Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using Microsoft Intune family of products, which allows finer control over security features and updates.
You can use Microsoft Defender Antivirus with Update Compliance. You'll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender for Endpoint portal. To learn more about licensing options, see Windows 10 product licensing options.
When you use Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints in your network that are using Microsoft Defender Antivirus, you might encounter problems or issues.
Typically, the most common indicators of a problem are:
- You only see a small number or subset of all the devices you were expecting to see
- You do not see any devices at all
- The reports and information you do see is outdated (older than a few days)
For common error codes and event IDs related to the Microsoft Defender Antivirus service that are not related to Update Compliance, see Microsoft Defender Antivirus events.
There are three steps to troubleshooting these problems:
- Confirm that you have met all prerequisites
- Check your connectivity to the Windows Defender cloud-based service
- Submit support logs
It typically takes 3 days for devices to start appearing in Update Compliance.
In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Microsoft Defender Antivirus:
- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. Using any other antivirus app will cause Microsoft Defender Antivirus to disable itself and the endpoint will not be reported in Update Compliance.
- Cloud-delivered protection is enabled.
- Endpoints can connect to the Microsoft Defender Antivirus cloud
- If the endpoint is running Windows 10 version 1607 or earlier, Windows 10 diagnostic data must be set to the Enhanced level.
- It has been 3 days since all requirements have been met
"You can use Microsoft Defender Antivirus with Update Compliance. You'll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender for Endpoint portal (/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
If you're looking for Antivirus related information for other platforms, see:
- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features
Performance tip Due to a variety of factors (examples listed below) Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's Performance analyzer is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues; some examples are:
- Top paths that impact scan time
- Top files that impact scan time
- Top processes that impact scan time
- Top file extensions that impact scan time
- Combinations – for example:
- top files per extension
- top paths per extension
- top processes per path
- top scans per file
- top scans per file per process
You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. See: Performance analyzer for Microsoft Defender Antivirus.
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.