We're noticing that some of our Microsoft Defender for Endpoint Sensors are not working properly. How do we start to troubleshoot these issues?
Microsoft Defender for Endpoint
- The best place to start is with the Microsoft Defender for Endpoint Troubleshooting documentation. There are many helpful steps and instructions in these articles that may help you find a solution to your specific problem.
The basic steps are as follows:
- Start by checking "Sensor Health Status." Sensor Health helps to provide information on the individual device's ability to provide sensor data and communicate with the Defender for Endpoint service.
- The next step is to "Fix Unhealthy Sensors." There are 3 primary Sensor Health States:
- Active = Devices that are actively reporting to the Defender for Endpoint service
- Misconfigured = These devices might partially be reporting sensor data to the Defender for Endpoint service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues:
- No sensor data - Device has stopped sending sensor data. Limited alerts can be triggered from the device.
- Impaired communications - Ability to communicate with device is impaired. Sending files for deep analysis, blocking files, isolating device from network and other actions that require communication with the device may not work.
- Inactive = Devices that have stopped reporting to the Defender for Endpoint service.
- Next, review events and errors using Event Viewer. The Windows Event Viewer can provide deeper insight into the problems a Sensor may be experiencing. Use the Event ID table that is provided in the article to help you analyze the Event logs.
- Finally, try running the Microsoft Defender for Endpoint Client Analyzer.
- The Microsoft Defender for Endpoint Client Analyzer (MDECA) can be useful when diagnosing sensor health or reliability issues on onboarded devices running either Windows, Linux, or macOS. For example, you may want to run the analyzer on a machine that appears to be unhealthy according to the displayed sensor health status (Inactive, No Sensor Data or Impaired Communications) in the security portal.
- Besides obvious sensor health issues, MDECA can collect other traces, logs, and diagnostic information for troubleshooting complex scenarios such as:
- Application compatibility (AppCompat), performance, network connectivity, or
- Unexpected behavior related to Endpoint Data Loss Prevention.
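The steps above, collected into one local triage script as an added example (this is not code from the original answer or from Microsoft). It assumes the standard sensor service name (`Sense`), the onboarding status registry key and the `Microsoft-Windows-SENSE/Operational` event log; verify those names against the Microsoft article for your platform, and run it elevated so the event log can be read.

```powershell
# Added example: local check of an onboarded Windows device against the
# "Sensor Health" and "Event Viewer" steps described above.
# Assumed names (confirm against the Microsoft troubleshooting article):
#   Service:   Sense
#   Registry:  HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status
#   Event log: Microsoft-Windows-SENSE/Operational
function Get-MdeSensorTriage {
    param([int]$LookbackHours = 24)

    $result = [ordered]@{}

    # 1. Is the sensor service installed and running?
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # 2. Does the device report itself as onboarded? (assumed: OnboardingState 1 = onboarded)
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = if ($null -eq $state) { 'Unknown' } else { $state }

    # 3. Recent Error (2) and Warning (3) events from the sensor's operational log,
    #    grouped by Event ID so they can be looked up in the article's Event ID table.
    $filter = @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $result.RecentProblemEvents = @($events | Group-Object Id | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Id     = $_.Name
                Count  = $_.Count
                Sample = ($_.Group[0].Message -split "`n")[0]
            }
        })

    # 4. Rough verdict that mirrors the portal's health states.
    $result.Verdict = if ($result.ServiceStatus -ne 'Running') { 'Likely Inactive: sensor service not running' }
                      elseif ($result.OnboardingState -ne 1) { 'Likely Misconfigured: device not onboarded' }
                      elseif ($result.RecentProblemEvents.Count -gt 0) { 'Events found: compare IDs with the Event ID table' }
                      else { 'No local issue found: compare with Sensor Health in the portal' }

    [pscustomobject]$result
}

Get-MdeSensorTriage -LookbackHours 24 | Format-List
```

If the verdict points at events but the IDs are unfamiliar, the Client Analyzer (MDECA) mentioned above collects the same logs plus connectivity traces for a support case.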