Fix unhealthy sensors in Microsoft Defender for Endpoint
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft 365 Defender
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
Devices that are categorized as misconfigured or inactive are flagged for varying causes. This section provides some explanations as to what might have caused a device to be categorized as inactive or misconfigured.
Inactive devices
An inactive device isn't necessarily flagged because of an issue. The following actions taken on a device can cause a device to be categorized as inactive:
- Device isn't in use
- Device was reinstalled or renamed
- Device was offboarded
- Device isn't sending signals
Device isn't in use
Any device that isn't in use for more than seven days retains 'Inactive' status in the portal.
Device was reinstalled or renamed
A new device entity is generated in Microsoft 365 Defender for reinstalled or renamed devices. The previous device entity remains, with an 'Inactive' status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally.
Device was offboarded
If the device was offboarded, it still appears in the devices list. After seven days, the device health state should change to inactive.
Device isn't sending signals
If the device isn't sending any signals to any Microsoft Defender for Endpoint channels for more than seven days for any reason, it can be considered inactive; this includes conditions that fall under the misconfigured devices classification.
Do you expect a device to be in 'Active' status? Open a support ticket.
Misconfigured devices
Misconfigured devices can be further classified as:
- Impaired communications
- No sensor data
Impaired communications
This status indicates that there's limited communication between the device and the service.
The following suggested actions can help fix issues related to a misconfigured device with impaired communications:
Ensure the device has an Internet connection
The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
Verify client connectivity to Microsoft Defender for Endpoint service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs.
If you took corrective actions and the device status is still misconfigured, open a support ticket.
No sensor data
A misconfigured device with status 'No sensor data' has communication with the service but can only report partial sensor data.
Follow these actions to correct known issues related to a misconfigured device with status 'No sensor data':
Ensure the device has an Internet connection
The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
Verify client connectivity to Microsoft Defender for Endpoint service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs.
Ensure the diagnostic data service is enabled
If the devices aren't reporting correctly, you should verify that the Windows diagnostic data service is set to automatically start. Also verify that the Windows diagnostic data service is running on the endpoint.
Ensure that Microsoft Defender Antivirus isn't disabled by policy
If your devices are running a third-party antimalware client, the Defender for Endpoint agent requires that the Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled.
If you took corrective actions and the device status is still misconfigured, open a support ticket.
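The diagnostic data service and WinHTTP proxy checks from the steps above, as an added PowerShell example that is not Microsoft's own script. It is read-only, assumes the Windows diagnostic data service is registered under the service name DiagTrack, and its function names are hypothetical.

```powershell
# Added example: read-only checks for two of the 'No sensor data' steps.
# Assumption: the Windows diagnostic data service is registered as 'DiagTrack'.
function Test-DiagnosticDataService {
    param([string]$ServiceName = 'DiagTrack')

    # Win32_Service exposes both the start mode and the current state.
    $svc = Get-CimInstance -ClassName Win32_Service `
        -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{
            Check  = 'Diagnostic data service'
            Status = 'Fix'
            Detail = "Service '$ServiceName' not found"
        }
    }

    # The page asks for two things: automatic start, and currently running.
    $ok = ($svc.StartMode -eq 'Auto') -and ($svc.State -eq 'Running')
    [pscustomobject]@{
        Check  = 'Diagnostic data service'
        Status = if ($ok) { 'OK' } else { 'Fix' }
        Detail = "StartMode=$($svc.StartMode); State=$($svc.State)"
    }
}

function Get-WinHttpProxySummary {
    # netsh prints the machine-wide WinHTTP proxy settings. The text is
    # localized, so it is reported for review rather than parsed and judged.
    $lines = & netsh.exe winhttp show proxy 2>&1 |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ }
    [pscustomobject]@{
        Check  = 'WinHTTP proxy'
        Status = if ($LASTEXITCODE -eq 0) { 'Review' } else { 'Fix' }
        Detail = ($lines | Select-Object -Skip 1) -join ' | '
    }
}

# Run both checks and show one row per check.
$results = @(Test-DiagnosticDataService; Get-WinHttpProxySummary)
$results | Format-Table -AutoSize -Wrap
```

A 'Review' row means the proxy shown must be compared by hand against the proxy your environment expects the device to use.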
See also
- Check sensor health state in Microsoft Defender for Endpoint
- Client analyzer overview
- Download and run the client analyzer
- Run the client analyzer on Windows
- Run the client analyzer on macOS or Linux
- Data collection for advanced troubleshooting on Windows
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.