In full disclosure, the use case I'm trying to get at was around the capability to issue mass live queries around all my devices in the case where some threat actor could have compromised a group of internal employees. If I issue a bunch of commands right now, what confidence do I have that they will be executed EVER and how do I report on that?

Thoughts?

Well live queries would depend on the system being up and running. If this is part of an investigation I would think something like a scheduled query pack with a high schedule frequency (10 min?) would ensure that you have total reporting in a reasonable timeframe (differential queries I think would come in handy)