SOLVED

Threat & Vulnerability Management Software inventory


Hi there

Does anyone know how long it takes for inactive machines to be removed from the Threat & Vulnerability Management Software inventory section? In my organisation (an educational establishment), we re-image our PC inventory every year during the summer and normally update about 4,000 PCs to the next suitable build of Windows 10, in this case 1803>1903. This is probably bad practice, but we don't off-board the PCs because we will just be on-boarding them again and it's time-consuming to off-board the devices. When the re-imaged machines come online again, they are automatically re-on-boarded and we tolerate the duplicate machines for the 7 days it takes them to become inactive.

Now the issue. In Threat & Vulnerability Management > Software inventory, the inactive devices are still being counted in 'Exposed machines' and there doesn't seem to be a way to filter them out. I've been patiently waiting for a few weeks, but the machines haven't dropped out yet. This means that I'm seeing 7,000+ machines, about half of which are clean, but the stats & graphs don't reflect the status of the environment. I'm assuming that this is because it's still counting inactive machine records.

Anyone else seen or having this issue?

Thanks

Andy

6 Replies

Hi @Andrew Emmett.

I came across the same doubt last week.

After some (a lot of) research I was able to find the information below:

Information regarding the Risk Level for the machine: 5-10 minutes to update in the WDATP Console

Information regarding the Security Assessment: 2-4 hours to update in the WDATP Console

The information is collected by the ATP sensor in real time, but the console takes a little while to update the values as described above. Sadly I was browsing in a private tab so I do not have the link for this information right now, but I've been searching for it and as soon as I find it I'll update my response.

Hope it helps.

IL

Best Response confirmed by Andrew Emmett (New Contributor)

@Andrew Emmett -


@Andrew Emmett wrote:

Hi there

Does anyone know how long it takes for inactive machines to be removed from the Threat & Vulnerability Management Software inventory section? In my organisation (an educational establishment), we re-image our PC inventory every year during the summer and normally update about 4,000 PCs to the next suitable build of Windows 10, in this case 1803>1903. This is probably bad practice, but we don't off-board the PCs because we will just be on-boarding them again and it's time-consuming to off-board the devices. When the re-imaged machines come online again, they are automatically re-on-boarded and we tolerate the duplicate machines for the 7 days it takes them to become inactive.

Now the issue. In Threat & Vulnerability Management > Software inventory, the inactive devices are still being counted in 'Exposed machines' and there doesn't seem to be a way to filter them out. I've been patiently waiting for a few weeks, but the machines haven't dropped out yet. This means that I'm seeing 7,000+ machines, about half of which are clean, but the stats & graphs don't reflect the status of the environment. I'm assuming that this is because it's still counting inactive machine records.

Anyone else seen or having this issue?

Thanks

Andy

Machines are removed from TVM after 30d of inactivity.


@yaakov_iyun 

Thank you very much. Hopefully I'll start to see a reduction soon then.

Thanks Igor. It's good to know these times, but my issue is more about the time it takes for inactive machines to be removed from the overall statistics. In the post below, Yaakov has suggested that this is 30 days, so I'll keep an eye on things to see if this is the case.

Hey, @Andrew Emmett.

I see. My mistake.

Just to clarify, the amount of time it takes will depend on how your data retention is configured. It can take 30 up to 180 days until inactive machines get removed from the portal.

Regards,

IL

Just a quick update. It seems like it is 30 days for Machines to drop out of the Threat & Vulnerability Management statistics. Seeing significant drop in machines now as I am hitting a 30 day threshold. Thanks @yaakov_iyun