Eric Iversen
Copper Contributor
Jan 28, 2022

MDE apparently blocks MacOS Monterey 12.1 / 12.2 upgrades?

Over the last days we have encountered a situation where the upgrade to MacOS Monterey 12.1 or 12.2 fails.

After several reboots the machine returns to the state before the upgrade started, with the addition of several applications crashing upon startup and needing reinstalls of these. This has happened to several machines, both Intel and ARM models when trying to upgrade from various MacOS versions such as 12.0.1 and 11.6.x.

Several repeated attempts give the same result:

It occurred to us that we might have a compatibility issue with Defender ATP (101.56.35) - and after removing this application completely and retrying the OS upgrade, this was completed without any issues.

Defender ATP was then reinstalled and now works without issues. The same goes for other applications that were "corrupted" during the first tries. Among them are OneDrive and Teams. After a "delete and reinstall" they all now work fine.

A less "brutal" approach was also tried out (edit: which did not help): disabling various Defender modules, but this is rather time consuming since we do not know the result before the whole upgrade process is "complete".

Anyone else seeing a similar pattern?

  • tarek_aloch
    Copper Contributor
    Yup, I'm seeing the same thing. We had no issue updating to 12.1. Trying to update to 12.2 seems to have removed Rosetta (for Apple silicon Macs), and messed with Teams and OneDrive.

    It seems that the update goes through but when they go to check the system they're still on 12.1. Uninstalling Defender allows the update to run through fine. Hoping someone can find a solution to this.
    • Eric Iversen
      Copper Contributor
      Thanks, good to know we are not alone in this. 🙂
  • Eric Iversen,


    Hi Eric,
    Thanks for reaching out about the issue. We are investigating the upgrade issues to identify root causes and plan for fixes in coming product releases.

    Please contact Microsoft Defender for Endpoint support to open a service request by following the process documented here

    • Eric Iversen
      Copper Contributor
      Hi, thanks for responding - we will open a service request.
  • pmonfette-ns
    Brass Contributor
    Yes, same here. From 12.1 to 12.2. The upgrade completed but after the last reboot, MacOS remained on 12.1.

    Looking at the logs, there were errors related to DLP and Defender which create some issue with the upgraded disk volume. Seems like the upgrade process doesn't like this and thinks there is an issue and rolls back to the previous snapshot or something like that, thus remaining on 12.1 instead of being upgraded to 12.2.

    I was able to get it through after I added com.apple.MobileSoftwareUpdate.UpdateBrainService to the process exclusion list in Defender. Not sure if that's what did it or I was just lucky.

    I also now see that DLP (Data Loss Protection) seems supported in MDE for MacOS and my logs were full of errors related to it since it was not properly configured/enabled in Intune and this was preventing some extensions in MacOS from being loaded properly, possibly making this more problematic since the filesystem didn't seem to recognize the DLP attributes in the filesystem properly because of this.

    I properly allowed and enabled the DLP loading in MDE (mdatp health)

    data_loss_prevention_status : "active"

    And DLP errors are gone and it seems to work properly now, as I see logs being pushed to 365 Compliance. However, be careful, this seems to have a huge CPU and IO impact on everything.
    • Eric Iversen
      Copper Contributor
      Thanks a bunch - so it might not be a bug but a feature then.

      Not the first time a feature that remains in a "not configured" state leads to unforeseen side effects. We will have a closer look at the DLP settings in Endpoint Manager/Intune.
      • pmonfette-ns
        Brass Contributor
        Right now I'm in the process of completely disabling DLP agent/daemon for MacOS since it makes the computers very slow and laggy. Especially in the browser (tested with Chrome and Edge). In the browser, the worst effect is when you type something in the search bar, when the DLP daemon runs (along MDE), you will notice that what you type is laggy and has a delay. If you disable DLP daemon and make sure the process doesn't run anymore "ps aux | grep dlpdaemon", you'll notice it's back to being very responsive and fast, as it should.

        Make sure you don't see this process running, or else disable it using Intune and policies until they get this behaviour under control, as the computers become way too slow when it is enabled and things time out or even crash (like the update).

        /Library/Application Support/Microsoft/DLP/com.microsoft.dlp.daemon.app/Contents/MacOS/dlpdaemon --daemon

        You can determine if DLP is enabled if you run "mdatp health"

        If you see that data_loss_prevention_status near the end, is not stopped or dormant, it means it is most likely enabled and affecting your performance.
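
Added example, not part of any post in this thread: the two checks described in the comment above (the `data_loss_prevention_status` field from `mdatp health` and the `dlpdaemon` process) combined into one report line per host. The function names and sample inputs are assumptions made for illustration; only the field name, the values active/stopped/dormant and the daemon path come from the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): report DLP state from captured
# `mdatp health` and `ps aux` text.

# Constructed samples; only the DLP line and daemon path come from the thread.
SAMPLE_HEALTH='healthy                                     : true
data_loss_prevention_status                 : "active"'
SAMPLE_PS='root 312 0.0 0.1 /Library/Application Support/Microsoft/DLP/com.microsoft.dlp.daemon.app/Contents/MacOS/dlpdaemon --daemon
admin 977 0.0 0.0 grep dlpdaemon'

# Classify the data_loss_prevention_status field read from stdin.
# The thread names three values: active, stopped, dormant. Any other value
# is reported as unrecognized rather than guessed at.
dlp_classify() (
  val=$(awk -F: '
    $1 ~ /^[ \t]*data_loss_prevention_status[ \t]*$/ {
      v = $2; gsub(/[ \t"]/, "", v); print v; found = 1; exit
    }
    END { if (!found) print "missing" }')
  case "$val" in
    active)          echo enabled ;;
    stopped|dormant) echo not-enabled ;;
    missing)         echo unknown ;;
    *)               echo "unrecognized:$val" ;;
  esac
)

# Succeed if ps text on stdin shows the daemon binary. Matching the bundle
# path avoids the false hit that "ps aux | grep dlpdaemon" gets from grep itself.
dlpdaemon_running() {
  grep -q 'com\.microsoft\.dlp\.daemon\.app/Contents/MacOS/dlpdaemon'
}

# One summary line per host. $1 = health text, $2 = ps text.
dlp_report() (
  state=$(printf '%s\n' "$1" | dlp_classify)
  proc=no
  printf '%s\n' "$2" | dlpdaemon_running && proc=yes
  printf 'dlp_state=%s dlpdaemon_running=%s\n' "$state" "$proc"
)

# On a managed Mac: dlp_report "$(mdatp health)" "$(ps aux)"
dlp_report "$SAMPLE_HEALTH" "$SAMPLE_PS"
```
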
    • tamasu
      Copper Contributor
      Where do you find information about this setting?
      data_loss_prevention_status : "active"
      I can't find any Microsoft Docs on how to enable/disable or what dormant even means.
  • GBM_Yisus
    Copper Contributor
    I have the same problem. I deferred system and security updates for 90 days while the operation of MacOS Monterey was being validated, and now that I have tested it and everything works fine, I cannot update the devices: they run the whole process and restart, but return to the version they had in the first place. I uninstalled Defender on some machines and the update completes correctly! Hopefully they provide a fix soon; I have already opened the case but have not received support as of today!
    • pmonfette-ns
      Brass Contributor
      They rolled out another update: 101.56.62 but it only says "Bug Fixes". Maybe it fixes this issue. Can you test it?
      • Eric Iversen
        Copper Contributor
        Hey, thanks - yes, 101.56.62 does seem to make a big difference - some time before I saw your post here, a colleague just tried out this version after finding it on the preview channel - and tried re-creating the problem by downgrading machines to a previous OS version, then performing the upgrade to 12.2. With this version of MDE installed, the OS upgrade goes through without issues. Have you tried it yet?
  • pjgiraud
    Copper Contributor
    Yes, I can confirm the same problem. Experienced the corruption of multiple applications when I installed 12.2, which led to a full reinstall (didn't have time to troubleshoot then). Then when attempting to install the same upgrade without enrolling, everything went smoothly.
    Later that day the computer was enrolled again. Yesterday I attempted to install 12.2.1 and the upgrade "failed" again. However, this time no applications got corrupted.
