|
| 1 | +--- |
| 2 | +title: Troubleshoot agent health issues with Defender for Endpoint on Mac |
| 3 | +description: Investigate macOS Defender agent health issues |
| 4 | +author: emmwalshh |
| 5 | +ms.author: ewalsh |
| 6 | +ms.reviewer: lianx; joshbregman |
| 7 | +manager: deniseb |
| 8 | +ms.localizationpriority: medium |
| 9 | +audience: ITPro |
| 10 | +ms.service: defender-endpoint |
| 11 | +ms.subservice: macos |
| 12 | +ms.topic: troubleshooting-general |
| 13 | +ms.date: 03/04/2025 |
| 14 | +ms.collection: |
| 15 | +- m365-security |
| 16 | +- tier3 |
| 17 | +- mde-macos |
| 18 | +search.appverid: met150 |
| 19 | +--- |
| 20 | + |
| 21 | +# Troubleshoot agent health issues |
| 22 | + |
| 23 | +## Defender for Endpoint health status |
| 24 | + |
| 25 | +The following table provides information about the values that are returned when you run the `mdatp health` command and their corresponding descriptions. |
| 26 | + |
| 27 | +| Value | Description | |
| 28 | +|---|---| |
| 29 | +|`app_version` | Displays Microsoft Defender application version.| |
| 30 | +|`automatic_definition_update_enabled`|`True` if automatic antivirus definition updates are enabled; otherwise, `false`.| |
| 31 | +|`cloud_automatic_sample_submission_consent`|Current sample submission level. <br/><br/>Can have one of the following values: <br/>- **None**: No suspicious samples are submitted to Microsoft.<br/>- **safe**: Only suspicious samples that don't contain personal data are submitted automatically. This value is the default value for this setting.<br/>- **All**: All suspicious samples are submitted to Microsoft.| |
| 32 | +|`cloud_diagnostic_enabled`|`True` if optional diagnostic data collection is enabled; otherwise, `false`. <br/><br/>For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).| |
| 33 | +|`cloud_enabled`|`True` if cloud-delivered protection is enabled; otherwise, `false`.| |
| 34 | +|`cloud_pin_certificate_thumbs`| pinned cloud certificate's thumbprints. | |
| 35 | +|`conflicting_applications`|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.| |
| 36 | +|`data_loss_prevention_status`|Status of data loss prevention. Can have one of the following values: <br/>- **unknown**<br/>- **unsupported_os**<br/>- **unsupported_os_version**<br/>- **disabled**<br/>- **unhealthy**<br/>- **dormant**<br/>- **ready**<br/>- **active**| |
| 37 | +|`definitions_status`|Status of antivirus definitions. Can have one of the following values: <br/>- **up_to_date**<br/>- **updating**<br/>- **unavailable**| |
| 38 | +|`definitions_updated`|Date and time of last antivirus definition update.| |
| 39 | +|`definitions_updated_minutes_ago`|Number of minutes since last antivirus definition update.| |
| 40 | +|`definitions_version`|Antivirus definition version.| |
| 41 | +|`edr_client_version`|Version of the EDR client running on the device.| |
| 42 | +|`device_control_enforcement_level`| Device control activation statue. | |
| 43 | +|`edr_configuration_version`|EDR configuration version.| |
| 44 | +|`edr_device_tags`|List of tags associated with the device.| |
| 45 | +|`edr_early_preview_enabled`|Setting of EDR early preview. Can have one of the following values: <br/>- **disabled** <br/>- **enabled**| |
| 46 | +|`edr_group_ids`|Group ID that the device is associated with.| |
| 47 | +|`edr_machine_id`|Device identifier used in the Microsoft Defender portal.| |
| 48 | +|`engine_load_status`|Status of antivirus engine to determine whether it's running. <br/><br/>Can have one of the following values: <br/>- **Engine not loaded** - antivirus engine process is down<br/>- **Engine load succeeded** - antivirus engine process is up and running| |
| 49 | +|`engine_version`|Version of the antivirus engine.| |
| 50 | +|`healthy`|`True` if the product is healthy; otherwise, `false`.| |
| 51 | +|`health_issues`|Lists health issues if any.| |
| 52 | +|`licensed`|`True` if the device is onboarded to a tenant; otherwise, `false`.| |
| 53 | +|`log_level`|Current log level for the product. <br/><br/>Can have one of the following values: <br/>- **info** <br/>- **debug**| |
| 54 | +|`machine_guid`|Unique machine identifier used by the antivirus component.| |
| 55 | +|`network_protection_enforcement_level`|Mode of network protection. <br/><br/>Can have one of the following values: <br/>- **disabled** - all components associated with network protection are disabled<br/>- **block** - network protection prevents connection to malicious websites<br/>- **audit** - Check how blocks occur| |
| 56 | +|`network_protection_status`|Status of the network protection component (macOS only).<br/><br/> Can have one of the following values: <br/>- **starting** - Network protection is starting<br/>- **failed_to_start** - Network protection couldn't be started due to an error<br/>- **started** - Network protection is running on the device<br/>- **restarting** - Network protection is restarting<br/>- **stopping** - Network protection is stopping<br/>- **stopped** - Network protection isn't running| |
| 57 | +|`org_id`|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, it shows as `unavailable`. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).| |
| 58 | +|`passive_mode_enabled`|`True` if the antivirus component is set to run in passive mode; otherwise, `false`.| |
| 59 | +|`product_expiration`|Date and time when the current product version reaches end of support.| |
| 60 | +|`real_time_protection_available`|`True` if the real-time protection component is healthy; otherwise, `false`.| |
| 61 | +|`real_time_protection_enabled`|`True` if real-time antivirus protection is enabled; otherwise, `false`. | |
| 62 | +|`real_time_protection_subsystem`|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, it shows as `unavailable`.| |
| 63 | +|`release_ring`|Release ring. For more information, see [Deployment rings](onboarding.md).| |
| 64 | +|`tamper_protection`| Status of tamper protection feature. <br/><br/>Can have one of the following values: <br/>- **disabled** - tamper protection is off.<br/>- **audit** - tamper protection is on but doesn't block any event.<br/>- **block** - tamper protection is monitoring events and block them as needed. | |
| 65 | +|`troubleshooting_mode`| `True` if Defender for Endpoint is in troubleshooting mode; otherwise, `false`. see [Troubleshooting mode](mac-troubleshoot-mode.md).| |
| 66 | + |
| 67 | +## Component specific health |
| 68 | + |
| 69 | +You can get more detailed health information for different features in Defender for Endpoint by using the command, `mdatp health --details <feature>`. Here are some examples: |
| 70 | + |
| 71 | +```bash |
| 72 | + |
| 73 | +mdatp health --details permissions |
| 74 | + |
| 75 | +mdatp health --details system_extensions |
| 76 | + |
| 77 | +mdatp health --details edr |
| 78 | + |
| 79 | +mdatp health --details definitions |
| 80 | + |
| 81 | +mdatp health --details help |
| 82 | + |
| 83 | +``` |
| 84 | + |
| 85 | +You can run `mdatp health --help` on recent versions to list all supported features. |
| 86 | + |
| 87 | +## See also |
| 88 | + |
| 89 | +- [What's new in Microsoft Defender for Endpoint on Mac](mac-whatsnew.md) |
| 90 | +- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md) |
| 91 | + |
| 92 | +[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)] |
| 93 | + |
| 94 | + |
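Review bot: The "Component specific health" section lists `mdatp health --details help` among the examples, but the sentence right after the code block tells the reader to run `mdatp health --help` to list supported features; state which of the two enumerates the valid `<feature>` names and drop or explain the other. In the health table, the `device_control_enforcement_level` row reads "activation statue" (should be "status") and sits between `edr_client_version` and `edr_configuration_version`; moving it up after `definitions_version` keeps the table alphabetical. The `release_ring` row labels its link "Deployment rings" but points at `onboarding.md`, the same target as the onboarding link in the `org_id` row, so the target should be checked. The `cloud_automatic_sample_submission_consent` values mix casing (**None**, **safe**, **All**); use the exact strings the command returns, since readers will match on them. Smaller points: the `cloud_pin_certificate_thumbs` description starts in lowercase, "see [Troubleshooting mode]" in the `troubleshooting_mode` row starts a sentence in lowercase, "block them as needed" in the `tamper_protection` row should be "blocks them as needed", and the file ends with two blank lines.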