Fix unhealthy sensors in Microsoft Defender for Endpoint


Devices that are categorized as misconfigured or inactive are flagged for different reasons. This article provides information about why a device might be categorized as inactive or misconfigured.

Inactive devices

An inactive device isn't necessarily flagged because of an issue. The following actions taken on a device can cause a device to be categorized as inactive:

  • Device isn't in use
  • Device was reinstalled or renamed
  • Device was off-boarded
  • Device isn't sending signals

Device isn't in use

Any device that isn't in use for more than seven days retains 'Inactive' status in the portal.

Device was reinstalled or renamed

A new device entity is generated in Microsoft Defender XDR for reinstalled or renamed devices. The previous device entity remains, with an 'Inactive' status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally.

Device was off-boarded

If the device was off-boarded, it still appears in the devices list. After seven days, the device health state should change to inactive.

Device isn't sending signals

If a device doesn't send signals to any Microsoft Defender for Endpoint channel for more than seven days, for any reason, it can be considered inactive. This includes conditions that fall under the misconfigured devices classification.

Do you expect a device to be in 'Active' status? Open a support ticket.

Misconfigured devices

Misconfigured devices can be further classified as:

  • Impaired communications
  • No sensor data

Impaired communications

This status indicates that there's limited communication between the device and the service.

The following suggested actions can help fix issues related to a misconfigured device with impaired communications:

If you took corrective actions and the device status is still misconfigured, open a support ticket.

No sensor data

A misconfigured device with status 'No sensor data' has communication with the service but can only report partial sensor data.

Follow these actions to correct known issues related to a misconfigured device with status 'No sensor data':

  • Ensure the device has Internet connection
    The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.

  • Verify client connectivity to Microsoft Defender for Endpoint service URLs
    Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs.

  • Ensure the diagnostic data service is enabled
    If the devices aren't reporting correctly, you should verify that the Windows diagnostic data service is set to automatically start. Also verify that the Windows diagnostic data service is running on the endpoint.

  • Ensure that Microsoft Defender Antivirus isn't disabled by policy
    If your devices are running a third-party anti-malware client, the Defender for Endpoint agent requires that the Microsoft Defender Antivirus Early Launch anti-malware (ELAM) driver is enabled.

  • For macOS devices that 'sleep' for more than approximately 48 hours (a weekend), Microsoft Defender for Endpoint on macOS still sends Command and Control (CnC) channel data, but doesn't send any Cyber channel data. After the devices are turned on and used on the first business day, the devices will show up as active.

If you took corrective actions and the device status is still misconfigured, open a support ticket.
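
The Windows checks from the list above, gathered into one PowerShell script as an added example (not Microsoft's own tooling). It assumes DiagTrack is the service name of the Windows diagnostic data service and uses Get-MpComputerStatus as a stand-in for inspecting policy directly; the function names are hypothetical.

```powershell
# Added example: local checks for the Windows items in the 'No sensor data' list.
# Run from an elevated PowerShell session on the affected device.

function New-CheckResult($Check, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-DiagnosticDataService {
    # Assumption: DiagTrack is the service name of the diagnostic data service.
    # The service must be set to start automatically AND be running right now.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DiagTrack'"
    if (-not $svc) {
        return New-CheckResult 'Diagnostic data service' $false 'DiagTrack not found'
    }
    $ok = ($svc.StartMode -eq 'Auto') -and ($svc.State -eq 'Running')
    New-CheckResult 'Diagnostic data service' $ok "StartMode=$($svc.StartMode), State=$($svc.State)"
}

function Get-WinHttpProxy {
    # The sensor reports through WinHTTP, so the machine-wide WinHTTP proxy is
    # what matters here, not the per-user browser proxy. netsh output is
    # localized, so it is surfaced for review rather than parsed.
    $out = (& netsh.exe winhttp show proxy | Where-Object { $_.Trim() }) -join ' | '
    New-CheckResult 'WinHTTP proxy' ($LASTEXITCODE -eq 0) $out
}

function Test-DefenderAntivirus {
    # Get-MpComputerStatus throws when the Defender Antivirus service is
    # unavailable; that failure is itself a finding for this check.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        New-CheckResult 'Microsoft Defender Antivirus' ([bool]$mp.AMServiceEnabled) "AMRunningMode=$($mp.AMRunningMode)"
    } catch {
        New-CheckResult 'Microsoft Defender Antivirus' $false $_.Exception.Message
    }
}

$results = @(Test-DiagnosticDataService; Get-WinHttpProxy; Test-DefenderAntivirus)
$results | Format-Table -AutoSize -Wrap
if ($results.Ok -contains $false) {
    Write-Warning 'One or more checks failed; review the Detail column.'
}
```

The WinHTTP row only shows which proxy the sensor will use. Whether that proxy allows traffic to the Defender for Endpoint service URLs still has to be verified separately.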
