SOLVED

Defender for Endpoint issues on Apple Silicon Macs (Issue: Action Needed)


Hi y'all,

 

We are using Defender for Endpoint on our Intel Macs without a hitch (both corp & BYOD devices). Now we are trying to have BYOD Apple Silicon Macs deployed with Defender for Endpoint.


This gives us a strange issue: The Defender for Endpoint icon in the menubar shows a warning: Action Needed.

 

Protection works fine and everything looks okay. Only the Defender for Endpoint icon keeps showing a warning (Action Needed).


When we click on the warning, just the normal Defender for Endpoint interface is shown, without any issues or actions.

 

We can't find anything online and it's driving us crazy.

 

To be clear: This works fine on our Intel Macs.

 

Please help!

 

We are using Jamf Pro.

26 Replies

@LeoJohn 

 

Same here.

 

On Mac M1 since version 101.61.69 and maybe even 101.60.91, I see the Defender icon with an X on it showing "Action needed" but everything seems to be running fine.

 

mdatp health in command line says healthy.

systemextensionsctl list shows activated and enabled.

 

Rebooting doesn't change anything, it starts up like this.

 

I'm using Intune and this was not an issue a few versions ago. Unsure if it is caused by the Monterey 12.3.1 update or a recent Defender update.

 

This is working well and without the X mark on Intel Macs.

Same here. The total lack of response from Microsoft on this post is also a little bit weird....

Yep, same here too, Apple Silicon only. I think it's probably a bug in a recent build, pretty sure this has only happened in the last few weeks.

Same issue here for the last 2-3 weeks. Issue started before I upgraded to macOS 12.3.1.

This resolved today with no apparent update to the binary version of MDATP. The cross symbol changed to a bang, "Action Recommended." Upon opening MDATP the "Fix" button appeared which directed me to Sys Prefs > Security and Privacy > Privacy Tab > Full Disk Access. Both Microsoft Defender and Microsoft Defender Security Extension were unticked (they were ticked previously and should be enabled via MDM anyway). Upon manually ticking them, MDATP became healthy.

HTH

Thought I'd check this myself, but I still have the issue and both were ticked already! Very strange indeed.

I'm trialling this as we are looking to deploy MDATP across the business (primarily Windows based clients) but could it be in the "security.microsoft.com" portal. Looking at my device there are 9 Security Recommendations.

Just a thought! Hopefully it is just a GUI bug :)

Could that be it perhaps and there is in fact no issue?

@LeoJohn 

 

Same issue here for the last 3 weeks.
I see the Defender icon with an X on it showing "Action needed" but everything seems to be running fine.

This is not applicable in our situation, no changes there.

I opened a Support case with Microsoft to resolve this issue I experienced on MDATP for macOS 101.61.69. The issue is fixed in MDATP version 101.65.24, which is currently not on the Production update track.

@DrewHjelm any plan from MS when this version will be available?

We have been seeing this issue for 4 - 6 weeks on our M1 MacBooks with Monterey.
I also checked the health and cloud connection status but everything looks fine. I think it's only the icon in the menu bar.

@JZ281174 - it's not on the production update ring yet, but it is on Dogfood ring if you want to run non-production software. I don't know when Microsoft will be releasing the update.

I think the problem is the encryption. If I turn off FileVault and restart the computer, Defender icon goes back to normal. I enable encryption again but when I restart the computer the Defender icon goes back to action needed. I have opened a ticket with MS.

We're getting the same here. Thought we were going mad.

Uninstalling and reinstalling works for a while (usually a couple of days or a shutdown/reboot is performed), but then the X and the 'Action Needed' message come back, yet the application appears to be running fine.

Also check sysprefs and all permissions are as they should be.

Hopefully the update will hit the production ring soon.

The new update of macOS, version 12.3.1, seems to bring back the check mark. Strange.....

@LeoJohn Not on our side. All affected MacBooks which were updated to 12.3.1 are affected like before. My MacBook was reset to factory on Friday and installed clean with 12.3.1, and on my MacBook it looks fine.
But we can't reset all affected MacBooks, so we need to wait for MS.

Not in our organization. And we're running 12.3.1.

The only time the checkmark is there is when Defender gets installed initially for us. As soon as you reboot or get an update of it, it becomes an X.
best response confirmed by LeoJohn (Brass Contributor)
Solution
Btw all: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-wor...

Seems like the fix got released today, expect updates to roll out...

"Fixed a regression introduced in version 101.61.69 where the status menu icon was sometimes showing an error icon, even though no action was required from the end user"
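
An added example, not part of the original thread and not Microsoft's tooling: a POSIX shell triage that separates the cosmetic icon regression from a real agent problem, using the health check and version numbers posted above (regression in 101.61.69, fix reported in 101.65.24). The function names and result labels are hypothetical, and `arm64` from `uname -m` is assumed to identify Apple Silicon.

```shell
#!/bin/sh
# Added example. Bounds are taken from the thread: regression introduced in
# 101.61.69 (release note), fix reported in 101.65.24 (support-case reply).
REGRESSED_IN="101.61.69"
FIXED_IN="101.65.24"

# version_lt A B: succeed if version A is numerically below version B.
# Returns 2 unless both arguments have the exact form N.N.N.
version_lt() {
    for v in "$1" "$2"; do
        case $v in
            *[!0-9.]*|*..*|.*|*.|*.*.*.*) return 2 ;;
            *.*.*) ;;
            *) return 2 ;;
        esac
    done
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # split both versions into six positional fields
    IFS=$old_ifs
    [ "$1" -ne "$4" ] && { [ "$1" -lt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -lt "$5" ]; return; }
    [ "$3" -lt "$6" ]
}

# classify_icon VERSION HEALTHY ARCH (labels are hypothetical):
#   unhealthy              the agent itself reports a problem; treat as real
#   known-icon-regression  healthy Apple Silicon agent in the regressed range
#   not-explained          healthy, but this regression does not account for a
#                          warning icon (e.g. check the Full Disk Access grants)
classify_icon() {
    ver=$1 healthy=$2 arch=$3
    if [ "$healthy" != "true" ]; then
        echo "unhealthy"; return
    fi
    if [ "$arch" = "arm64" ] && ! version_lt "$ver" "$REGRESSED_IN" \
        && version_lt "$ver" "$FIXED_IN"; then
        echo "known-icon-regression"; return
    fi
    echo "not-explained"
}

# On a Mac with Defender installed, classify the local agent.
if command -v mdatp >/dev/null 2>&1; then
    ver=$(mdatp health --field app_version | tr -d '"')
    ok=$(mdatp health --field healthy)
    classify_icon "$ver" "$ok" "$(uname -m)"
fi
```

The printed label can be collected per device by an MDM inventory script, so that only `unhealthy` and `not-explained` machines need a hands-on look.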