Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Managed Microsoft Defender
Environment: Windows OS
Summary: Why does the endpoint show as Unhealthy due to outdated definitions?
Overview
In some cases, an Endpoint may be marked as Unhealthy with a sub status of "Definitions Outdated." This is usually due to an endpoint that has not received a signature update within the last 7 days. However, in a small number of cases, even a manual signature update does not resolve this issue, and the endpoint is still marked as Unhealthy.
This article discusses what actions should be taken in order to understand and identify why the endpoint is still marked as Unhealthy due to an outdated signature.
Manually trigger a signature update
This can be done either at the Managed Defender table view as a bulk action, or it can be done for an individual endpoint:
Check Network Inspection Version
In some cases, despite a manual signature update, the endpoint still reports that definitions are out of date. When that happens, the next item to check is the Network Inspection version:
If the Network Inspection version is set to 119.0.0.0 and does not appear to be updating even with a Manual Update, then it's important to check the Windows OS build.
If the OS Build is 16299 or earlier, then in most cases, upgrading the Windows OS Build will allow the endpoint to obtain a new Network Inspection engine version and subsequently update the Network Inspection signature version.
For Windows 8.1 machines, there is currently no additional OS build upgrade available. Huntress has identified and acknowledged this for 8.1 machines and is working on a resolution.
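The checks above can be reproduced locally on an endpoint with the built-in Defender cmdlets. The script below is an added example and is not Huntress's or Microsoft's code: it assumes Microsoft Defender Antivirus is installed so that Get-MpComputerStatus and Update-MpSignature are available, takes the 7-day signature age, the 119.0.0.0 Network Inspection version and the 16299 build threshold from this article, and assumes build 9600 identifies Windows 8.1 (that number is not stated on this page). The function name Get-DefenderDefinitionHealth is hypothetical.

```powershell
# Added example (not Huntress or Microsoft code): reproduce the article's
# definition-health checks on a single endpoint.
# Assumes Microsoft Defender Antivirus is installed (Get-MpComputerStatus,
# Update-MpSignature available). Thresholds 7 days / 119.0.0.0 / 16299 come
# from the article; Windows 8.1 = build 9600 is an assumption made here.

function Get-DefenderDefinitionHealth {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 7,   # article: unhealthy after 7 days without an update
        [switch]$TriggerUpdate           # perform the manual signature update first
    )

    if ($TriggerUpdate) {
        # Same action as the manual signature update described in the article
        Update-MpSignature -ErrorAction Stop
    }

    $status  = Get-MpComputerStatus -ErrorAction Stop
    $osBuild = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

    $sigAge   = (Get-Date) - $status.AntivirusSignatureLastUpdated
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Check 1: antivirus signature age
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add("Antivirus signatures are $([int]$sigAge.TotalDays) days old (limit $MaxSignatureAgeDays).")
    }

    # Check 2: Network Inspection signature stuck at 119.0.0.0, interpreted by OS build
    if ($status.NISSignatureVersion -eq '119.0.0.0') {
        if ($osBuild -eq 9600) {
            $findings.Add("NIS signature stuck at 119.0.0.0 on Windows 8.1 (build 9600): no OS build upgrade is available.")
        } elseif ($osBuild -le 16299) {
            $findings.Add("NIS signature stuck at 119.0.0.0 on build $osBuild (16299 or earlier): upgrade the Windows OS build.")
        } else {
            $findings.Add("NIS signature at 119.0.0.0 on build $osBuild: not explained by OS build; investigate further.")
        }
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        OSBuild                   = $osBuild
        AntivirusSignatureVersion = $status.AntivirusSignatureVersion
        AntivirusSignatureAgeDays = [math]::Round($sigAge.TotalDays, 1)
        NISEngineVersion          = $status.NISEngineVersion
        NISSignatureVersion       = $status.NISSignatureVersion
        Healthy                   = ($findings.Count -eq 0)
        Findings                  = $findings
    }
}

# Usage: force a manual signature update, then report the result
Get-DefenderDefinitionHealth -TriggerUpdate | Format-List
```

Run it in an elevated PowerShell session on the affected endpoint; the Findings field maps directly onto the three outcomes in this article (signatures simply stale, OS build upgrade required, or Windows 8.1 with no upgrade path), which makes it easy to record why a host remains Unhealthy after the manual update.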