Forum Discussion
Eric Iversen
Jan 28, 2022Copper Contributor
MDE apparently blocks MacOS Monterey 12.1 / 12.2 upgrades?
The last days we have encountered a situation where the upgrade to MacOS Monterey 12.1 or 12.2 fails. After several reboots the machine returns to the state before the upgrade started, with the ad...
pmonfette-ns
Feb 01, 2022Brass Contributor
Yes, same here. From 12.1 to 12.2: the upgrade completed, but after the last reboot, MacOS remained on 12.1.
Looking at the logs, there were errors related to DLP and Defender which create some issue with the upgraded disk volume. It seems like the upgrade process doesn't like this, thinks there is an issue, and rolls back to the previous snapshot or something like that, thus remaining on 12.1 instead of being upgraded to 12.2.
I was able to get it through after I added com.apple.MobileSoftwareUpdate.UpdateBrainService to the process exclusion list in Defender. Not sure if that's what did it or I was just lucky.
I also now see that DLP (Data Loss Protection) seems supported in MDE for MacOS, and my logs were full of errors related to it since it was not properly configured/enabled in Intune. This was preventing some extensions in MacOS from being loaded properly, possibly making this more problematic, since the filesystem didn't seem to recognize the DLP attributes in the filesystem properly because of this.
I properly allowed and enabled DLP loading in MDE (mdatp health):
data_loss_prevention_status : "active"
And the DLP errors are gone and it seems to work properly now, as I see logs being pushed to 365 Compliance. However, be careful: this seems to have a huge CPU and IO impact on everything.
Eric Iversen
Feb 02, 2022Copper Contributor
Thanks a bunch - so it might not be a bug but a feature then.
Not the first time a feature that remains in a "not configured" state leads to unforeseen side effects. We will have a closer look at the DLP settings in Endpoint Manager/Intune.
pmonfette-ns
Feb 02, 2022Brass Contributor
What bugs me the most right now is that even though I disabled DLP through Intune, the config makes it to the Mac, and I see it as disabled in mdatp, the dlpdaemon still continues to run and affect performance. Rebooting doesn't fix it; it starts again on the next boot even though it should be disabled.
So far, the only solution I found is to delete Microsoft Defender and wait for Intune to automatically reinstall it. Once you uninstall it, the dlpdaemon goes away after a few seconds as the Defender services stop and unload.
It's as if once it runs at least one time, it will always run, whether you disable it or not in the config. But if it is not allowed to run when Defender is installed, it will never run and you're good, as it doesn't get configured (or something like that), and it will never run unless you enable it later on.
This is most likely a bug of some sort and I hope they fix it, because no way I'm going to go manually to each Mac in the company and remove and then reinstall Defender on each of them, hehehe.
pmonfette-ns
Feb 02, 2022Brass Contributor
Right now I'm in the process of completely disabling the DLP agent/daemon for MacOS since it makes the computers very slow and laggy, especially in the browser (tested with Chrome and Edge). In the browser, the worst effect is when you type something in the search bar: when the DLP daemon runs (along with MDE), you will notice that what you type is laggy and has a delay. If you disable the DLP daemon and make sure the process doesn't run anymore ("ps aux | grep dlpdaemon"), you'll notice it's back to being very responsive and fast, as it should be.
Make sure you don't see this process running, or else disable it using Intune and policies until they get this behaviour under control, as the computers become way too slow when it is enabled and things time out or even crash (like the update):
/Library/Application Support/Microsoft/DLP/com.microsoft.dlp.daemon.app/Contents/MacOS/dlpdaemon --daemon
You can determine if DLP is enabled by running "mdatp health".
If you see that data_loss_prevention_status, near the end, is not stopped or dormant, it is most likely enabled and affecting your performance.
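The two checks the posts above describe (the data_loss_prevention_status line in "mdatp health" and a "ps aux | grep dlpdaemon" process listing) can be wrapped in a small script so the state of a Mac can be verified consistently rather than by eyeballing the output. The script below is an added example and not code from the thread or from Microsoft; the health and process listings embedded in it are constructed samples that mirror the two states discussed, and the run_check function is where you would feed the real command outputs on a Mac.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Mac's MDE DLP state from
# `mdatp health` output and a `ps aux` listing. Sample outputs below are
# constructed; only run_check touches the real commands.

# Print the bare value of data_loss_prevention_status from health output on
# stdin (quotes stripped), or "unknown" when the line is absent.
dlp_status() {
    status=$(awk -F': *' '/data_loss_prevention_status/ { gsub(/"/, "", $2); print $2; exit }')
    printf '%s\n' "${status:-unknown}"
}

# Exit 0 when a dlpdaemon process is present in a ps-style listing on stdin.
# The second grep drops the "grep dlpdaemon" line a live pipeline would add.
dlp_daemon_running() {
    grep 'dlpdaemon --daemon' | grep -qv 'grep'
}

# Rule from the last post: anything other than stopped/dormant counts as active.
dlp_is_active() {
    case "$1" in
        stopped|dormant) return 1 ;;
        *) return 0 ;;
    esac
}

# Combine both signals into one line: $1 = health output, $2 = process listing.
dlp_verdict() {
    status=$(printf '%s\n' "$1" | dlp_status)
    if printf '%s\n' "$2" | dlp_daemon_running; then
        running=yes
    else
        running=no
    fi
    if dlp_is_active "$status" || [ "$running" = yes ]; then
        printf 'DLP ACTIVE (status=%s, daemon_running=%s)\n' "$status" "$running"
    else
        printf 'DLP OFF (status=%s, daemon_running=%s)\n' "$status" "$running"
    fi
}

# Live use on a Mac (not invoked here): pass the real command outputs.
run_check() {
    dlp_verdict "$(mdatp health)" "$(ps aux)"
}

# Constructed sample outputs (not real captures) covering both states.
SAMPLE_HEALTH_ACTIVE='healthy                                     : true
real_time_protection_enabled                : true
data_loss_prevention_status                 : "active"'

SAMPLE_HEALTH_DORMANT='healthy                                     : true
data_loss_prevention_status                 : "dormant"'

SAMPLE_PS_WITH_DAEMON='USER  PID  %CPU %MEM COMMAND
root  412  35.2  1.1 /Library/Application Support/Microsoft/DLP/com.microsoft.dlp.daemon.app/Contents/MacOS/dlpdaemon --daemon
user  990   0.0  0.0 grep dlpdaemon'

SAMPLE_PS_CLEAN='USER  PID  %CPU %MEM COMMAND
root  300   0.5  0.3 /usr/sbin/syslogd
user  990   0.0  0.0 grep dlpdaemon'

# Demonstration on the constructed samples.
dlp_verdict "$SAMPLE_HEALTH_ACTIVE" "$SAMPLE_PS_WITH_DAEMON"
dlp_verdict "$SAMPLE_HEALTH_DORMANT" "$SAMPLE_PS_CLEAN"
```

Checking the process list as well as the health status matters because of the behaviour described earlier in the thread: the config can report DLP as disabled while dlpdaemon keeps running, so a status-only check would miss the machines that are still paying the performance cost.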