What Is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint (MDE) is Microsoft's enterprise endpoint detection and response (EDR) platform. Unlike the built-in Windows Defender Antivirus, MDE provides advanced threat detection, investigation, automated response, and centralised management through the Microsoft Defender portal (security.microsoft.com).

MDE is included with Microsoft 365 Business Premium, E3, and E5 licences — making it the default EDR for most Melbourne businesses already on Microsoft 365. But having the licence doesn't mean it's running. The sensor (the SENSE service) must be correctly onboarded, and the service must be active on each device.

ℹ️ MDE vs Windows Defender Antivirus
These are two different things. Windows Defender Antivirus (the WinDefend service) provides real-time antivirus protection. Microsoft Defender for Endpoint (the SENSE service) is the EDR sensor that reports to the Defender portal. A device can have antivirus running but MDE not onboarded. This guide covers both.

Method 1 — Check the SENSE Service (sc query sense)

The quickest way to check if MDE is running is to query the SENSE service from an elevated command prompt. The SENSE service is the MDE sensor responsible for sending telemetry to the Defender portal.

Open Command Prompt as Administrator and run:

sc query sense

Look for the STATE line in the output:

Output — Meaning
STATE : 4 RUNNING — ✅ MDE sensor is active and running
STATE : 1 STOPPED — ⚠️ Sensor is installed but not running
The specified service does not exist — ❌ MDE is not installed or onboarded on this device

⚠️ SENSE running ≠ MDE fully onboarded
The SENSE service can be running while the device is still in an "onboarding" or "misconfigured" state in the Defender portal. Running the service is a necessary but not sufficient check — always verify in the portal as well.

Method 2 — PowerShell: Get-MpComputerStatus

PowerShell gives you much more detail about both the antivirus and the EDR components. Open PowerShell as Administrator and run:

Get-MpComputerStatus

Key properties to check in the output:

Property — What to look for
AMServiceEnabled: True — Windows Defender Antivirus service is running
AntispywareEnabled: True — Antispyware protection active
AntivirusEnabled: True — Real-time antivirus protection active
AMRunningMode: See the passive mode section below
OnboardingState: 1 = Onboarded to MDE, 0 = Not onboarded
DefenderSignaturesOutOfDate: False — signatures are current

To check just the MDE onboarding state quickly:

Get-MpComputerStatus | Select-Object OnboardingState, AMRunningMode, AntivirusEnabled

Method 3 — Check Defender Sensor Status via PowerShell

For a more detailed MDE-specific check, you can query the registry where the MDE onboarding state is stored:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" | Select-Object OnboardingState, SenseIsRunning, OrgId

Value — Meaning
OnboardingState = 1 — ✅ Device is onboarded to MDE
SenseIsRunning = 1 — ✅ SENSE service is running
OrgId — Your tenant's MDE Organisation ID; confirms which tenant the device reports to

Method 4 — Windows Security App (GUI)

For end users or non-technical staff, the Windows Security app provides a simple status check:

  1. Open Windows Security (search from Start menu)
  2. Click Virus & threat protection
  3. Check that Real-time protection is On
  4. Click Virus & threat protection settings
  5. Verify no warning banners appear at the top of the page

Note: The Windows Security app reflects the antivirus status, not MDE's EDR onboarding state. A device can show "Protected" here while still not being onboarded to the Defender portal.

Method 5 — Verify in the Microsoft Defender Portal

The authoritative way to confirm MDE is running and reporting correctly is to check the device in the Defender portal:

  1. Go to security.microsoft.com
  2. Navigate to Assets → Devices
  3. Search for the device by name
  4. Check the Sensor health state column

Sensor health state — Meaning
Active — ✅ Device is reporting telemetry to the portal
Inactive — ⚠️ Device hasn't reported in over 7 days
Misconfigured — ❌ Sensor is running but has a configuration issue
No sensor data — ❌ Device was onboarded but the sensor has never reported

Understanding Passive Mode

When MDE is deployed alongside a third-party antivirus, Windows Defender Antivirus automatically switches to passive mode. In passive mode:

  • Real-time protection is disabled (the third-party AV handles this)
  • Scheduled scans still run but don't remediate
  • MDE EDR functions (detection, investigation, response) continue normally
  • Get-MpComputerStatus will show AMRunningMode = Passive Mode

Check the current running mode with:

(Get-MpComputerStatus).AMRunningMode

AMRunningMode value — Meaning
Normal — Active mode; Defender AV is the primary antivirus
Passive Mode — Third-party AV is primary; Defender AV is running passively
EDR Block Mode — MDE blocks threats even when Defender AV is in passive mode
SxS Passive Mode — Side-by-side passive mode (limited periodic scanning)

About KB2461484 — Microsoft Endpoint Protection Updates

You may see references to KB2461484 in Windows Update history or error logs. This Knowledge Base article refers to update packages for Microsoft Endpoint Protection — the enterprise version of Windows Defender that was part of System Center Configuration Manager (SCCM/MECM) before it was rebranded as part of the Microsoft Defender suite.

KB2461484 updates typically contain definition (signature) updates for Microsoft Endpoint Protection. If you're seeing this in update logs, it generally indicates:

  • Your organisation is using SCCM/MECM to manage endpoint protection
  • Definition updates are being deployed via the software update point
  • This is expected and healthy behaviour in a managed environment

If KB2461484 updates are failing, common causes include:

  • WSUS synchronisation issues — definition updates require frequent sync (every few hours)
  • Software Update Point not configured for definition update products
  • Client policy not set to allow definition updates from WSUS
  • Connectivity issues between the endpoint and the WSUS/MECM server

💡 Using Intune instead of SCCM?
If you've migrated from SCCM to Microsoft Intune for endpoint management, definition updates are handled differently. Intune delivers Defender updates via Windows Update for Business and the Microsoft Update service — not via KB2461484 style WSUS packages. If you're still seeing KB2461484 update attempts after migrating to Intune, it may indicate a co-management configuration issue.

Common Issues and Fixes

Issue — Likely cause — Fix
SENSE service won't start — Corrupted onboarding package or policy conflict — Re-run the onboarding script from the Defender portal
Device shows as Inactive in portal — Device hasn't communicated in 7+ days — Check connectivity to the MDE endpoints and verify proxy settings
Device shows as Misconfigured — Incomplete onboarding or missing required services — Run the MDE Client Analyzer tool on the device
AntivirusEnabled = False — Third-party AV disabling Defender, or tamper protection off — Check for a conflicting AV and verify tamper protection is enabled
Waiting for evaluation — New device onboarding; can take up to 24h — Wait up to 24 hours for the first telemetry to appear in the portal

Quick Reference: All Status Check Commands

# Check SENSE service status
sc query sense

# Full Defender status (PowerShell - Admin)
Get-MpComputerStatus

# Quick MDE onboarding + mode check
Get-MpComputerStatus | Select-Object OnboardingState, AMRunningMode, AntivirusEnabled, DefenderSignaturesOutOfDate

# Registry-based MDE status
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" | Select-Object OnboardingState, SenseIsRunning, OrgId

# Check passive mode
(Get-MpComputerStatus).AMRunningMode

# Check when signatures were last updated
(Get-MpComputerStatus).AntivirusSignatureLastUpdated
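The commands above can be folded into a single local health check. The function below is an added example written for this page, not code from the guide or from Microsoft; it assumes an elevated PowerShell session on a Windows device with the Defender module available, uses the registry key and property names listed under Method 3, and its pass/fail rules are assumptions taken from the tables in Methods 1 to 3 and the passive mode section.

```powershell
# Added example (not from the original guide): runs Method 1 (SENSE service),
# Method 3 (registry onboarding state), Method 2 (Get-MpComputerStatus) and the
# passive-mode check in one pass and returns an object with a Healthy flag.
# The rules below are assumptions based on the guide's tables, not a Microsoft check.
function Get-MdeHealthReport {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    # Method 1: Get-Service is the PowerShell equivalent of "sc query sense"
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseState = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
    # Method 3: onboarding state and tenant OrgId ($reg is $null if the key is absent,
    # and $null.OnboardingState evaluates to $null without error)
    $reg = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $onboarded = ($reg.OnboardingState -eq 1)
    # Method 2 and passive mode: Defender AV status
    $mp = Get-MpComputerStatus
    $findings = @()
    if ($senseState -eq 'NotInstalled') {
        $findings += 'SENSE service does not exist: MDE is not installed or onboarded'
    } elseif ($senseState -ne 'Running') {
        $findings += "SENSE service is $senseState, expected Running"
    }
    if (-not $onboarded) {
        $findings += 'Registry OnboardingState is not 1: onboarding incomplete'
    }
    if ($mp.AMRunningMode -ne 'Normal' -and $mp.AMRunningMode -ne 'EDR Block Mode') {
        $findings += "Defender AV is in '$($mp.AMRunningMode)': confirm a third-party AV is meant to be primary"
    }
    if ($mp.AMRunningMode -eq 'Normal' -and -not $mp.AntivirusEnabled) {
        $findings += 'AntivirusEnabled is False in Normal mode: check for a conflicting AV or tamper protection'
    }
    if ($mp.DefenderSignaturesOutOfDate) {
        $findings += 'Defender signatures are out of date'
    }
    # Healthy only means locally healthy; sensor health must still be confirmed
    # in the Defender portal (Method 5).
    [pscustomobject]@{
        SenseService          = $senseState
        OnboardingState       = $reg.OnboardingState
        OrgId                 = $reg.OrgId
        AMRunningMode         = $mp.AMRunningMode
        AntivirusEnabled      = $mp.AntivirusEnabled
        SignaturesLastUpdated = $mp.AntivirusSignatureLastUpdated
        Healthy               = ($findings.Count -eq 0)
        Findings              = $findings
    }
}

Get-MdeHealthReport | Format-List
```

Run it per device, or wrap the call in Invoke-Command to collect the same object from a fleet and filter on Healthy -eq $false.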

Need Help with Microsoft Defender for Endpoint?

Deploying and maintaining MDE across a fleet of Melbourne business devices requires more than running a few PowerShell commands. A well-configured MDE deployment includes onboarding via Intune, custom detection rules, attack surface reduction policies, and regular review of the Defender portal.

Melbits manages Microsoft Defender for Endpoint deployments for Melbourne businesses across professional services, healthcare, legal, and accounting. We're a Microsoft Partner with hands-on experience configuring MDE for organisations of 10–150 staff.