Forum Discussion

LeoJohn's avatar
LeoJohn
Brass Contributor
Mar 29, 2022

Defender for Endpoint issues on Apple Silicon Macs (Issue: Action Needed)

Hi y'all,

 

We are using Defender for Endpoint on our Intel Macs without a hitch (both corp & BYOD devices). Now we are trying to have BYOD Apple Silicon Macs deployed with Defender for Endpoint.


This gives us a strange issue: The Defender for Endpoint icon in the menubar shows a warning: Action Needed.

 

Protection works fine and everything looks okay. Only the Defender for Endpoint icon keeps showing a warning (Action Needed).


When we click on the warning, just the normal Defender for Endpoint interface is shown, without any issues or actions.

 

We can't find anything online and it's driving us crazy.

 

To be clear: This works fine on our Intel Macs.

 

Please some help!

 

We are using Jamf Pro.

  • Wimbert's avatar
    Wimbert
    Copper Contributor

    LeoJohn 

     

    Same issue here for the last 3 weeks.
    I see the defender icon with a X on it showing "Action needed" but everything seems to be running fine.

  • Rob Hardman's avatar
    Rob Hardman
    Iron Contributor
    Yep, same here too, Apple Silicon only. I think it's probably a bug in a recent build, pretty sure this has only happened in the last few weeks.
    • chuyc's avatar
      chuyc
      Copper Contributor
      Same issue here for the last 2-3 weeks. Issue started before I upgraded to MacOS 12.3.1.
  • asegovia1515's avatar
    asegovia1515
    Copper Contributor
    I think the problem is the encryption. If I turn off FileVault and restart the computer, Defender icon goes back to normal. I enable encryption again but when I restart the computer the Defender icon goes back to action needed. I have opened a ticket with MS.
  • leinton's avatar
    leinton
    Copper Contributor
    ATP 101.64.15 came out today and has resolved the issue.
  • pmonfette-ns's avatar
    pmonfette-ns
    Brass Contributor

    LeoJohn 

     

    Same here.

     

    On Mac M1 since version 101.61.69 and maybe even 101.60.91, I see the defender icon with a X on it showing "Action needed" but everything seems to be running fine.

     

    mdatp health in command line says healthy.

    systemextensionsctl list shows activated and enabled.

     

    Rebooting doesn't change anything, it starts up like this.

     

    I'm using intune and this was not an issue a few versions ago. Unsure if it is caused by Monterey 12.3.1 update or a recent Defender update.

     

    This is working well and without the X mark on Intel Macs.

    • LeoJohn's avatar
      LeoJohn
      Brass Contributor
      Same here. The total lack of response from Microsoft on this post is also a little bit weird....
  • Rob Hardman's avatar
    Rob Hardman
    Iron Contributor
    This resolved today with no apparent update to the binary version of MDATP. The cross symbol changed to a bang, "Action Recommended." Upon opening MDATP the "Fix" button appeared which directed me to Sys Prefs > Security and Privacy > Privacy Tab > Full Disk Access. Both Microsoft Defender and Microsoft Defender Security Extension were unticked (they were ticked previously and should be enabled via MDM anyway). Upon manually ticking them, MDATP became healthy.

    HTH
    • twealthy's avatar
      twealthy
      Copper Contributor
      Thought id check this myself, but I still have the issue and both were ticked already! Very strange indeed.

      I'm trialling this as we are looking to deploy MDATP across the business (primarily Windows based clients) but could it be in the "security.microsoft.com" portal. Looking at my device there are 9 Security Recommendations.

      Just a thought! Hopefully it is just a GUI bug 🙂

      Could that be it perhaps and there is infact no issue?
    • LeoJohn's avatar
      LeoJohn
      Brass Contributor
      This is not applicable in our situation, no changes there.
      • DrewHjelm's avatar
        DrewHjelm
        Copper Contributor
        I opened a Support case with Microsoft to resolve this issue I experienced on MDATP for Mac OS 101.61.69. The issue is fixed in MDATP version 101.65.24, which is currently not on the Production update track.
  • JZ281174's avatar
    JZ281174
    Copper Contributor
    We see this issue since 4 - 6 weeks on our M1 MacBooks with monterey.
    I also checked the health and cloud connection status but everything looks fine. I think its only the icon in the menu bar
  • MarkTheITGuy's avatar
    MarkTheITGuy
    Copper Contributor
    We're getting the same here. Thought we were going mad.

    Uninstalling and reinstalling works for a while (usually a couple of days or a shutdown/reboot is performed), but then the X and the 'Action Needed' message come back, yet the application appears to be running fine.

    Also check sysprefs and all permissions are as they should be.

    Hopefully the update will hit the production ring soon.
  • LeoJohn's avatar
    LeoJohn
    Brass Contributor
    The new update of MacOS, version 12.3.1 seams to bring back the check mark. Strange.....
    • JZ281174's avatar
      JZ281174
      Copper Contributor

      LeoJohn Not on our side. All affected MacBooks which were updated to 12.3.1 are affected like before. My MacBook was reseted to factory at friday and are installed clean with 12.3.1 and on my MacBook it looks fine. 
      But we cant reset all affected MacBooks, so we need to wait for MS

      • LeoJohn's avatar
        LeoJohn
        Brass Contributor
        You are right, jumped too soon at our conclusion: Check mark disappeared after a little while. My bad.
    • pmonfette-ns's avatar
      pmonfette-ns
      Brass Contributor
      Not in our organization. And we're running 12.3.1.

      The only time the checkmark is there is when Defender gets installed initially for us. As soon as you reboot or get an update of it, it becomes an X.
  • pmonfette-ns's avatar
    pmonfette-ns
    Brass Contributor
    This is also fixed and working for us. After the update to 101.64.15, the checkmark is present again, even after reboots. Thanks for the fix !

Resources