Thank you for the information and resources provided. I will review the Secure Client profiles and policies you mentioned.

Regarding the data discrepancy between XDR and Secure Endpoint, could you clarify if there are any known synchronization issues or delays that might cause the numbers to differ between these platforms? Additionally, if there are steps I should follow or best practices to ensure consistent data across these platforms, I would greatly appreciate your guidance.

For the Orbital installation failure, I will review the policy adjustments you suggested. However, are there specific logs or other troubleshooting steps I should follow to identify the root cause of the issue?

I can chime in little bit as well. When it comes to synchronization between XDR and other portals/sources currently this is not as fast as for example between your Endpoint and Secure Endpoint Console. I think the actual sync is once or maybe twice a day. The other thing to consider is data retention. For example if you have feed from Orbital to XDR and lets say you un-install endpoint you will notice that endpoint will be gone from Secure Endpoint console but you will still find that endpoint in XDR and Orbital because that's due to 90 days data retention. In other words it will take 90 days for the endpoint to be purged if there is no more communication during that period of 90 days.

Is it normal that I cannot see data from EDR in the XDR dashboard? Wouldn't this create a risk during threat hunting? If I'm not able to view current information, how does having XDR provide any real benefit?

1. Consistency between Endpoint/CMC/XDR... is less than ideal, but it is getting better. I've been in the beta of Device Insights since inception, and how devices between Secure Endpoint/CMC/Orbital get deduped was a mess for a long time... its better, but it still takes time, and you'll see machines with name changes in the gui based on who reported last. I've had a couple of weird instances where one two machines were crosslinked.



1. How are you deploying Secure Endpoint? We push deploy it separately from the CSC package, using SCCM, and send it to a policy that has Orbital off because when Secure Endpoint went to install Orbital it caused issues with the SCCM Task Sequence. Every night we move all machines in the "Build" policy to their normal policy via an automation I wrote. As far as logs go, I'm pretty sure its an MSI, that they're downloading to do the orbital install so the standard Windows logs.



1. The Orbital settings you pointed out: 1 is to turn it on... the other is when does it update. I have mine set to update automatically, e.g. independently from when Secure Endpoint updates happen.




________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

Additionally, I am curious about the difference between the options on the left and the right.
What is the difference between Automatic and With Connector?

Will this solve my problem?

 

And lastly the difference between the two deployments is that:

Automatic: will update as soon as Orbital release new version.

With Connector: will update ONLY with connector upgrade. In other words even if Orbital releases new version it will be not updated unless you upgrade to new Secure Endpoint connector release through the policy.

Which one do you recommend then?

Thanks Roman!

So, in conclusion, is this issue a general problem right now? Is everyone experiencing it? Can’t we find a solution for the "Orbital install failed" error?