title | description | keywords | search.product | search.appverid | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic | ms.date |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Fix unhealthy sensors in Microsoft Defender ATP | Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine. | misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication | eADQiWindows 10XVcnh | met150 | w10 | deploy | library | security | macapara | mjcaparas | medium | dansimp | ITPro | M365-security-compliance | article | 10/23/2017 |
Fix unhealthy sensors in Microsoft Defender ATP
Applies to:
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured.
Inactive machines
An inactive machine is not necessarily flagged due to an issue. The following actions taken on a machine can cause a machine to be categorized as inactive:
Machine is not in use
If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal.
Machine was reinstalled or renamed
A reinstalled or renamed machine will generate a new machine entity in Microsoft Defender Security Center. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Microsoft Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
Machine was offboarded
If the machine was offboarded, it will still appear in the machines list. After 7 days, the machine health state should change to inactive.
Machine is not sending signals
If the machine is not sending any signals for more than 7 days to any of the Microsoft Defender ATP channels for any reason, including conditions that fall under the misconfigured machines classification, a machine can be considered inactive.
Do you expect a machine to be in ‘Active’ status? Open a support ticket.
Misconfigured machines
Misconfigured machines can be further classified as:
- Impaired communications
- No sensor data
Impaired communications
This status indicates that there's limited communication between the machine and the service.
The following suggested actions can help fix issues related to a misconfigured machine with impaired communications:
- Ensure the machine has Internet connection
  The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.
- Verify client connectivity to Microsoft Defender ATP service URLs
  Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs.
If you took corrective actions and the machine status is still misconfigured, open a support ticket.
No sensor data
A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data. Follow these actions to correct known issues related to a misconfigured machine with status ‘No sensor data’:
- Ensure the machine has Internet connection
  The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.
- Verify client connectivity to Microsoft Defender ATP service URLs
  Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs.
- Ensure the diagnostic data service is enabled
  If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
- Ensure that Windows Defender Antivirus is not disabled by policy
  If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, open a support ticket.
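The local checks from the ‘No sensor data’ steps above can be run together on the endpoint from an elevated PowerShell prompt. This is an added example, not part of the original page or Microsoft's own tooling. It assumes the diagnostic data service has the service name DiagTrack and that the antivirus policy switch is the DisableAntiSpyware value under the Windows Defender policy key; neither name appears on this page.

```powershell
# Added example: local health checks for the 'No sensor data' steps.
# Assumptions (not stated on this page): the Windows 10 diagnostic data
# service is named DiagTrack, and the antivirus policy switch is the
# DisableAntiSpyware value under the Windows Defender policy key.

$findings = @()

# 1. Diagnostic data service: must start automatically and be running.
$svc = Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings += 'Diagnostic data service (DiagTrack) was not found.'
} else {
    if ($svc.StartType -ne 'Automatic') {
        $findings += "DiagTrack start type is $($svc.StartType); expected Automatic."
    }
    if ($svc.Status -ne 'Running') {
        $findings += "DiagTrack status is $($svc.Status); expected Running."
    }
}

# 2. WinHTTP proxy: the sensor reports through WinHTTP, so print the
#    machine-wide WinHTTP proxy setting for review against your environment.
$proxy = (& netsh winhttp show proxy) -join "`n"
Write-Output "WinHTTP proxy configuration:`n$proxy"

# 3. Windows Defender Antivirus disabled by policy (assumed value name).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    $findings += 'Windows Defender Antivirus is disabled by policy (DisableAntiSpyware = 1).'
}

# Summarize: warnings for each problem found, or a clean result.
if ($findings.Count -eq 0) {
    Write-Output 'No local misconfiguration found by these checks.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The script only reads state and changes nothing. Connectivity to the Microsoft Defender ATP service URLs still has to be verified separately.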