Forum Discussion
It can take up to 48 hours for a URL or IP address to be blocked on a device.
https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain?view=o365-worldwide - 48 hours?
That's nuts. Why would a company purchase this if you can't implement or roll back a change for 2 days?
What if you're getting attacked and need to stop remote machines connecting to an IP\Domain? 2 hours to stop an attack?
Surely there is a way to force this.
1 Reply
Hi, according to Microsoft documentation, the “up to 48 hours” reminder indicates the worst case for: offline or infrequently connecting devices, which take until they check in to download new blocking indicators, and portal UI update latency, i.e., how long it takes the Defender portal to show updated status (Microsoft Learn).
In practice, however, healthy, online devices check in with the Defender cloud every 90-120 minutes, so most custom IPs/URLs are effectively blocked in less than 2 hours (Microsoft Learn), while the portal UI may still reflect changes with a 24-48 hour delay, but endpoints already block much sooner.
How to force or accelerate blocking enforcement:
Manual policy sync from the Defender portal - in the portal: Devices > select device > Actions > Policy sync. The device applies the new policy in about 10 minutes (Microsoft Learn).
Remote sync via Intune - in Microsoft Intune admin center: Devices > All devices > select device > Sync. Intune-managed devices normally check in every 90 minutes to update policies.
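
The Intune sync step from the reply above can be requested for many devices at once through Microsoft Graph instead of clicking through each device. This is an added example, not part of the original thread or of Microsoft's documentation; it assumes the Microsoft.Graph.Authentication PowerShell module is installed, that the signed-in account holds the two Graph permissions named in the code, and that filtering on Windows devices is what you want.

```powershell
# Added example: request an Intune sync for every Windows managed device.
# Assumptions: Microsoft.Graph.Authentication is installed and the account may
# consent to the scopes below. Offline devices only act on the request once
# they are back online.
Import-Module Microsoft.Graph.Authentication

Connect-MgGraph -Scopes @(
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All'
)

$base = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'
# Single quotes keep $filter/$select literal; '' is an escaped quote.
$uri  = $base + '?$filter=operatingSystem eq ''Windows''&$select=id,deviceName,lastSyncDateTime'

$requested = 0
$failed    = @()

do {
    # Returns a hashtable with 'value' and, when more pages exist, '@odata.nextLink'.
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri

    foreach ($device in $page.value) {
        try {
            # syncDevice is a Graph action on managedDevice; success is 204 No Content.
            Invoke-MgGraphRequest -Method POST -Uri "$base/$($device.id)/syncDevice" | Out-Null
            $requested++
            Write-Output "sync requested: $($device.deviceName) (last sync: $($device.lastSyncDateTime))"
        }
        catch {
            $failed += $device.deviceName
            Write-Warning "sync failed: $($device.deviceName): $($_.Exception.Message)"
        }
    }

    $uri = $page.'@odata.nextLink'
} while ($uri)

Write-Output "Requested sync on $requested device(s); $($failed.Count) failed."
if ($failed.Count -gt 0) { $failed | Sort-Object | ForEach-Object { Write-Output "  failed: $_" } }
```

The printed `lastSyncDateTime` is the value before the request, so re-running the listing later shows which devices have actually checked in since.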