Optimized reporting latency and expedite mode
Published Aug 16 2018 01:05 AM
Microsoft

In the past few months, we worked to optimize telemetry reporting and considerably reduce latency for Windows 10 versions 1709, 1803, and the upcoming Windows 10 version.


As a result, we’ve adjusted the default reporting latency for Windows Defender ATP to achieve a better balance between speed and CPU performance. This makes the expedite mode configuration option for reporting frequency redundant. The option no longer affects the Windows Defender ATP sensor, so you can leave it as-is. In the future, we might retire this setting altogether or define it differently in the backend. In any case, we will notify you of subsequent changes.


Thank you,

Windows Defender ATP team

7 Comments
Copper Contributor
Great news, thanks Tomer!
Copper Contributor

I would like to know more about ATP file search using a hash. When I search for a particular file hash, the output would be a list of machines containing the specific file.


I am using this feature in order to confirm that a vulnerable driver (namely MicTrayDebugger) is really being updated after the latest driver is pushed via SCCM.


Something we noticed was that even though the updated driver is reported to be successfully deployed from SCCM, the workstation would still feature in the list from the ATP 'old driver' search. I assume this is due to a latency which exists in updating the ATP file database from telemetry. How much is the latency in this case? And is there a workaround for this?

Microsoft

ATP searches for the footprint of the files - this also covers what was on the endpoint in the past.

  • Mostly designed for security investigations where the SOC analyst would like to apply time travel to the attack start time and track it from there

If you are interested in tracking vulnerabilities, have you tried https://securitycenter.microsoft.com/tvm_dashboard ?


Thanks,

Tomer

Copper Contributor

This option no longer affects the Windows Defender ATP sensor,

"This option" meaning the "latency" registry key?

If so, why is the local onboarding script still explicitly creating that key?

WindowsDefenderATPLocalOnboardingScript.cmd:

REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v latency /t REG_SZ /f /d "Demo" >NUL 2>&1
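Since the post says the sensor no longer reads this value, a defender may still want to inventory which endpoints carry it. The following audit function is an added example, not part of the post or of the onboarding script; the Sense service name and the Status\OnboardingState value are assumed from general Defender for Endpoint knowledge and are not stated on this page.

```powershell
# Added example: audit the now-redundant "latency" policy value on a Windows endpoint.
# Assumed (not from this page): the sensor service is named "Sense" and
# Status\OnboardingState = 1 once the sensor has onboarded.
function Get-AtpLatencyAudit {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # Value written by the local onboarding script (e.g. "Demo"); per the post it is ignored.
    $latency = (Get-ItemProperty -Path $policyKey -Name latency -ErrorAction SilentlyContinue).latency

    # Assumed onboarding marker and sensor service.
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        LatencyValue    = $latency                 # $null when the value is absent
        LatencyIsNoOp   = ($null -ne $latency)     # set, but no longer honoured by the sensor
        SensorOnboarded = ($state -eq 1)
        SenseStatus     = $(if ($sense) { $sense.Status } else { 'NotInstalled' })
    }
}

Get-AtpLatencyAudit | Format-List
```

Run it under an elevated session on a managed endpoint, or wrap it in Invoke-Command to collect the same object from many machines.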

Copper Contributor

Does anyone have information as to the current status of this setting, which is still showing in the ATP onboarding policy in Configuration Manager?


Thank you

Brass Contributor

Would be good to know the status of this, as the onboarding process has led me to this post. In 2021 it still shows as an option.

Microsoft

Having happened to be able to test this today, I can confirm the value made no difference in my environment. I would say, however, for scripted onboarding at scale, take a look at the VDI onboarding scripts ("Onboard non-persistent virtual desktop infrastructure (VDI) devices" on Microsoft Docs), as it doesn't require interaction and checks
