Question

Microsoft Defender Configuration not sticking

  • July 9, 2025
  • 12 replies
  • 184 views

aburrow007

I’ve got a weird issue with MS Defender Configuration Profiles applying/Un-applying intermittently.

 

As part of our enrollment process we install MS Defender and apply Configuration Profiles. This has been working fine for close to 12 months.

Now, for some reason, even though the Configuration Profiles are still applying (you can see them in Device Management), the configuration doesn’t always apply, and even when it does apply the settings can stop taking effect shortly afterwards.

Device Management still has the Configuration Policies applied.

I’ve tried downloading fresh configurations, onboarding etc. from Microsoft with exactly the same result.

 

Has anyone else seen this?

 

12 replies

mvu
  • Jamf Heroes
  • July 9, 2025

I haven’t seen this. Anything in the Microsoft Defender logs on the security portal? Does this happen for all your devices?

 

 


Shyamsundar
  • Jamf Heroes
  • July 9, 2025

Are there any policies created from the MDE Portal? If yes, that will overwrite the configuration that comes from Jamf.


ktrojano
  • Jamf Heroes
  • July 10, 2025

 I haven’t seen this either. We don’t have any policies created in the MDE portal. All of the config profiles are coming from Jamf to the Macs along with the package to install Defender.


dsavageED
  • New Contributor
  • July 11, 2025

I have seen a weird timing issue, where the profile is on the system but Defender hasn’t picked it up. This can be resolved by re-installing the Defender app...


MemnochTheRed

I had this happen with Zoom. I have a script that removes managed plist so that it will update to the profile version. This should happen automatically, but this kickstarted the process for me. I subbed out the Zoom pref file for Defender’s.

Remove:

  • “/Library/Managed Preferences/com.microsoft.wdav.plist”

  • “/Library/Managed Preferences//$USERNAMES/com.microsoft.wdav.plist”

 

find "/Library/Managed Preferences" -name 'com.microsoft.wdav.plist' -exec rm -rf {} \;

The script finds the wdav plist in Managed Preferences and passes the array of files to be removed with the cmd ‘rm -rf’.

The difference for us may be that we use the IT package of Zoom that has a config PLIST that it installs.


aburrow007
  • Author
  • Jamf Heroes
  • July 17, 2025

Thanks for all the quick responses. I’ve continued testing. It’s occurring on all Macs. I’ve been assured there are no MDE Profiles being deployed, as well as assurances from Microsoft that if the “managed_by” field is set to “MDM” then Jamf takes precedence.

I can only delete plist files under 

  • “/Library/Managed Preferences//$USERNAMES/com.microsoft.wdav.plist”

Which has made no difference.

When I do a ‘mdatp health --details device_control’ on the affected machines I get:

v2_configured = true

v2_state = null

v2_sensor_connection = unavailable

v2_full_disk_access = not approved

Even though I’ve confirmed PPPC etc. are applying.
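
Added example (not part of the original posts, and not Microsoft or Jamf code): a small shell check that parses the `mdatp health --details device_control` output quoted above and logs one timestamped line per run, so the point at which the state regresses after a restart can be pinned down. It assumes "key = value" lines as typed in the post (a ":" separator is also accepted as an assumption about the tool's real output) and treats only the values reported in the post as unhealthy; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the four fields quoted in the post above.
SAMPLE='v2_configured = true
v2_state = null
v2_sensor_connection = unavailable
v2_full_disk_access = not approved'

# Values the post shows on affected Macs, treated here as unhealthy.
# The thread does not show healthy values, so nothing else is flagged.
is_bad_value() {
    case "$1" in
        null|unavailable|"not approved") return 0 ;;
        *) return 1 ;;
    esac
}

# Reads health output on stdin, prints "key=value" for each flagged
# field, and returns 1 if any field was flagged.
check_device_control() {
    bad=0
    while read -r key sep val; do
        # Accept "key = value" (as posted) and "key : value" (assumption).
        case "$sep" in "="|":") ;; *) continue ;; esac
        val=${val#\"}; val=${val%\"}    # drop surrounding quotes, if any
        if is_bad_value "$val"; then
            printf '%s=%s\n' "$key" "$val"
            bad=1
        fi
    done
    return "$bad"
}

# Use the real tool when present; otherwise fall back to the sample.
if command -v mdatp >/dev/null 2>&1; then
    report=$(mdatp health --details device_control)
else
    report=$SAMPLE
fi

# One timestamped line per run, so a change after a restart is visible.
if flagged=$(printf '%s\n' "$report" | check_device_control); then
    echo "$(date '+%Y-%m-%d %H:%M:%S') device_control ok"
else
    echo "$(date '+%Y-%m-%d %H:%M:%S') device_control unhealthy:" $flagged
fi
```

Appending the output to a log file on each run gives a per-restart record that can be attached to a vendor ticket.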

 


mvu
  • Jamf Heroes
  • July 17, 2025

Weird. Anything off with your scope? Any exclusions happening or limitations?


aburrow007
  • Author
  • Jamf Heroes
  • July 17, 2025

Everything I can see in exclusions and limitations looks as it should.

Further testing: if I exclude the Mac from the Configuration Profile and then reapply it, the Configuration Profile applies on first restart. On all subsequent restarts, although the Configuration Profile appears in Device Management, I don’t believe the settings are applying. Is it possible that somewhere between Jamf and the Mac the Configuration Profile is corrupted or somehow an older version is being applied?


mvu
  • Jamf Heroes
  • July 17, 2025

Was poking around our Microsoft Defender portal. New to Defender. It does sound like it’s happening on the Jamf side.

What version of macOS and Defender are you pushing? Are all the system extension, PPPC, and full disk access profiles pushed?

Worst case, can you re-build from scratch?


aburrow007
  • Author
  • Jamf Heroes
  • July 18, 2025

macOS - 15.5

Defender - 101.25052.0012

From what I can see, yes, everything that’s required is being pushed.

I’ve tried creating a fresh Jamf Configuration Profile with the same result. First restart looks good; subsequent restarts give the same result under device_control.


mvu
  • Jamf Heroes
  • July 18, 2025

Very odd. Same versions here.

Not sure if this would be a Jamf question or a Microsoft ticket. Sounds like Jamf, but who knows. Did you talk to either yet?


aburrow007
  • Author
  • Jamf Heroes
  • August 2, 2025

I’ve logged a ticket with both. Still waiting to hear back from Microsoft with anything useful anyway (they’ve been pretty slow to respond recently). Jamf helped, but in final summation it’s an MS issue, not something they can help with.

I’ve continued to do my own testing and, although not certain why, if the Endpoint Security Extension (epsext) is enabled then Endpoint DLP and Device Control (the 2 main features I need to work) are both in an unhealthy state. If I disable it then both Endpoint DLP and Device Control work as they should.