mooneytech2025
Copper Contributor
Apr 03, 2025

Device Health Status

We have recently been onboarding Server 2019 into Defender. We are using the standard WindowsDefenderATPOnboardingScript.bat file that is available to perform the onboarding. When running the .bat file, it reports back that it ran successfully. After a few hours the servers showed up on the MDE site. However, they are not showing green health check marks for the following options in MDE under overview > Device health status: Security intelligence, Engine, and Platform are all greyed out. I have run the MDE analyzer tool on multiple servers reporting like this and the report returns successful results. PowerShell commands also confirm devices are updating. Why do I have some devices that have all "green" vs "greyed out" states? Sensor status for each of these is healthy also. This also applies to persistent servers and our Citrix application servers. For Citrix application servers we do not onboard the golden image and we are using the standard PS onboarding implementation there.

1 Reply

    1. MDECA should provide a summary of the actual cause.
    2. Check if the Defender base feature (part of the OS image) is enabled. At times, onboarding will succeed as it only adds the device to the tenant, but the base feature must be active and running for all telemetry data to be accurate. (Server Manager -> Local -> Features -> Windows Defender Features: ensure it is enabled.)
    3. Run the below KQL; it will provide agent health. You may run only till line 60: | summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId, OSPlatform


      https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/General%20queries/Endpoint%20Agent%20Health%20Status%20Report.yaml
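
The feature check from step 2 of the reply can also be done from an elevated PowerShell session on the server, together with the local versions that correspond to the Security intelligence, Engine and Platform tiles. This is an added example, not part of the reply or of any Microsoft tool; the function name `Get-DefenderLocalHealth` is hypothetical, and it assumes a Windows Server host where `Get-WindowsFeature` is available.

```powershell
# Added example: local view of the Defender Antivirus feature, services and versions.
function Get-DefenderLocalHealth {
    [CmdletBinding()]
    param()

    # Step 2 of the reply: is the Defender base feature installed in the OS image?
    $feature = Get-WindowsFeature -Name 'Windows-Defender' -ErrorAction SilentlyContinue

    # WinDefend = Defender Antivirus service, Sense = MDE sensor service.
    $services = Get-Service -Name 'WinDefend', 'Sense' -ErrorAction SilentlyContinue

    # Get-MpComputerStatus errors out when the antivirus service is not running.
    $mp = $null
    try { $mp = Get-MpComputerStatus -ErrorAction Stop }
    catch { Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)" }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        FeatureInstallState  = if ($feature) { "$($feature.InstallState)" } else { 'NotFound' }
        WinDefendService     = "$(($services | Where-Object Name -eq 'WinDefend').Status)"
        SenseService         = "$(($services | Where-Object Name -eq 'Sense').Status)"
        RunningMode          = $mp.AMRunningMode              # may be empty on old platform builds
        AntivirusEnabled     = $mp.AntivirusEnabled
        RealTimeProtection   = $mp.RealTimeProtectionEnabled
        SecurityIntelligence = $mp.AntivirusSignatureVersion
        SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
        EngineVersion        = $mp.AMEngineVersion
        PlatformVersion      = $mp.AMProductVersion
    }
}

$result = Get-DefenderLocalHealth
$result | Format-List

# Flag the conditions the reply points at: onboarded sensor, but antivirus not active.
if ($result.FeatureInstallState -ne 'Installed') {
    Write-Warning 'Windows-Defender feature is not installed on this server.'
}
if ($result.WinDefendService -ne 'Running') {
    Write-Warning 'WinDefend service is not running; antivirus versions cannot be reported.'
}
if ($result.SenseService -eq 'Running' -and -not $result.AntivirusEnabled) {
    Write-Warning 'Sensor is running but Defender Antivirus is not enabled.'
}
```

Comparing this output from a "green" server and a "greyed out" server shows whether the difference is local (feature, service or running mode) or only in what the portal displays.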
