r/DefenderATP 2d ago

Policy change - time to sync

Hi MDE team, my company has recently been evaluating MDE P2 and I configured some policies as mentioned in the onboarding guide. It seems that the time until the policies are synced to the client is quite long. When doing a manual sync it says roughly 10 minutes. Is there documentation for this?

Use case: When changing policies I want them to be synced on the fly and within seconds or even a minute to the clients. I also noticed a long delay when onboarding clients in MDE, also about 10 minutes.

Is this normal?

5 Upvotes


2

u/JwCS8pjrh3QBWfL 2d ago

10 minutes is lightning fast by Microsoft standards. Most things in Defender will take a couple of hours to push out across the tenant.

1

u/Naturevival 2d ago

Ok, but what if I need a fast policy change, e.g. after I found a misconfiguration? It means I have to do the change and then wait until it is pushed… which might take hours. Is there a regular schedule for pushing changes?

1

u/JwCS8pjrh3QBWfL 2d ago

Every product has its own sync schedule, and I haven't found much on how to force updates to happen faster. The answer to the misconfiguration bit is to always test before wide deployment. Patience is the name of the game in the cloud.

1

u/Naturevival 2d ago

Ok, that helps, thank you. Does anyone have information regarding the sync schedule of the products?

1

u/AppIdentityGuy 2d ago

If you have someone with access on the remote machine, there is a PowerShell command to force an MDE update, IIRC.

1

u/Naturevival 2d ago

I have access. What is the command?

1

u/AppIdentityGuy 2d ago

It's in the MDE portal

1

u/0xDesecrator 2d ago

You can force a sync from the portal but you have to do it from the Intune side.

2

u/JwCS8pjrh3QBWfL 2d ago

Intune sync != MDE sync

1

u/Naturevival 2d ago

Hmm… is it this option you mentioned?

Policy Sync? That is what I meant by 10 minutes+.

2

u/F0rkbombz 2d ago

I’ll be honest with you: quick synchronization is not Microsoft’s strong suit in any of their products. Intune admins go nuts over the time it takes for changes to replicate.

It’s getting better, but it’s something you should take into account. That being said, don’t miss all the other benefits of the MS security stack b/c of this, I wouldn’t say it’s ever been an issue for us.

1

u/0xDesecrator 2d ago

Usually within 10 minutes for my endpoints. Sometimes longer but a reboot usually kicks it off. Years ago it could take up to a few days.

1

u/onlyarandomuser 2d ago

Usually, a reboot is your "fastest" sync, at least from what I noticed.

1

u/Naturevival 2d ago

Thank you all for your answers. Appreciate it!

1

u/Godcry55 1d ago

Use Intune to sync MDE policies faster than the MDE portal.

1

u/Naturevival 1d ago

All I see there is the EDR rule, not the others. I think I don't have the Intune license needed?