deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 22:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

s

Browse Source
This commit is contained in:
Tudor Dobrila 2019-10-31 22:50:57 -07:00
parent f238fa0785
commit 06a06a8625
4 changed files with 97 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
windows/security/threat-protection/TOC.md
View File

@ -322,6 +322,7 @@
##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/microsoft-defender-atp-mac-pua.md)
#### [Troubleshoot Microsoft Defender ATP for Mac]()
##### [Troubleshoot performance issues](windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md)
##### [Troubleshoot kernel extension issues](windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md)
#### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
#### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)

61
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
View File

@ -80,66 +80,11 @@ To complete this process, you must have admin privileges on the machine.
The installation proceeds.
> [!NOTE]
> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled.
> [!CAUTION]
> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](microsoft-defender-atp-mac-support-kext.md) for information on how to resolve this.
> [!NOTE]
> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-Time Protection will not be available until the machine is rebooted.
### Fixing disabled Real-Time Protection
If you did not enable Microsoft's driver during installation, then the application displays a banner prompting you to enable it:
![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png)
You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available:
```bash
$ mdatp --health
...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
...
```
> [!NOTE]
> You have a 30 minute window to enable Real-Time Protection from the warning banner, immediately following installation.
The warning banner contains a **Fix** button, which allows you to quickly enable Real-Time Protection, without having to open a command prompt. Select the **Fix** button. It prompts the **Security & Privacy** system window, where you have to **Allow** system software from developers "Microsoft Corporation".
If you don't see a prompt, it means that 30 or more minutes have already passed, and Real-Time Protection has still not been enabled:
![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png)
In this case, you need to perform the following steps to enable Real-Time Protection instead.
1. In Terminal, attempt to install the driver. (The operation will fail)
```bash
$ sudo kextutil /Library/Extensions/wdavkext.kext
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Diagnostics for /Library/Extensions/wdavkext.kext:
```
2. Open **System Preferences...** > **Security & Privacy** from the menu. (Close it first, if it's opened.)
3. **Allow** system software from developers "Microsoft Corporation"
4. In Terminal, install the driver again. This time the operation will succeed:
```bash
$ sudo kextutil /Library/Extensions/wdavkext.kext
```
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available:
```bash
$ mdatp --health
...
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
...
```
> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-time protection will not be available until the machine is rebooted.
## Client configuration

91
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md Normal file
View File

@ -0,0 +1,91 @@
---
title: Troubleshoot kernel extension issues in Microsoft Defender ATP for Mac
ms.reviewer:
description: Describes how to troubleshoot kernel extension related issues in Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, kernel, extension
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot kernel extension issues
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender ATP for Mac.
Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they are allowed to run on the device.
If you did not approve Microsoft's kernel extension during the deployment / installation of Microsoft Defender ATP for Mac, then the application displays a banner prompting you to enable it:
![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png)
You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device.
```bash
$ mdatp --health
...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
...
```
The following sections provide guidance on how to address this issue, depending on the method that you used to deploy Microsoft Defender ATP for Mac.
## Managed deployment
See the instructions corresponding to the management tool that you used to deploy the product:
- [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile)
- [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md#create-system-configuration-profiles)
## Manual deployment
If less than 30 minutes have passed since the product was installed, navigate to **System Preferences** > **Security & Privacy**, where you have to **Allow** system software from developers "Microsoft Corporation".
If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device:
![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png)
In this case, you need to perform the following steps to trigger the approval flow again.
1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device, however it will trigger the approval flow again.
```bash
$ sudo kextutil /Library/Extensions/wdavkext.kext
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Diagnostics for /Library/Extensions/wdavkext.kext:
```
2. Open **System Preferences** > **Security & Privacy** from the menu. (Close it first, if it's opened.)
3. **Allow** system software from developers "Microsoft Corporation"
4. In Terminal, install the driver again. This time the operation will succeed:
```bash
$ sudo kextutil /Library/Extensions/wdavkext.kext
```
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
```bash
$ mdatp --health
...
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
...
```

4
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
View File

@ -1,6 +1,6 @@
---
title: Microsoft Defender ATP for Mac
ms.reviewer:
ms.reviewer:
description: Describes how to install and use Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
search.product: eADQiWindows 10XVcnh
@ -14,7 +14,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: conceptual
---