Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Managed Windows Defender
Environment: Windows 10 and 11, Server 2016 and higher
Summary: Why does the endpoint show as Unhealthy due to outdated definitions?
Overview
In some cases, an endpoint may be marked as Unhealthy with a sub status of "Definitions Outdated." This is usually due to an endpoint that has not received a signature update within the last 7 days. However, in a small number of cases, even a manual signature update does not resolve this issue, and the endpoint is still marked as Unhealthy.
This article discusses what actions should be taken in order to understand and identify why the endpoint is still marked as Unhealthy due to an outdated signature.
Manually trigger a signature update
This can be done either at the Managed Defender table view as a bulk action, or it can be done for an individual endpoint. In either case, Windows Update must not have any queued or pending updates. For the best chance of success: check for Windows Updates, reboot the machine, and then check for Defender updates.
Check Network Inspection Version
In some cases, despite doing a manual signature update, the endpoint still appears to indicate that definitions are out of date. In this case, the next item to check is to look at the Network Inspection version:
If the Network Inspection version is set to 119.0.0.0 and does not appear to be updating even with a Manual Update, then it's important to check the Windows OS build. If the OS Build is 16299 or earlier, then in most cases, upgrading the Windows OS Build will allow the endpoint to obtain a new Network Inspection engine version and subsequently update the Network Inspection signature version.