How Microsoft Defender health status is determined

Where does Defender Health status come from?

Microsoft Defender reports the health status of its endpoint agent. Defender Manager collects this information and uses it to display the overall health status of a managed Defender device.

Defender Manager will mark a device as unhealthy if it displays any indicators.

Specific Health status indicators will be displayed on the Defender tab on the Device Details page, as seen below:

In the example above, the device is unhealthy because Status: Service is not running.

Disabling certain features, such as real-time scanning, does not indicate an unhealthy device, as it may be the organization's desired configuration.

Defender Health Indicators

SERVICE_UNAVAILABLE	Service is not running.
MPENGINE_UNAVAILABLE	Service started without any malware protection engine.
THREAT_FULLSCAN_REQUIRED	Pending full scan due to threat action
THREAT_REBOOT_REQUIRED	Pending reboot due to threat action
THREAT_MANUAL_STEPS_REQUIRED	Pending manual steps due to threat action
DUE_AV_SIGNATURE	Antivirus signatures are out of date
DUE_AS_SIGNATURE	Antispyware signatures are out of date
DUE_QUICK_SCAN	No quick scan has happened for a specified period.
DUE_FULL_SCAN	No full scan has happened for a specified period.
DUE_SAMPLES	There are samples pending submission.
NONGENUINE	Product is running in non-genuine Windows mode.
PRODUCT_EXPIRED	Product expired
SERVICE_ON_SYSTEM_SHUTDOWN	Service is shutting down as part of system shutdown.
SERVICE_CRITICAL_FAILURE	Threat remediation failed critically
SERVICE_NON_CRITICAL_FAILURE	Threat remediation failed non-critically
DUE_PLATFORM_UPDATE	The platform is out of date.
INPROGRESS_PLATFORM_UPDATE	Platform update is in progress.
PLATFORM_ABOUT_TO_BE_OUTDATED	The platform is about to be outdated.
END_OF_LIFE	The signature or platform end of life is past or is pending.