What does the Antivirus status mean? Disabled, Not supported, Not updated, Unknown

Not applicable

 What steps need to be taken to get the devices to show status as Updated

1 Reply
best response
Hi @Deleted,

Device health and compliance report in Microsoft Defender for Endpoint

Disabled, it means that the Microsoft Defender Antivirus is disabled. Such as by using this policy (or mdm policy) "Turn off Microsoft Defender Antivirus" Reference:

Or if you are running a 3rd party antivirus which might disable Microsoft Defender Antivirus.
Please review:

"Not updated", the "Security Intelligence Update" (Signature/Definitions) might be outdated. Depending on the management product that you are using, make sure that the systems are getting an updated "Security intelligence update" that is not older than 3-10 days (ideally < 1 day).

Reference: Manage the sources for Microsoft Defender Antivirus protection updates
Manage Microsoft Defender Antivirus updates and apply baselines

"Not supported" can be OS'es such as iOS which do not have an antimalware.

"Unknown" can be, if you have Windows Server 2012 R2 and/or Windows Server 2016, and you are not using the latest unified MDE for downlevel Windows Servers.
For details: Defending Windows Server 2012 R2 and 2016
If you are running MDE for macOS or MDE for Linux, make sure that you have the bits from at least March of 2022 (ideally 101.73.77 which enables the new antimalware engine). For more info, check out "What's new" here: and
For more info about the new antimalware engine:
Enhanced antimalware engine capabilities for Linux and macOS

Yong Rhee - MSFT