How Microsoft Defender health status is determined
Where does Defender Health status come from?
Microsoft Defender reports the health status of its endpoint agent. Defender Manager collects this information and uses it to display the overall health status of a managed Defender device.
Defender Manager will mark a device as unhealthy if it displays any indicators.
Specific Health status indicators will be displayed on the Defender tab on the Device Details page, as seen below:
In the example above, the device is unhealthy because Status: Service is not running.
Disabling certain features, such as real-time scanning, does not indicate an unhealthy device, as it may be the organization's desired configuration.
Defender Health Indicators
|
SERVICE_UNAVAILABLE |
Service is not running. |
|
MPENGINE_UNAVAILABLE |
Service started without any malware protection engine. |
|
THREAT_FULLSCAN_REQUIRED |
Pending full scan due to threat action |
|
THREAT_REBOOT_REQUIRED |
Pending reboot due to threat action |
|
THREAT_MANUAL_STEPS_REQUIRED |
Pending manual steps due to threat action |
|
DUE_AV_SIGNATURE |
Antivirus signatures are out of date |
|
DUE_AS_SIGNATURE |
Antispyware signatures are out of date |
|
DUE_QUICK_SCAN |
No quick scan has happened for a specified period. |
|
DUE_FULL_SCAN |
No full scan has happened for a specified period. |
|
DUE_SAMPLES |
There are samples pending submission. |
|
NONGENUINE |
Product is running in non-genuine Windows mode. |
|
PRODUCT_EXPIRED |
Product expired |
|
SERVICE_ON_SYSTEM_SHUTDOWN |
Service is shutting down as part of system shutdown. |
|
SERVICE_CRITICAL_FAILURE |
Threat remediation failed critically |
|
SERVICE_NON_CRITICAL_FAILURE |
Threat remediation failed non-critically |
|
DUE_PLATFORM_UPDATE |
The platform is out of date. |
|
INPROGRESS_PLATFORM_UPDATE |
Platform update is in progress. |
|
PLATFORM_ABOUT_TO_BE_OUTDATED |
The platform is about to be outdated. |
|
END_OF_LIFE |
The signature or platform end of life is past or is pending. |
