We could pick one client at random to check if the Windows Defender is installed successfully by the following picture. If so, but the report to SCCM is not compliant, it seems that the Windows Defender is installed from Microsoft. If not, maybe we could check the ADR from CM is deployed to the client.
The sources are from where the updates will be downloaded, all the client machine will look to config manager first for downloading the definition updates and if they don't get it from there then they will reach out to Microsoft update servers to download the updates after 12 hours....Is this correct?
If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. If not, it will be downloaded from other specified source. For limitation of time, Microsoft has not explained it.
If the response is helpful, please click "Accept Answer" and upvote it.