Microsoft Defender for Endpoint Blog

Optimized reporting latency and expedite mode

Tomer Brand, Microsoft
Aug 16, 2018

In the past few months, we worked to optimize telemetry reporting and considerably reduce latency for Windows 10 versions 1709, 1803, and the upcoming Windows 10 version.


As a result, we have adjusted the default reporting latency for Windows Defender ATP to achieve a better balance between speed and CPU performance. This makes the expedite mode configuration option for reporting frequency redundant. The option no longer affects the Windows Defender ATP sensor, so you can leave it as-is. In the future, we might retire this setting altogether or define it differently in the backend. In any case, we will notify you of any subsequent changes.


Thank you,

Windows Defender ATP team

  • BrandonSpiteri (Copper Contributor)

    I would like to know more about ATP file search using a hash. When I search for a particular file hash, the output would be a list of machines containing the specific file.


    I am using this feature in order to confirm that a vulnerable driver (namely MicTrayDebugger) is really being updated after the latest driver is pushed via SCCM.


    Something we noticed was that even though the updated driver is reported to be successfully deployed from SCCM, the workstation would still feature in the list from the ATP 'old driver' search. I assume this is due to a latency that exists in updating the ATP file database from telemetry. How much is the latency in this case? And is there a workaround for this?

  • ATP searches for the footprint of the files; this also covers what was on the endpoint in the past.

    • Mostly designed for security investigations where the SOC analyst would like to apply time travel to the attack start time and track it from there.

    If you are interested in tracking vulnerabilities, have you tried https://securitycenter.microsoft.com/tvm_dashboard?


    Thanks,

    Tomer

  • K6EEjeSsH (Copper Contributor)

    "This option no longer affects the Windows Defender ATP sensor,"

    "This option" meaning the "latency" registry key?

    If so, why is the local onboarding script still explicitly creating that key?

    WindowsDefenderATPLocalOnboardingScript.cmd:

    REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v latency /t REG_SZ /f /d "Demo" >NUL 2>&1

  • UseCase64 (Copper Contributor)

    Does anyone have information as to the current status of this setting, which is still showing in the ATP onboarding policy in Configuration Manager?


    Thank you.

  • En111_ (Brass Contributor)

    Would be good to know the status of this, as the onboarding process has led me to this post. In 2021 it still shows as an option.