam Vaughey in HTMD FB Group

Vidya M A 2022-03-16T12:12:59+05:30

Answers ( 2 )

    2022-03-16T12:20:25+05:30

    Replied by Sam Vaughey
    Author

    Is there any documentation on it to give to a customer, etc.?

    Replied by Noel Fairclough

    Sam Vaughey This is what we found – in here
    https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-onboarding

    Under “Known issues with non-compliance,” it mentions the device being compliant by “OrgID” but is not compliant by “SenseIsRunning”.

    I didn’t actually work on this issue, my colleague did – but the issue we had was we onboarded via SCCM, configured policy by SCCM. SCCM knew the endpoint was compliant, but the ATP tenancy/portal didn’t.

    We let it go for 24hrs, and pretty much 24hrs on the dot, we started seeing machines show up as compliant in the portal. Not all of them at the same time, just a lot more than previously. They eventually all trickled in.

    2022-03-16T12:17:03+05:30

    Replied by Andy Andorfer
    Hi, you mean just the status indication?
    That Def ATP is correctly connected to Intune? Or the Device Compliance after pushing configs to Def ATP?

    Replied by Sam Vaughey
    Author
    Yes, it’s configured. I am just curious to know how often it updates the console status.

    Replied by Noel Fairclough

    It’s every 24hrs+. We’ve just had a customer with this exact same issue.

    ATP Policies configured in SCCM. SCCM reporting compliance, you can also see in the Event Viewer logs on the endpoints that actions were being audited/triggered; however, the ATP portal says the device is not configured and still makes recommendations to turn things on like Attack Surface Reduction, etc.

    Try rebooting the endpoint to speed things up, but we found that after 24hrs it started to populate with clients saying they were properly configured.
