Forum Discussion
Defender for Endpoint issues on Apple Silicon Macs (Issue: Action Needed)
Hi y'all,
We are using Defender for Endpoint on our Intel Macs without a hitch (both corp & BYOD devices). Now we are trying to have BYOD Apple Silicon Macs deployed with Defender for Endpoint.
This gives us a strange issue: The Defender for Endpoint icon in the menubar shows a warning: Action Needed.
Protection works fine and everything looks okay. Only the Defender for Endpoint icon keeps showing a warning (Action Needed).
When we click on the warning, just the normal Defender for Endpoint interface is shown, without any issues or actions.
We can't find anything online and it's driving us crazy.
To be clear: This works fine on our Intel Macs.
Please, some help!
We are using Jamf Pro.
- Wimbert (Copper Contributor)
Same issue here for the last 3 weeks.
I see the Defender icon with an X on it showing "Action needed" but everything seems to be running fine.
- Rob Hardman (Iron Contributor)
Yep, same here too, Apple Silicon only. I think it's probably a bug in a recent build, pretty sure this has only happened in the last few weeks.
- chuyc (Copper Contributor)
Same issue here for the last 2-3 weeks. Issue started before I upgraded to MacOS 12.3.1.
- asegovia1515 (Copper Contributor)
I think the problem is the encryption. If I turn off FileVault and restart the computer, the Defender icon goes back to normal. I enable encryption again but when I restart the computer the Defender icon goes back to action needed. I have opened a ticket with MS.
- leinton (Copper Contributor)
ATP 101.64.15 came out today and has resolved the issue.
- pmonfette-ns (Brass Contributor)
Same here.
On Mac M1 since version 101.61.69 and maybe even 101.60.91, I see the Defender icon with an X on it showing "Action needed" but everything seems to be running fine.
`mdatp health` in the command line says healthy.
`systemextensionsctl list` shows activated and enabled.
Rebooting doesn't change anything, it starts up like this.
I'm using Intune and this was not an issue a few versions ago. Unsure if it is caused by the Monterey 12.3.1 update or a recent Defender update.
This is working well and without the X mark on Intel Macs.
- LeoJohn (Brass Contributor)
Same here. The total lack of response from Microsoft on this post is also a little bit weird....
- Rob Hardman (Iron Contributor)
This resolved today with no apparent update to the binary version of MDATP. The cross symbol changed to a bang, "Action Recommended." Upon opening MDATP the "Fix" button appeared which directed me to Sys Prefs > Security and Privacy > Privacy Tab > Full Disk Access. Both Microsoft Defender and Microsoft Defender Security Extension were unticked (they were ticked previously and should be enabled via MDM anyway). Upon manually ticking them, MDATP became healthy.
HTH
- twealthy (Copper Contributor)
Thought I'd check this myself, but I still have the issue and both were ticked already! Very strange indeed.
I'm trialling this as we are looking to deploy MDATP across the business (primarily Windows based clients) but could it be in the "security.microsoft.com" portal? Looking at my device there are 9 Security Recommendations.
Just a thought! Hopefully it is just a GUI bug 🙂
Could that be it perhaps and there is in fact no issue?
- LeoJohn (Brass Contributor)
This is not applicable in our situation, no changes there.
- DrewHjelm (Copper Contributor)
I opened a Support case with Microsoft to resolve this issue I experienced on MDATP for Mac OS 101.61.69. The issue is fixed in MDATP version 101.65.24, which is currently not on the Production update track.
- JZ281174 (Copper Contributor)
We have seen this issue for 4-6 weeks on our M1 MacBooks with Monterey.
I also checked the health and cloud connection status but everything looks fine. I think it's only the icon in the menu bar.
- MarkTheITGuy (Copper Contributor)
We're getting the same here. Thought we were going mad.
Uninstalling and reinstalling works for a while (usually a couple of days or a shutdown/reboot is performed), but then the X and the 'Action Needed' message come back, yet the application appears to be running fine.
Also check sysprefs and all permissions are as they should be.
Hopefully the update will hit the production ring soon.
- LeoJohn (Brass Contributor)
The new update of MacOS, version 12.3.1, seems to bring back the check mark. Strange.....
- JZ281174 (Copper Contributor)
LeoJohn: Not on our side. All affected MacBooks which were updated to 12.3.1 are affected like before. My MacBook was reset to factory on Friday and installed clean with 12.3.1, and on my MacBook it looks fine.
But we can't reset all affected MacBooks, so we need to wait for MS.
- LeoJohn (Brass Contributor)
You are right, jumped too soon at our conclusion: Check mark disappeared after a little while. My bad.
- pmonfette-ns (Brass Contributor)
Not in our organization. And we're running 12.3.1.
The only time the checkmark is there is when Defender gets installed initially for us. As soon as you reboot or get an update of it, it becomes an X.
- pmonfette-ns (Brass Contributor)
Btw all: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide
Seems like the fix got released today, expect updates to roll out...
"Fixed a regression introduced in version 101.61.69 where the status menu icon was sometimes showing an error icon, even though no action was required from the end user"
- pmonfette-ns (Brass Contributor)
This is also fixed and working for us. After the update to 101.64.15, the checkmark is present again, even after reboots. Thanks for the fix!
- LeoJohn (Brass Contributor)
Yes, for us also. Finally!!