Forum Discussion
Inconsistent MSATP "Platform" reporting
I have a Linux SLES installation with MDAP Platform version 101.98.64 (updated about an hour ago).
The "Device health status" on the device page in Defender still tells me it's version 101.98.05 and the software inventory for that server tells me the version is 101.98.64.0. The advanced hunting
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2030" and (OSPlatform == "macOS" or OSPlatform == "Linux")
| extend avdata=parsejson(Context)
| extend AVProductVersion = tostring(avdata[0][0])
| project DeviceName, AVProductVersion
| order by AVProductVersion
query returns "101.98.05" for this server.
So, now I have 3 different version numbers in 4 different places - is there any documentation how these information are synchronized? How log do I need to wait after an update until I get a consistent reporting about the version?
The reason why I need that:
I have scheduled updates for MDATP on my servers and I want to see, that these updates were successfull (the result of the update process - so all servers should have the same version number for MDATP). Currently I see an old version number on one server; I click on the software inventory tab which shows me different old version number; I log into the server and execute mdatp health - and I see that the server is already up to date ... time wasted.
Such inconsistencies do not result in "trust" regarding the software inventory page of the device. In fact such inconsistencies without a clear communication about the expected maximum latency between an update on the server and the update of the inventory undermines all my trust in the product.