diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index bf8fe602cc..4227bc1111 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -322,6 +322,7 @@ ##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/microsoft-defender-atp-mac-pua.md) #### [Troubleshoot Microsoft Defender ATP for Mac]() ##### [Troubleshoot performance issues](windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md) +##### [Troubleshoot kernel extension issues](windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md) #### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md) #### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 08c55dea65..ebad31b8a5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -80,66 +80,11 @@ To complete this process, you must have admin privileges on the machine. The installation proceeds. -> [!NOTE] -> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled. +> [!CAUTION] +> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](microsoft-defender-atp-mac-support-kext.md) for information on how to resolve this. > [!NOTE] -> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-Time Protection will not be available until the machine is rebooted. - -### Fixing disabled Real-Time Protection - -If you did not enable Microsoft's driver during installation, then the application displays a banner prompting you to enable it: - - ![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png) - -You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available: - -```bash -$ mdatp --health -... -realTimeProtectionAvailable : false -realTimeProtectionEnabled : true -... -``` - -> [!NOTE] -> You have a 30 minute window to enable Real-Time Protection from the warning banner, immediately following installation. - -The warning banner contains a **Fix** button, which allows you to quickly enable Real-Time Protection, without having to open a command prompt. Select the **Fix** button. It prompts the **Security & Privacy** system window, where you have to **Allow** system software from developers "Microsoft Corporation". - -If you don't see a prompt, it means that 30 or more minutes have already passed, and Real-Time Protection has still not been enabled: - -![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png) - -In this case, you need to perform the following steps to enable Real-Time Protection instead. - -1. In Terminal, attempt to install the driver. (The operation will fail) - ```bash - $ sudo kextutil /Library/Extensions/wdavkext.kext - Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } - Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } - Diagnostics for /Library/Extensions/wdavkext.kext: - ``` - -2. Open **System Preferences...** > **Security & Privacy** from the menu. (Close it first, if it's opened.) - -3. **Allow** system software from developers "Microsoft Corporation" - -4. In Terminal, install the driver again. This time the operation will succeed: - -```bash -$ sudo kextutil /Library/Extensions/wdavkext.kext -``` - -The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available: - -```bash -$ mdatp --health -... -realTimeProtectionAvailable : true -realTimeProtectionEnabled : true -... -``` +> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-time protection will not be available until the machine is rebooted. ## Client configuration diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md new file mode 100644 index 0000000000..e65de0fa89 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md @@ -0,0 +1,91 @@ +--- +title: Troubleshoot kernel extension issues in Microsoft Defender ATP for Mac +ms.reviewer: +description: Describes how to troubleshoot kernel extension related issues in Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, kernel, extension +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Troubleshoot kernel extension issues + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +This topic provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender ATP for Mac. + +Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they are allowed to run on the device. + +If you did not approve Microsoft's kernel extension during the deployment / installation of Microsoft Defender ATP for Mac, then the application displays a banner prompting you to enable it: + + ![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png) + +You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device. + +```bash +$ mdatp --health +... +realTimeProtectionAvailable : false +realTimeProtectionEnabled : true +... +``` + +The following sections provide guidance on how to address this issue, depending on the method that you used to deploy Microsoft Defender ATP for Mac. + +## Managed deployment + +See the instructions corresponding to the management tool that you used to deploy the product: + +- [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile) +- [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md#create-system-configuration-profiles) + +## Manual deployment + +If less than 30 minutes have passed since the product was installed, navigate to **System Preferences** > **Security & Privacy**, where you have to **Allow** system software from developers "Microsoft Corporation". + +If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device: + +![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png) + +In this case, you need to perform the following steps to trigger the approval flow again. + +1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device, however it will trigger the approval flow again. + + ```bash + $ sudo kextutil /Library/Extensions/wdavkext.kext + Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } + Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } + Diagnostics for /Library/Extensions/wdavkext.kext: + ``` + +2. Open **System Preferences** > **Security & Privacy** from the menu. (Close it first, if it's opened.) + +3. **Allow** system software from developers "Microsoft Corporation" + +4. In Terminal, install the driver again. This time the operation will succeed: + +```bash +$ sudo kextutil /Library/Extensions/wdavkext.kext +``` + +The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available: + +```bash +$ mdatp --health +... +realTimeProtectionAvailable : true +realTimeProtectionEnabled : true +... +``` \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index f87f5332c7..95401373ae 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -1,6 +1,6 @@ --- title: Microsoft Defender ATP for Mac -ms.reviewer: +ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for Mac. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra search.product: eADQiWindows 10XVcnh @@ -14,7 +14,7 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ---