Investigate agent health issues
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
The following table describes the values returned when you run the `mdatp health` command.
Value | Description |
---|---|
automatic_definition_update_enabled | True if automatic antivirus definition updates are enabled, false otherwise. |
cloud_automatic_sample_submission_consent | Current sample submission level. Can be one of the following values: |
cloud_diagnostic_enabled | True if optional diagnostic data collection is enabled, false otherwise. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see Microsoft Privacy Statement. |
cloud_enabled | True if cloud-delivered protection is enabled, false otherwise. |
conflicting_applications | List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues. |
definitions_status | Status of antivirus definitions. |
definitions_updated | Date and time of last antivirus definition update. |
definitions_updated_minutes_ago | Number of minutes since last antivirus definition update. |
definitions_version | Antivirus definition version. |
edr_client_version | Version of the EDR client running on the device. |
edr_configuration_version | EDR configuration version. |
edr_device_tags | List of tags associated with the device. |
edr_group_ids | Group ID that the device is associated with. |
edr_machine_id | Device identifier used in Microsoft Defender XDR. |
engine_version | Version of the antivirus engine. |
healthy | True if the product is healthy, false otherwise. |
licensed | True if the device is onboarded to a tenant, false otherwise. |
log_level | Current log level for the product. |
machine_guid | Unique machine identifier used by the antivirus component. |
network_protection_status | Status of the network protection component (macOS only). Can be one of the following values: |
org_id | Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, this prints unavailable. For more information on onboarding, see Onboard to Microsoft Defender for Endpoint. |
passive_mode_enabled | True if the antivirus component is set to run in passive mode, false otherwise. |
product_expiration | Date and time when the current product version reaches end of support. |
real_time_protection_available | True if the real-time protection component is healthy, false otherwise. |
real_time_protection_enabled | True if real-time antivirus protection is enabled, false otherwise. |
real_time_protection_subsystem | Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, this prints unavailable. |
release_ring | Release ring. For more information, see Deployment rings. |
Component-specific health

You can get more detailed health information for individual Defender features with `mdatp health --details <feature>`. For example:

```console
mdatp health --details edr
edr_early_preview_enabled : "disabled"
edr_device_tags : []
edr_group_ids : ""
edr_configuration_version : "20.199999.main.2022.10.25.03-514032a834557bdd31ac415be6df278d9c2a4c25"
edr_machine_id : "a47ba049f43319ac669b6291ce73275cd445c9cd"
edr_sense_guid : "298a1a8c-04dd-4929-8efd-3bb14cb54b94"
edr_preferred_geo : "unitedstates"
```
You can run `mdatp health --help` on recent versions to list all supported features.
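The table above documents which `mdatp health` values indicate a problem (for example `healthy`, `licensed`, `org_id` or `real_time_protection_subsystem` printing `unavailable`, stale definitions, or entries in `conflicting_applications`), but checking them by eye across a fleet does not scale. The script below is an added example, not part of this page or of the Defender for Endpoint product: it parses the `key : value` layout shown in the `--details edr` output above into typed Python values and then evaluates the documented conditions, returning a list of findings that a monitoring agent could forward. The sample outputs embedded in it are constructed (the org ID, version string and application name are placeholders), the one-day definition-age threshold is an assumption to tune to local policy, and the parser assumes each value fits on one line, as in the output shown on this page.

```python
"""Parse `mdatp health` output and flag the conditions documented in the health table.

Added example; it is not Microsoft's code. Sample outputs below are constructed.
"""
import re
import subprocess
from typing import Any, Dict, List

# One line of the `key : value` layout shown in `mdatp health` output.
_LINE = re.compile(r"^(?P<key>[a-z0-9_]+)\s*:\s*(?P<value>.*)$")

# Assumption: definitions older than one day are considered stale.
MAX_DEFINITION_AGE_MINUTES = 24 * 60


def _parse_value(raw: str) -> Any:
    """Convert a raw token into bool, int, list of str, or str."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith("[") and raw.endswith("]"):
        # List of quoted strings such as ["app-a","app-b"]; [] yields an empty list.
        return re.findall(r'"([^"]*)"', raw)
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw  # unquoted words such as `unavailable` stay as plain strings


def parse_health(text: str) -> Dict[str, Any]:
    """Turn the text output of `mdatp health` into a dict of typed values."""
    values: Dict[str, Any] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            values[m.group("key")] = _parse_value(m.group("value"))
    return values


def evaluate_health(values: Dict[str, Any],
                    max_def_age: int = MAX_DEFINITION_AGE_MINUTES) -> List[str]:
    """Return a list of findings; an empty list means every documented check passed."""
    findings: List[str] = []
    if values.get("healthy") is not True:
        findings.append("product reports healthy=false")
    if values.get("licensed") is not True:
        findings.append("device is not onboarded to a tenant (licensed=false)")
    if values.get("org_id") in (None, "unavailable"):
        findings.append("org_id is unavailable: device not onboarded to an organization")
    if values.get("real_time_protection_enabled") is not True:
        findings.append("real-time protection is disabled")
    if values.get("real_time_protection_available") is not True:
        findings.append("real-time protection component is not healthy")
    if values.get("real_time_protection_subsystem") in (None, "unavailable"):
        findings.append("real-time protection subsystem is unavailable")
    if values.get("cloud_enabled") is not True:
        findings.append("cloud-delivered protection is disabled")
    age = values.get("definitions_updated_minutes_ago")
    if not isinstance(age, int) or age > max_def_age:
        findings.append(f"antivirus definitions are stale ({age} minutes old)")
    conflicts = values.get("conflicting_applications") or []
    if conflicts:
        findings.append("conflicting applications present: " + ", ".join(conflicts))
    if values.get("passive_mode_enabled") is True:
        findings.append("antivirus is in passive mode (confirm this is intended)")
    return findings


# Constructed sample: a device that passes every check.
SAMPLE_HEALTHY = """\
healthy                              : true
licensed                             : true
org_id                               : "00000000-0000-0000-0000-000000000000"
engine_version                       : "1.0.0"
cloud_enabled                        : true
passive_mode_enabled                 : false
real_time_protection_available       : true
real_time_protection_enabled         : true
real_time_protection_subsystem       : "sample_subsystem"
definitions_updated_minutes_ago      : 37
conflicting_applications             : []
edr_device_tags                      : []
"""

# Constructed sample: an un-onboarded device with stale definitions and a conflict.
SAMPLE_DEGRADED = """\
healthy                              : false
licensed                             : false
org_id                               : unavailable
cloud_enabled                        : true
passive_mode_enabled                 : false
real_time_protection_available       : true
real_time_protection_enabled         : true
real_time_protection_subsystem       : unavailable
definitions_updated_minutes_ago      : 4400
conflicting_applications             : ["example-third-party-av"]
"""

if __name__ == "__main__":
    # Run the real command when executed on a device with Defender installed.
    out = subprocess.run(["mdatp", "health"], capture_output=True, text=True, check=True).stdout
    for finding in evaluate_health(parse_health(out)):
        print("FINDING:", finding)
```

Run it on a device as a script to check the live `mdatp health` output, or import `parse_health` and `evaluate_health` into a fleet-monitoring job that collects the output centrally. The parser treats unquoted words (such as `unavailable`) as plain strings so that both quoted and unquoted forms are handled.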
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.