There are some additional configurations to be aware of that may prevent the service from running correctly.
Telemetry and diagnostics settings: Before you configure endpoints, you must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization. This service is enabled by default, but it's good practice to verify it so that you receive sensor data from every endpoint.
Windows Defender signature updates are configured: The Windows Defender ATP agent depends on Windows Defender's ability to scan files and provide information about them. If Windows Defender is not the active antimalware product in your organization, you may need to configure the signature updates.
- When Windows Defender is not the active antimalware product in your organization and you use the Windows Defender ATP service, Windows Defender goes into passive mode.
- The Windows Defender Early Launch Antimalware (ELAM) driver is enabled.
- If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will be successfully onboarded.
- If you're running a third-party antimalware client and use MDM solutions or SCCM (Current Branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see this article: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection#ensure-that-windows-defender-is-not-disabled-by-a-policy.
Refer to this article for further troubleshooting advice: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.
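The prerequisites above can be checked on a single endpoint before onboarding. The following is an added example, not part of the original page or of Microsoft's tooling; the function name is hypothetical, the service names `DiagTrack` and `WdBoot` are assumptions about which components the page means, and the 7-day signature age threshold is an assumed value.

```powershell
# Added example, not Microsoft's tooling. Assumed names: DiagTrack (telemetry and
# diagnostics service) and WdBoot (Windows Defender ELAM driver).
function Test-AtpOnboardingPrerequisite {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Assumed threshold: the page does not state a maximum signature age.
        [int]$MaxSignatureAgeDays = 7
    )

    # 1. Telemetry and diagnostics service: should start automatically and be running.
    $diag = Get-CimInstance -ClassName Win32_Service -Filter "Name='DiagTrack'"
    $detail = if ($diag) { "StartMode=$($diag.StartMode); State=$($diag.State)" } else { 'service not found' }
    [pscustomobject]@{
        Check  = 'Telemetry and diagnostics service'
        Ok     = [bool]($diag -and $diag.StartMode -eq 'Auto' -and $diag.State -eq 'Running')
        Detail = $detail
    }

    # 2. ELAM driver: checked by start mode, because an ELAM driver does its work at boot.
    $elam = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'"
    $detail = if ($elam) { "StartMode=$($elam.StartMode)" } else { 'driver not found' }
    [pscustomobject]@{
        Check  = 'Windows Defender ELAM driver'
        Ok     = [bool]($elam -and $elam.StartMode -eq 'Boot')
        Detail = $detail
    }

    # 3. Signature updates: Defender must report recent definitions, in active or passive mode.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $ok = $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays
        # AMRunningMode is only reported on newer builds; it is empty elsewhere.
        $detail = "SignatureAgeDays=$($mp.AntivirusSignatureAge); " +
                  "LastUpdated=$($mp.AntivirusSignatureLastUpdated); Mode=$($mp.AMRunningMode)"
    } catch {
        $ok = $false
        $detail = "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Check  = 'Windows Defender signature updates'
        Ok     = [bool]$ok
        Detail = $detail
    }
}

Test-AtpOnboardingPrerequisite | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on the endpoint; any row with `Ok` set to `False` points at the prerequisite to fix before onboarding.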