Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

MDE apparently blocks MacOS Monterey 12.1 / 12.2 upgrades?

Copper Contributor

The last days we have encountered a situation where the upgrade to MacOS Monterey 12.1 or 12.2 fails.

After several reboots the machine returns to the state before the upgrade started, with the addition of several applications crashing upon startup and needing reinstalls of these. This has happened to several machines, both Intel and ARM models when trying to upgrade from various MacOS versions such as 12.0.1 and 11.6.x.

Several repeated attempts give the same result:

It occurred that we might have a compatibility issue with Defender ATP (101.56.35) - and after removing this application completely and retrying the OS upgrade, this was completed without any issues.

Defender ATP was then reinstalled and now works without issues. The same goes for other applications that were "corrupted" during the first tries. Among them are OneDrive and Teams. After a "delete and reinstall" they all now work fine.

A less "Brutal" approach is also tried out (edit: which did not help) disabling various Defender modules, but this is rather time consuming since we do not know the result before the whole upgrade process is "complete".

Anyone else seeing a similar pattern?

20 Replies
Yup, I'm seeing the same thing. We had no issue updating to 12.1. Trying to update 12.2 seems to have removed rosetta (For Apple silicon macs), and messed with Teams and Onedrive.

It seems that the update goes through but when they go to check the system they're still on 12.1. Uninstalling Defender allows the update to run through fine. Hoping someone can find a solution to this

@Eric Iversen,


Hi Eric,
Thanks for reaching out about the issue. We are investigating the upgrade issues to identify root causes and plan for fixes in coming product releases.

Please contact Microsoft Defender for Endpoint support to open a service request by following the process documented here

Yes, same here. From 12.1 to 12.2. upgrade completed but after last reboot, MacOS remained on 12.1.

Looking at the logs, there were errors related to DLP and Defender which creates some issue with the upgraded disk Volume. Seems like the Upgrade process doesn't like this and thinks there is an issue and rolls back to the previous snapshot or something like that thus remaining on 12.1 instead of being upgraded to 12.2

I was able to get it through after I added com.apple.MobileSoftwareUpdate.UpdateBrainService to the process exclusion list in Defender. Not sure if that's what did it or I was just lucky.

I also now see that DLP (Data Loss Protection) seems supported in MDE for MacOS and my logs were full or errors related to it since it was not properly configured/enabled in intune and this was preventing some extensions in MacOS from being loaded properly, possibly making this more problematic since the filesystem didn't seem to recognize the DLP attributes in the filesystem properly because of this.

I properly allowed and enable the DLP loading in MDE (mdatp health)

data_loss_prevention_status : "active"

And DLP errors are gone and it seems to properly works now. as I see logs being pushed to 365 Compliance. However, be careful, this seems to have a huge CPU and IO impact on everything.
Thanks, good to know we are not alone in this. :)
Hi, thanks for responding - we will open a service request.
Thanks a bunch - so it might not be a bug but a feature then.

Not the first time a feature that remains in a "not configured" state leads to unforeseen side effects. We will have a closer look at the DLP settings in Endpoint Manager/Intune.
Right now I'm in the process of completely disabling DLP agent/daemon for MacOS since it makes the computers very slow and laggy. Especially in the browser (tested with Chrome and Edge). In the browser, the worst effect is when you type something in the search bar, when the DLP daemon runs (along MDE), you will notice that what you type is laggy and has a delay. If you disable DLP daemon and make sure the process doesn't run anymore "ps aux | grep dlpdaemon", you'll notice it's back to being very responsive and fast, as it should.

Make sure you don't see this process running or else, disable it using Intune and policies until they get this behaviour under control as the computers become way too slow when it is enabled and things timeout or even crash (like the update)

/Library/Application Support/Microsoft/DLP/com.microsoft.dlp.daemon.app/Contents/MacOS/dlpdaemon --daemon

You can determine if DLP is enabled if you run "mdatp health"

If you see that data_loss_prevention_status near the end, is not stopped or dormant, it means it is most likely enabled and affecting your performance.
What bugs me the most right now is that even though I disabled DLP through intune and that the config makes it to the Mac and I see it as disabled in mdatp, the dlpdaemon still continues to run and affect performance. Rebooting doesn't fix it, it starts again on the next boot even though it should be disabled.

So far, the only solution I found is to delete Microsoft Defender and wait for Intune to automatically reinstall it. Once you uninstall it, the dlpdaemon goes away after a few seconds as the Defender services stops and unload.

It's as if once it runs at least one time, it will always run, whether you disable it or not in the config. But if it is not allowed to run when install Defender, it will never run and you're good as it doesn't get configured (or something like that) and it will never run unless you enable it later on.

This is most likely a bug of some sort and I hope they fix it because no way I'm going to go manually on each Mac in the company and remove and then reinstall Defender on each of them, hehehe.
Tengo el mismo problema, aplace las actualizaciones de sistema y seguridad por 90 días en lo que se validaba el funcionamento de MacOS Monterey y ya que lo he probado y todo funciona bien, no puedo actualizar los dispositivos, ejecutan todo el proceso, se reiniciar pero regresa a la versión que tenia en un principio, desintale Defender en algunos equipos y se hace la actualizacion de forma correcta! Ojala pronto le den solución ya genere el caso pero no he recibido apoyo al dia de hoy!
They rolled out another update: 101.56.62 but it only says "Bug Fixes". Maybe it fixes this issue. Can you test it ?
Hey, thanks - yes, 101.56.62 does seem to make a big difference - some time before I saw your post here, a colleague just tried out this version after finding it on the preview channel - and tried re-creating the problem by downgrading machines to a previous OS version, then perform the upgrade to 12.2. With this version of MDE installed, the OS upgrade goes through without issues. Have you tried it yet?
I'll be testing a 12.2 to 12.2.1 upgrade myself tonight and a colleague will test the 12.1 to 12.2.1 or 12.2 upgrade also. I'll let you know our results once completed.
My upgrade to from 12.2 to 12.2.1 worked. I'll let you know about my colleague (from 12.1) probably on Monday.
Yes, I can confirm the same problem. Experienced the corruption of multiple applications when I installed 12.2 which led to full reinstall, (didn't have time to troubleshoot then). Then when attempting to install same upgrade without enrolling everything went smooth.
Later that day the computer was enrolled again. Yesterday I attempted to install 12.2.1 and the upgrade "failed" again. However this time no applications got corrupted.
Hi all,

We are experiencing the same thing with multiple Macs.

The workaround we have been using is updating via a bootable MacOS Installer. https://support.apple.com/en-au/HT201372
This apparently seems to be a "hit and miss" kind of issue. Sometimes, it works, sometimes it doesn't, at least with 101.56.62. My colleague upgraded from 12.1 to 12.2.1 and he was successful on first attempt. But I had multiple issues with 101.56.36. Either 101.56.62 improved the chance of success or maybe we were just lucky.

@pmonfette-ns 

 

We seem to have more Hits than Misses.

222 Monterey Total .

123 Monterey on 12.2

58 Monterey on 12.1

41 Monterey on 12.0

No reports of Upgrade issues from 12. to 12.2 so far.

They seem to have updated Defender to take into account a few issues in regards to the latest Monterey releases in the last few days:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-wor...

Especially in version: 101.59.50, maybe this version is more compatible now with Monterey upgrades ?
I'm running 101.60.91 (the latest from auto-update) and I've been able to upgrade from 12.2.1 to 12.3 without any issue.

I'll be curious to know if others have the same results.