Forum Discussion
Eric Iversen (Copper Contributor)
Jan 28, 2022
MDE apparently blocks MacOS Monterey 12.1 / 12.2 upgrades?
Over the last days we have encountered a situation where the upgrade to MacOS Monterey 12.1 or 12.2 fails.
After several reboots the machine returns to the state before the upgrade started, with the addition of several applications crashing upon startup and needing reinstalls. This has happened to several machines, both Intel and ARM models, when trying to upgrade from various MacOS versions such as 12.0.1 and 11.6.x.
Several repeated attempts give the same result:
It occurred to us that we might have a compatibility issue with Defender ATP (101.56.35) - and after removing this application completely and retrying the OS upgrade, this was completed without any issues.
Defender ATP was then reinstalled and now works without issues. The same goes for other applications that were "corrupted" during the first tries. Among them are OneDrive and Teams. After a "delete and reinstall" they all now work fine.
A less "brutal" approach was also tried out (edit: which did not help): disabling various Defender modules. But this is rather time-consuming, since we do not know the result before the whole upgrade process is "complete".
Anyone else seeing a similar pattern?
20 Replies
- tully (Copper Contributor)
Hi all,
We are experiencing the same thing with multiple Macs.
The workaround we have been using is updating via a bootable MacOS Installer. https://support.apple.com/en-au/HT201372
- pjgiraud (Copper Contributor)
Yes, I can confirm the same problem. Experienced the corruption of multiple applications when I installed 12.2, which led to a full reinstall (didn't have time to troubleshoot then). Then, when attempting to install the same upgrade without enrolling, everything went smoothly.
Later that day the computer was enrolled again. Yesterday I attempted to install 12.2.1 and the upgrade "failed" again. However, this time no applications got corrupted.
- GBM_Yisus (Copper Contributor)
I have the same problem. I deferred system and security updates for 90 days while the functioning of MacOS Monterey was being validated, and now that I have tested it and everything works fine, I cannot update the devices: they run the whole process and restart, but return to the version they had originally. I uninstalled Defender on some machines and the update completes correctly! Hopefully they provide a solution soon. I have already opened a case but have not received any support as of today!
- pmonfette-ns (Copper Contributor)
They rolled out another update: 101.56.62 but it only says "Bug Fixes". Maybe it fixes this issue. Can you test it?
- Eric Iversen (Copper Contributor)
Hey, thanks - yes, 101.56.62 does seem to make a big difference - some time before I saw your post here, a colleague just tried out this version after finding it on the preview channel - and tried re-creating the problem by downgrading machines to a previous OS version, then performing the upgrade to 12.2. With this version of MDE installed, the OS upgrade goes through without issues. Have you tried it yet?
- pmonfette-ns (Copper Contributor)
Yes, same here. From 12.1 to 12.2: the upgrade completed but after the last reboot, MacOS remained on 12.1.
Looking at the logs, there were errors related to DLP and Defender which create some issue with the upgraded disk volume. Seems like the upgrade process doesn't like this and thinks there is an issue and rolls back to the previous snapshot or something like that, thus remaining on 12.1 instead of being upgraded to 12.2.
I was able to get it through after I added com.apple.MobileSoftwareUpdate.UpdateBrainService to the process exclusion list in Defender. Not sure if that's what did it or I was just lucky.
I also now see that DLP (Data Loss Protection) seems supported in MDE for MacOS, and my logs were full of errors related to it since it was not properly configured/enabled in Intune, and this was preventing some extensions in MacOS from being loaded properly, possibly making this more problematic since the filesystem didn't seem to recognize the DLP attributes in the filesystem properly because of this.
I properly allowed and enabled the DLP loading in MDE (mdatp health)
data_loss_prevention_status : "active"
And DLP errors are gone and it seems to work properly now, as I see logs being pushed to 365 Compliance. However, be careful, this seems to have a huge CPU and IO impact on everything.
- tamasu (Copper Contributor)
Where do you find information about this setting?
data_loss_prevention_status : "active"
I can't find any Microsoft Docs on how to enable/disable or what dormant even means.
- Eric Iversen (Copper Contributor)
Thanks a bunch - so it might not be a bug but a feature then.
Not the first time a feature that remains in a "not configured" state leads to unforeseen side effects. We will have a closer look at the DLP settings in Endpoint Manager/Intune.
- pmonfette-ns (Copper Contributor)
What bugs me the most right now is that even though I disabled DLP through Intune and the config makes it to the Mac and I see it as disabled in mdatp, the dlpdaemon still continues to run and affect performance. Rebooting doesn't fix it; it starts again on the next boot even though it should be disabled.
So far, the only solution I found is to delete Microsoft Defender and wait for Intune to automatically reinstall it. Once you uninstall it, the dlpdaemon goes away after a few seconds as the Defender services stop and unload.
It's as if once it runs at least one time, it will always run, whether you disable it or not in the config. But if it is not allowed to run when installing Defender, it will never run and you're good, as it doesn't get configured (or something like that) and it will never run unless you enable it later on.
This is most likely a bug of some sort and I hope they fix it because no way I'm going to go manually on each Mac in the company and remove and then reinstall Defender on each of them, hehehe.
- Bahman_Sabetghadam (Former Employee)
Hi Eric,
Thanks for reaching out about the issue. We are investigating the upgrade issues to identify root causes and plan for fixes in coming product releases. Please contact Microsoft Defender for Endpoint support to open a service request by following the process documented here.
- Eric Iversen (Copper Contributor)
Hi, thanks for responding - we will open a service request.
- tarek_aloch (Copper Contributor)
Yup, I'm seeing the same thing. We had no issue updating to 12.1. Trying to update to 12.2 seems to have removed Rosetta (for Apple silicon Macs), and messed with Teams and OneDrive.
It seems that the update goes through but when they go to check the system they're still on 12.1. Uninstalling Defender allows the update to run through fine. Hoping someone can find a solution to this.
- Eric Iversen (Copper Contributor)
Thanks, good to know we are not alone in this. 🙂
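An added example, not part of any post in this thread and not Microsoft's code: a pre-upgrade check that reads `mdatp health` text output and reports the Defender build and the `data_loss_prevention_status` value discussed above. The function names are hypothetical, the sample health lines are constructed, and the 101.56.62 threshold is an assumption taken from what participants reported, not a confirmed fix version.

```shell
#!/bin/sh
# Added example (not from the thread): read `mdatp health` text output and
# decide whether to hold a macOS upgrade on this host.

# Assumption: 101.56.62 is the build participants reported as upgrading cleanly.
MIN_VERSION="101.56.62"

# Print the value of one `key : "value"` line from health output on stdin.
health_field() {
    awk -F' *: *' -v key="$1" '$1 == key { gsub(/"/, "", $2); print $2; exit }'
}

# Succeed (exit 0) when dotted version $1 is numerically older than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Read health output on stdin; print a verdict. Returns 0 ok, 1 hold, 2 unknown.
assess_health() {
    report=$(cat)
    ver=$(printf '%s\n' "$report" | health_field app_version)
    dlp=$(printf '%s\n' "$report" | health_field data_loss_prevention_status)
    if [ -z "$ver" ]; then
        echo "unknown: no app_version in health output"; return 2
    fi
    if version_lt "$ver" "$MIN_VERSION"; then
        echo "hold: MDE $ver is older than $MIN_VERSION (dlp=${dlp:-unset})"; return 1
    fi
    echo "ok: MDE $ver (dlp=${dlp:-unset})"
}

# Constructed sample of two health lines; $1 is the app version to embed.
sample_health() {
    printf 'app_version                                 : "%s"\n' "$1"
    printf 'data_loss_prevention_status                 : "active"\n'
}

# Demo on constructed input. On a managed Mac: mdatp health | assess_health
sample_health 101.56.35 | assess_health || true
sample_health 101.56.62 | assess_health
```

The non-zero return codes let a management script defer the OS update on hosts that report "hold" or "unknown".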