Defender Antivirus status "not updated"


Antivirus intelligence updates are released multiple times a day. Our W10 endpoints update successfully, but the Defender for Endpoint AV status still shows "not updated" on a large number of endpoints. When I manually check these endpoints, some are behind by at most a day.

When (after how many days or missed updates) does Defender AV show endpoints as "not updated"?


(Note: the number of days before definitions are considered out of date is set to the default, 14 days.)

1 Reply

@Niels van Dijk 

We spoke with our devs regarding your questions/issues.  They confirmed that it can take up to 24 hours for a newer signature to appear in the MDE portal.  The process looks like this:

  1. MsSense.exe collects version info via IWscProduct::get_SignatureStatus API method
  2. TVM will then collect this info anywhere from 12-24 hours and feed it to the DB servers (MDE Portal)

Our devs are looking at reducing this time, but doing so may introduce performance related issues.

If you need accurate/up-to-date Def/Sig information from your clients, you should not be using MDE for this.  You should use Intune or SCCM.

For Intune, please see this link:

Announcing new Endpoint Security Antivirus reports!

https://techcommunity.microsoft.com/t5/intune-customer-success/announcing-new-endpoint-security-anti...

For SCCM, please see this link:

How to Monitor Endpoint Protection in Configuration Manager

https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh508769(v=te...

For the “Antivirus status” column, Updated means the last time TVM pulled the data had the most current Def/Sig that it was aware of.  Not Updated means the sig/def was old.
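The reply above says the portal column reflects whatever TVM last pulled, up to 24 hours earlier, so the reliable check is the endpoint's own signature age. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the local Defender status with Get-MpComputerStatus, applies the same 14-day threshold the question mentions, and flags hosts whose signature is under a day old as likely portal lag rather than a real gap. Host names are placeholders.

```powershell
# Added example, not from the thread: verify Defender AV signature age on the
# endpoint itself instead of trusting the MDE "Antivirus status" column, which
# (per the reply above) reflects data TVM pulled 12-24 hours earlier.
# Assumes Windows 10 with the Defender module (Get-MpComputerStatus) available.

function Get-SignatureFreshness {
    param(
        [int]$OutOfDateDays = 14,          # the thread's default "out of date" threshold
        [datetime]$Now = (Get-Date)
    )
    $status = Get-MpComputerStatus -ErrorAction Stop
    $age    = $Now - $status.AntivirusSignatureLastUpdated

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        SignatureVersion  = $status.AntivirusSignatureVersion
        LastUpdated       = $status.AntivirusSignatureLastUpdated
        AgeHours          = [math]::Round($age.TotalHours, 1)
        # Local verdict using the same day-based threshold as the portal setting
        LocalVerdict      = $(if ($age.TotalDays -gt $OutOfDateDays) { 'Not updated' } else { 'Updated' })
        # A host updated less than a day ago may still show "not updated" in the
        # portal until the next TVM collection; flag it so it is not chased as a fault.
        PortalLagPossible = ($age.TotalHours -lt 24)
    }
}

# Run locally, or fan out to the hosts the portal flags (names are placeholders).
$targets = @('HOST01', 'HOST02')
$results = Invoke-Command -ComputerName $targets `
    -ScriptBlock ${function:Get-SignatureFreshness} -ErrorAction Continue
$results | Sort-Object AgeHours -Descending |
    Format-Table Computer, SignatureVersion, LastUpdated, AgeHours, LocalVerdict, PortalLagPossible -AutoSize
```

Hosts with LocalVerdict "Not updated" are genuinely stale and worth investigating; hosts with PortalLagPossible set to True should clear on their own once TVM collects again.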