SOLVED

Microsoft Defender for Endpoint - Agent inventory updates

%3CLINGO-SUB%20id%3D%22lingo-sub-2374563%22%20slang%3D%22en-US%22%3EMicrosoft%20Defender%20for%20Endpoint%20-%20Agent%20inventory%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2374563%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20new%20to%20Microsoft%20Defender%20for%20Endpoint.%20Recently%20I%20enabled%20Microsoft%20Defender%20for%20Endpoint%20and%20onboarded%20test%20devices.%20In%20the%20device%20inventory%20on%20%22Last%20Device%20update%22%20there%20are%20(i)%20which%20states%20-%3C%2FP%3E%3CP%3EA%20device%20typically%20sends%20a%20full%20report%20every%2024%20hours.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Eduards_0-1621577814991.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F282538i27B93AAC4D064091%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Eduards_0-1621577814991.png%22%20alt%3D%22Eduards_0-1621577814991.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhich%20means%20that%20for%20example%20I%20have%20security%20recommendations%20to%20resolve.%20I%20create%20and%20deploy%20policy%20to%20test%20workstation.%20And%20only%20after%2024%20hours%20I%20will%20see%20that%20recommendations%20is%20solved..%3F%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20there%20a%20way%20to%20enforce%20client%20to%20send%20reports%20immediately%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2398844%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20Defender%20for%20Endpoint%20-%20Agent%20inventory%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2398844%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F715089%22%20target%3D%22_blank%22%3E%40Eduards%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F63582%22%20target%3D%22_blank%22%3E%40Heike%20Ritter%3C%2FA%3E%26nbsp%3Bmay%20know%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2410665%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20Defender%20for%20Endpoint%20-%20Agent%20inventory%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2410665%22%20slang%3D%22en-US%22%3ENo%2C%20you%20will%20see%20those%20applied%20mitigations%20much%20faster.%20The%20device%20sends%20various%20data%20throughout%20the%20day%2C%20but%20not%20everything%20all%20the%20time%20as%20one%20big%20chunk.%20There%20used%20to%20be%20a%20setting%20to%20put%20a%20device%20in%20a%20%22POC%20mode%22%20(only%20for%20testing%20purposes)%20to%20expedite%20sending%20events%20-%20not%20sure%20this%20set%20of%20data%20would%20be%20part%20of%20it%20though.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2411490%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20Defender%20for%20Endpoint%20-%20Agent%20inventory%20updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2411490%22%20slang%3D%22en-US%22%3EHello%2C%20thank%20you%20for%20the%20answer.%3C%2FLINGO-BODY%3E
New Contributor

Hello,

 

I'm new to Microsoft Defender for Endpoint. Recently I enabled Microsoft Defender for Endpoint and onboarded test devices. In the device inventory on "Last Device update" there are (i) which states -

A device typically sends a full report every 24 hours.

 

Eduards_0-1621577814991.png

 

Which means that for example I have security recommendations to resolve. I create and deploy policy to test workstation. And only after 24 hours I will see that recommendations is solved..?

Is there a way to enforce client to send reports immediately ?

3 Replies
best response confirmed by Eduards (New Contributor)
Solution
No, you will see those applied mitigations much faster. The device sends various data throughout the day, but not everything all the time as one big chunk. There used to be a setting to put a device in a "POC mode" (only for testing purposes) to expedite sending events - not sure this set of data would be part of it though.
Hello, thank you for the answer.