Forum Discussion

Daniel3011
Copper Contributor
Aug 17, 2023

Defender for Endpoint / Antivirus components state unknown

We have multiple devices (Win10, Server 2019, Server 2016) which are showing up with unknown antivirus signatures, engine version and platform version. Some of those devices have a current timestamp in the Defender for Endpoint Portal. Why is the information not switching to "old" instead of "unknown"?


So my exact question is: when does a device show up as unknown? When the Azure AD LastSeen timestamp is older than x days?

  • robarismail
    Copper Contributor
    The "unknown" status for antivirus components and other device information can occur for various reasons. The status might not necessarily switch to "old" because the term "unknown" indicates that the Defender for Endpoint portal hasn't received recent data updates from those devices.

    Below are some troubleshooting steps to take while facing this issue:

    • Ensure that the devices have an active internet connection and can communicate with Microsoft Defender for Endpoint services. Check for any network restrictions or firewall rules that might be blocking the communication.
    • Make sure that the necessary URLs and endpoints for Defender for Endpoint are whitelisted if you have network filtering in place.
    • Check if there are any pending updates or issues with the Defender for Endpoint client itself.
    • Make sure that real-time protection and cloud-delivered protection are enabled on the devices.
    • While the Azure AD LastSeen timestamp might not directly trigger the "unknown" status, it's important to ensure that devices are syncing properly with Azure AD.
    • Check the Azure AD device sync logs for any errors or warnings related to device synchronization.
    • On the devices showing the "unknown" status, investigate the event logs for any errors or warnings related to Defender for Endpoint or security components.
    • On a specific device showing the "unknown" status, you can try forcing a data synchronization with the Defender for Endpoint portal.
    • Open an elevated command prompt and run the following command:

    "%ProgramFiles%\Windows Defender Advanced Threat Protection\MpCmdRun.exe" -restorepoint -listall

    This command will trigger a data synchronization with the portal.
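As an added example (not part of this thread or of any Microsoft documentation), the following PowerShell script collects on one device the same values the portal reports as "unknown" (platform, engine and signature versions) and checks the items from the steps above: the MDE sensor service, real-time protection, cloud-delivered protection and cloud connectivity. It assumes the built-in Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference), a service named Sense, MpCmdRun.exe under %ProgramFiles%\Windows Defender, and an elevated session; the 7-day signature-age threshold is an arbitrary choice.

```powershell
# Added example: local triage of a device showing "unknown" AV component state in the MDE portal.
# Assumptions: Defender PowerShell module present, MDE sensor service is named "Sense",
# MpCmdRun.exe lives under %ProgramFiles%\Windows Defender, run as administrator.
$MaxSignatureAgeDays = 7   # assumed threshold, adjust to your update policy

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference
$sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
$senseState = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

# The three values the portal shows as "unknown" when it has no recent data
$report = [ordered]@{
    Computer             = $env:COMPUTERNAME
    PlatformVersion      = $status.AMProductVersion
    EngineVersion        = $status.AMEngineVersion
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    CloudProtectionMAPS  = $prefs.MAPSReporting   # 0 = off, 1 = basic, 2 = advanced
    SenseServiceStatus   = $senseState
}

# Findings that map to the troubleshooting steps in the answer above
$findings = @()
if ($senseState -ne 'Running') {
    $findings += "MDE sensor service (Sense) is $senseState; the portal cannot receive fresh data."
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings += 'Real-time protection is disabled.'
}
if ($prefs.MAPSReporting -eq 0) {
    $findings += 'Cloud-delivered protection (MAPS) is disabled.'
}
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old (limit $MaxSignatureAgeDays)."
}

# Verify the device can reach the Defender cloud using the documented MpCmdRun switch
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (Test-Path $mpCmdRun) {
    $mapsOutput = & $mpCmdRun -ValidateMapsConnection 2>&1
    if ($LASTEXITCODE -ne 0) {
        $findings += "MAPS connectivity check failed: $($mapsOutput -join ' ')"
    }
} else {
    $findings += "MpCmdRun.exe not found at $mpCmdRun (check the platform installation)."
}

[pscustomobject]$report | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No local issues found.' }
```

Run it on a device that shows "unknown" in the portal and compare the reported versions with what the portal has; if the local values are current but the Sense service or MAPS check fails, the gap is in reporting, not in the antivirus components themselves.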
