In ICDm console you might see the following Device Security status:

At Risk:

Out-of-date definitions.

Disabled / malfunctioning (Detection and Response).

Policy not current (Antimalware).

Low disk space (Detection and Response).

Any SEP client in cloud managed environment.

NA

Out-of-date definitions issue:

Content is considered old or out-of-date if:
Antimalware content (virus definitions) is out-of-date after 7 days.
Low-bandwidth and other content is out-of-date after 30 days.

The administrator has to make sure that the SEP client are up to date, and can download LU definitions.

Disabled / malfunctioning (Detection and Response):

Such error can be temporary, and however if it lasts for day in the console in a particular client, then collect SymDiag bundle from this client and open a ticket with technical services.

Policy not current (Antimalware):

The administrator has to make sure that the Antimalware policy is updated in ICDm console, and once this is correct, this warning should be eliminated.

Low disk space (Detection and Response):

In ICDm console go to the device details where this warning exists and check the disk space remaining in the disks of this machine.

If the disk space is low, correct the issue by cleaning up the disk and check after some time the ICDm warnings.

Troubleshooting failed LiveUpdate or definition update issues for Symantec Endpoint Security (broadcom.com)

Security status reasons (broadcom.com)