Troubleshoot kernel extension issues in Microsoft Defender for Endpoint on macOS

Applies to:

• Microsoft Defender for Endpoint on macOS
• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft 365 Defender

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This article provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender for Endpoint on macOS.

Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they're allowed to run on the device.

Tip

Kernel extensions only apply up to macOS Catalina (10.15). Starting with macOS BigSur (11), Microsoft Defender for Endpoint on macOS uses System Extensions.

If you didn't approve the kernel extension during the deployment/installation of Microsoft Defender for Endpoint on macOS, the application displays a banner prompting you to enable it:

You can also run mdatp health. It reports if real-time protection is enabled but not available. This indicates that the kernel extension isn't approved to run on your device.

mdatp health

...
real_time_protection_enabled                : true
real_time_protection_available              : false
...

The following sections provide guidance on how to address this issue, depending on the method that you used to deploy Microsoft Defender for Endpoint on macOS.

Managed deployment

See the instructions corresponding to the management tool that you used to deploy the product:

• JAMF-based deployment
• Microsoft Intune-based deployment

Manual deployment

If less than 30 minutes have passed since the product was installed, navigate to System Preferences > Security & Privacy, where you have to Allow system software from developers "Microsoft Corporation".

If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device:

In this case, you need to perform the following steps to trigger the approval flow again.

1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension wasn't approved to run on the device. However, it will trigger the approval flow again.

   sudo kextutil /Library/Extensions/wdavkext.kext
   

   Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
   Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
   Diagnostics for /Library/Extensions/wdavkext.kext:
   

2. Open System Preferences > Security & Privacy from the menu. (Close it first, if it's opened.)

3. Allow system software from developers "Microsoft Corporation"

4. In Terminal, install the driver again. This time the operation will succeed:

   sudo kextutil /Library/Extensions/wdavkext.kext
   

   The banner should disappear from the Defender application, and mdatp health should now report that real-time protection is both enabled and available:

   mdatp health
   

   ...
   real_time_protection_enabled                : true
   real_time_protection_available              : true
   ...
   

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.