How Microsoft Defender Health Status is Determined
Microsoft Defender reports health status about its endpoint agent. Defender Manager collects this information and uses it to display the overall health status of a managed Defender device.
This article describes the various items that are considered as part of a health status check. If Microsoft Defender reports any of these status indicators, Defender Manager will mark the device as unhealthy.
Specific health status indicators are displayed on the Defender Tab in the Device Details page, as seen below:
In the example above, the device is unhealthy because the Status indicates that the service is not running.
Note: Disabling certain features, such as real-time scanning, does not indicate an unhealthy device, as it may be the customer's desired configuration.
Service not running.
Service started without any malware protection engine.
Pending full scan due to threat action.
Pending reboot due to threat action.
Pending manual steps due to threat action.
Antivirus signatures out of date.
Antispyware signatures out of date.
No quick scan has happened for a specified period.
No full scan has happened for a specified period.
There are samples pending submission.
Product is running in non-genuine Windows mode.
Service is shutting down as part of system shutdown.
Threat remediation failed critically.
Threat remediation failed non-critically.
The platform is out of date.
Platform update is in progress.
The platform is about to be outdated.
The signature or platform end of life is past or is pending.
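Added example (not Defender Manager's own code): a decoder that splits a raw Defender product-status value into the indicators listed above. It assumes the status arrives as the bitmask documented for Microsoft's Defender CSP Health/ProductStatus node, and it treats flags that are not in this article's list as informational, which is also an assumption.

```python
# Added example: decode a Defender product-status bitmask into the page's indicators.
# Assumption: bit positions follow Microsoft's Defender CSP Health/ProductStatus node.
# Third field: True when the indicator appears in this article's unhealthy list.
FLAGS = [
    (0, "Service not running", True),
    (1, "Service started without any malware protection engine", True),
    (2, "Pending full scan due to threat action", True),
    (3, "Pending reboot due to threat action", True),
    (4, "Pending manual steps due to threat action", True),
    (5, "Antivirus signatures out of date", True),
    (6, "Antispyware signatures out of date", True),
    (7, "No quick scan has happened for a specified period", True),
    (8, "No full scan has happened for a specified period", True),
    (9, "System initiated scan in progress", False),
    (10, "System initiated clean in progress", False),
    (11, "There are samples pending submission", True),
    (12, "Product running in evaluation mode", False),
    (13, "Product is running in non-genuine Windows mode", True),
    (14, "Product expired", False),
    (15, "Off-line scan required", False),
    (16, "Service is shutting down as part of system shutdown", True),
    (17, "Threat remediation failed critically", True),
    (18, "Threat remediation failed non-critically", True),
    (19, "No status flags set (well initialized state)", False),
    (20, "The platform is out of date", True),
    (21, "Platform update is in progress", True),
    (22, "The platform is about to be outdated", True),
    (23, "The signature or platform end of life is past or is pending", True),
]
KNOWN_MASK = sum(1 << bit for bit, _, _ in FLAGS)

def evaluate(status: int) -> dict:
    """Split a raw status value into unhealthy, informational and unknown parts."""
    if status < 0:
        raise ValueError("status must be a non-negative integer")
    set_flags = [(name, bad) for bit, name, bad in FLAGS if status & (1 << bit)]
    unhealthy = [name for name, bad in set_flags if bad]
    return {
        "healthy": not unhealthy,
        "unhealthy": unhealthy,
        "informational": [name for name, bad in set_flags if not bad],
        "unknown_bits": status & ~KNOWN_MASK,  # bits outside the table above
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from a real device.
    for sample in (0x1, 0x200, 0x100020, 1 << 24):
        print(hex(sample), evaluate(sample))
```

A non-zero unknown_bits value means the agent reported a flag the table does not cover, so it is worth reviewing rather than silently treating the device as healthy.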