Investigate agent health issues

Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
The following table describes the values that are returned when you run the `mdatp health` command.

| Value | Description |
|---|---|
| `app_version` | Displays the Microsoft Defender application version. |
| `automatic_definition_update_enabled` | `true` if automatic antivirus definition updates are enabled; otherwise, `false`. |
| `behavior_monitoring` | Detects and prevents real-time threats by monitoring the behavior of applications, services, and files. Can have one of the following values: `disabled`, `default`, `enabled`. |
| `cloud_automatic_sample_submission_consent` | Current sample submission level. Can have one of the following values: `none` (no suspicious samples are submitted to Microsoft); `safe` (only suspicious samples that don't contain personal data are submitted automatically; this is the default value for this setting); `all` (all suspicious samples are submitted to Microsoft). |
| `cloud_diagnostic_enabled` | `true` if optional diagnostic data collection is enabled; otherwise, `false`. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see the Microsoft Privacy Statement. |
| `cloud_enabled` | `true` if cloud-delivered protection is enabled; otherwise, `false`. |
| `conflicting_applications` | List of applications that possibly conflict with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues. |
| `definitions_status` | Status of antivirus definitions. Can have one of the following values: `up_to_date`, `updating`, `unavailable`. |
| `definitions_updated` | Date and time of the last antivirus definition update. |
| `definitions_updated_minutes_ago` | Number of minutes since the last antivirus definition update. |
| `definitions_version` | Antivirus definition version. |
| `edr_client_version` | Version of the EDR client running on the device. |
| `edr_configuration_version` | EDR configuration version. |
| `edr_device_tags` | List of tags associated with the device. |
| `edr_early_preview_enabled` | Setting of EDR early preview. Can have one of the following values: `disabled`, `enabled`. |
| `edr_group_ids` | Group ID that the device is associated with. |
| `edr_machine_id` | Device identifier used in the Microsoft Defender portal. |
| `engine_load_status` | Status of the antivirus engine, used to determine whether it's running. Can have one of the following values: `Engine not loaded` (the antivirus engine process is down); `Engine load succeeded` (the antivirus engine process is up and running). |
| `engine_version` | Version of the antivirus engine. |
| `healthy` | `true` if the product is healthy; otherwise, `false`. |
| `health_issues` | Lists health issues, if any. |
| `licensed` | `true` if the device is onboarded to a tenant; otherwise, `false`. |
| `log_level` | Current log level for the product. Can have one of the following values: `info`, `debug`. |
| `machine_guid` | Unique machine identifier used by the antivirus component. |
| `network_protection_enforcement_level` | Mode of network protection. Can have one of the following values: `disabled` (all components associated with network protection are disabled); `block` (network protection prevents connections to malicious websites); `audit` (lets you check how blocks occur). |
| `network_protection_status` | Status of the network protection component (macOS only). Can have one of the following values: `starting` (network protection is starting); `failed_to_start` (network protection couldn't be started due to an error); `started` (network protection is running on the device); `restarting` (network protection is restarting); `stopping` (network protection is stopping); `stopped` (network protection isn't running). |
| `org_id` | Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, it shows as `unavailable`. For more information on onboarding, see Onboard to Microsoft Defender for Endpoint. |
| `passive_mode_enabled` | `true` if the antivirus component is set to run in passive mode; otherwise, `false`. |
| `product_expiration` | Date and time when the current product version reaches end of support. |
| `real_time_protection_available` | `true` if the real-time protection component is healthy; otherwise, `false`. |
| `real_time_protection_enabled` | `true` if real-time antivirus protection is enabled; otherwise, `false`. |
| `real_time_protection_subsystem` | Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, it shows as `unavailable`. |
| `release_ring` | Release ring. For more information, see Deployment rings. |
| `supplementary_events_subsystem` | Subsystem that provides supplementary event data. Can have one of the following values: `ebpf` (the default from app version 101.2408.0000); `auditd`. |
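The states the table flags as unhealthy (`healthy` false, `org_id` unavailable, definitions not `up_to_date` or stale, real-time protection off, passive mode, conflicting applications) can be checked automatically. The script below is an added example, not part of the original page or of the mdatp tooling; it assumes the CLI prints one `key : value` line per setting with string values in double quotes, and runs against a constructed sample report so it works offline.

```shell
#!/bin/sh
# Constructed sample of `mdatp health` output (not captured from a real device).
# Assumed format: one "key : value" line per setting, strings in double quotes.
SAMPLE_HEALTH='healthy                         : false
health_issues                   : ["definitions_status: updating"]
licensed                        : true
org_id                          : "unavailable"
passive_mode_enabled            : false
real_time_protection_enabled    : true
definitions_status              : "updating"
definitions_updated_minutes_ago : 1500
conflicting_applications        : ["/opt/other-av/bin/scanner"]'

# health_value KEY REPORT: print the value for KEY with padding and quotes stripped.
health_value() {
  printf '%s\n' "$2" | sed -n "s/^$1 *: *//p" | sed 's/^"//; s/"$//'
}

# mdatp_health_findings REPORT: print one finding per line for the states the
# table above describes as unhealthy; exit 1 if anything was found, else 0.
mdatp_health_findings() {
  report="$1"
  findings=""
  note() { findings="${findings}$1
"; }
  [ "$(health_value healthy "$report")" = "true" ] \
    || note "healthy is not true: $(health_value health_issues "$report")"
  [ "$(health_value licensed "$report")" = "true" ] \
    || note "device is not onboarded (licensed=false)"
  [ "$(health_value org_id "$report")" != "unavailable" ] \
    || note "org_id unavailable: onboarding incomplete"
  [ "$(health_value real_time_protection_enabled "$report")" = "true" ] \
    || note "real-time protection is disabled"
  [ "$(health_value passive_mode_enabled "$report")" = "false" ] \
    || note "antivirus is running in passive mode"
  status=$(health_value definitions_status "$report")
  [ "$status" = "up_to_date" ] || note "definitions_status=$status"
  mins=$(health_value definitions_updated_minutes_ago "$report")
  [ "${mins:-0}" -le 1440 ] || note "definitions last updated ${mins} minutes ago (>24h)"
  apps=$(health_value conflicting_applications "$report")
  [ "$apps" = "[]" ] || note "conflicting applications present: $apps"
  printf '%s' "$findings"
  [ -z "$findings" ]
}

# Stand-alone run on the sample; on a real device pass "$(mdatp health)" instead.
if mdatp_health_findings "$SAMPLE_HEALTH"; then echo "no findings"; fi
```

The 24-hour staleness threshold is a constructed policy value, not one the page prescribes; adjust it to match your definition update schedule.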
Component-specific health

You can get more detailed health information for individual Defender features with `mdatp health --details <feature>`. For example:

```
mdatp health --details edr
mdatp health --details definitions
mdatp health --details help
```

On recent versions, you can run `mdatp health --help` to list all supported features.