How Microsoft Defender health status is determined

Where does Defender Health status come from?

Microsoft Defender reports the health status of its endpoint agent. Defender Manager collects this information and uses it to display the overall health status of a managed Defender device.

Defender Manager marks a device as unhealthy if the device reports any of the health indicators listed below.

Specific Health status indicators will be displayed on the Defender tab on the Device Details page, as seen below:
[Screenshot: health status indicators on the Defender tab of the Device Details page]

In the example above, the device is unhealthy because its Status reads "Service is not running."

Disabling certain features, such as real-time scanning, does not indicate an unhealthy device, as it may be the organization's desired configuration.

Defender Health Indicators

SERVICE_UNAVAILABLE

Service is not running.

MPENGINE_UNAVAILABLE

Service started without any malware protection engine.

THREAT_FULLSCAN_REQUIRED

Pending full scan due to threat action

THREAT_REBOOT_REQUIRED

Pending reboot due to threat action

THREAT_MANUAL_STEPS_REQUIRED

Pending manual steps due to threat action

DUE_AV_SIGNATURE

Antivirus signatures are out of date

DUE_AS_SIGNATURE

Antispyware signatures are out of date

DUE_QUICK_SCAN

No quick scan has happened for a specified period.

DUE_FULL_SCAN

No full scan has happened for a specified period.

DUE_SAMPLES

There are samples pending submission.

NONGENUINE

Product is running in non-genuine Windows mode.

PRODUCT_EXPIRED

Product expired

SERVICE_ON_SYSTEM_SHUTDOWN

Service is shutting down as part of system shutdown.

SERVICE_CRITICAL_FAILURE

Threat remediation failed critically

SERVICE_NON_CRITICAL_FAILURE

Threat remediation failed non-critically

DUE_PLATFORM_UPDATE

The platform is out of date.

INPROGRESS_PLATFORM_UPDATE

Platform update is in progress.

PLATFORM_ABOUT_TO_BE_OUTDATED

The platform is about to be outdated.

END_OF_LIFE

The signature or platform end of life is past or is pending.
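
The indicators above line up with the flags in Microsoft Defender's ProductStatus bitmask, so the "any indicator means unhealthy" rule can be checked directly against a raw status value. The following is an added example, not Defender Manager's own code: the bit positions are an assumption taken from Microsoft's Defender CSP Health/ProductStatus table, that Defender Manager reads this field is also an assumption, and the device names and status values are constructed.

```python
"""Added example: decode a Defender ProductStatus bitmask into this page's indicators."""

# Indicator names are the ones listed on this page. Bit positions are an
# assumption taken from Microsoft's Defender CSP "Health/ProductStatus" table;
# verify them against the current documentation before relying on them.
INDICATOR_BITS = {
    0: "SERVICE_UNAVAILABLE",
    1: "MPENGINE_UNAVAILABLE",
    2: "THREAT_FULLSCAN_REQUIRED",
    3: "THREAT_REBOOT_REQUIRED",
    4: "THREAT_MANUAL_STEPS_REQUIRED",
    5: "DUE_AV_SIGNATURE",
    6: "DUE_AS_SIGNATURE",
    7: "DUE_QUICK_SCAN",
    8: "DUE_FULL_SCAN",
    11: "DUE_SAMPLES",
    13: "NONGENUINE",
    14: "PRODUCT_EXPIRED",
    16: "SERVICE_ON_SYSTEM_SHUTDOWN",
    17: "SERVICE_CRITICAL_FAILURE",
    18: "SERVICE_NON_CRITICAL_FAILURE",
    20: "DUE_PLATFORM_UPDATE",
    21: "INPROGRESS_PLATFORM_UPDATE",
    22: "PLATFORM_ABOUT_TO_BE_OUTDATED",
    23: "END_OF_LIFE",
}


def decode_indicators(product_status: int) -> list[str]:
    """Return the page's indicator names whose bit is set, lowest bit first."""
    if product_status < 0:
        raise ValueError("ProductStatus is an unsigned bitmask")
    return [name for bit, name in sorted(INDICATOR_BITS.items())
            if product_status & (1 << bit)]


def assess(product_status: int) -> tuple[str, list[str]]:
    """Apply the page's rule: any listed indicator makes the device unhealthy."""
    indicators = decode_indicators(product_status)
    return ("unhealthy" if indicators else "healthy"), indicators


# Constructed sample values (not taken from real devices).
SAMPLES = {
    "ws-01": 0x80000,          # bit 19 only: not one of this page's indicators
    "ws-02": 0x1,              # service is not running
    "ws-03": 0x20 | 0x100000,  # stale AV signatures plus outdated platform
    "ws-04": 0x200,            # bit 9 only: not listed on this page
}

if __name__ == "__main__":
    for device, status in SAMPLES.items():
        print(device, *assess(status))
```

Bits that do not correspond to an indicator on this page are ignored by the decoder, so a status value made up only of such bits is reported as healthy.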