Sep 12 2024 02:37 PM
I’ve been reviewing some unusual behavior in our Defender for Endpoint health status across several macOS devices. Specifically, we've been seeing "No Sensor Data" instead of the expected "Inactive" state after periods of inactivity.
According to Microsoft's documentation, this could be related to macOS devices sleeping for over 48 hours - https://learn.microsoft.com/en-us/defender-endpoint/fix-unhealthy-sensors?view=o365-worldwide
However, this explanation doesn't fully align with what I’ve observed in my environment.
For example:
One macOS device (Device 1) showed "No Sensor Data" on both Thursday, September 05, and Friday, September 06, even though our MDM tool scanned it as online/live on both days. It eventually resolved itself after more than 5 days.
Another macOS device (Device 2) turned "Active" on Saturday, September 07, only to switch back to "No Sensor Data" on Sunday, September 08, and then back to "Active" again on Monday, September 09.
Timeline:
Thursday, September 05:
macOS Device 1: No Sensor Data
Friday, September 06:
macOS Device 1: No Sensor Data
macOS Device 2: No Sensor Data
macOS Device 3: No Sensor Data
Saturday, September 07:
macOS Device 2: Turned Active
Sunday, September 08:
macOS Device 2: Turned back to No Sensor Data
Monday, September 09:
macOS Device 2: Turned Active
macOS Device 4: Turned to No Sensor Data
Tuesday, September 10:
macOS Device 4: Turned Active
Wednesday, September 11:
macOS Device 1: Turned Active (more than 5 days later)
Has anyone else experienced this type of fluctuation between "No Sensor Data" and "Active" with macOS devices?