Defender for Endpoint alert delays

Hello,

We are rolling out Defender for Endpoint to our big Windows estate. The first batch of onboarding and subsequent testing is showing huge delays on any alerts showing in the portal (6+ hours). Has anyone had any similar experiences when configuring and rolling out Defender for Endpoint?
2 Replies

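@Craig Burnett multiple hours is not fine. I see alerts mostly popping up after 2 minutes of delay. Maybe this was caused by delays from your proxy to the backends? Check this here (https://docs.microsoft.com/en-US/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet), to see what connections endpoints make. There is also a sheet (https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) with all IPs and connections which Defender does. Make sure there was no bottleneck during the deployment phase to these IPs/DNS/URLs. If you open the sheet, go to the left side to see all URLs. Maybe these devices had problems communicating with the backend.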

Just wanted to chime in and let you know that a customer of mine reported the same thing. They said MDfE was slow last week and were seeing huge delays in alerts.