As some of you may know MS messed up the the last version of Defender and it does not let the install go forward because tamper protection is set to block. Usually it sets it to enable the install and then back on. Does anyone have an easy way to do this in Jamf. I am not great with scripting and the only way I see to do it is via a few policies.
Question
MS Defender Update
You can temporarily set anti tamper mode to audit. I made a smart group where the Patch Management Title for Defener was not the latest and assigned this profile to it. Once machines update, the profile is no longer scoped and anti tamper goes back to the default block setting.
I ended up just making a policy with a script to turn it to audit, then download and install the package from MS and then turn back to block. Tested it and it worked on 4 Mac’s. Need to present to my InfoSec dept to approve this method.
+25Maybe someone should suggest the MS that the Defender anti-tamper mechanism should accommodate updating the agent without needing to disable itself completely?
It usually does but they messed up with the version before the one they just released this morning.
+13I knew coming here would find what i needed. I also noticed that MS defender was failing auto updates on my clients and need to implement a fix also
Here is the script I had Ai write since I am terrible at it.
#!/bin/bash
# Ensure script is run with sudo
if [[ $EUID -ne 0 ]]; then
echo "Please run this script with sudo."
exit 1
fi
echo "Setting Tamper Protection to AUDIT mode..."
mdatp config tamper-protection enforcement-level --value audit
echo "Downloading and installing Microsoft Defender package..."
PKG_URL="https://officecdnmac.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/MacAutoupdate/wdav.pkg"
PKG_PATH="/tmp/wdav.pkg"
curl -o "$PKG_PATH" "$PKG_URL"
if [[ $? -ne 0 ]]; then
echo "Failed to download package."
exit 2
fi
installer -pkg "$PKG_PATH" -target /
echo "Setting Tamper Protection to BLOCK mode..."
mdatp config tamper-protection enforcement-level --value block
echo "All steps completed successfully."
+13
What kind of prompt did you use for it to create that script and AI agent? ChatGPT?. kudos
I told Copilot to write a macOS shell script to change MS Defender to Audit Mode, download and install from this address and then to put tamper protection back to block
+13Maybe someone should suggest the MS that the Defender anti-tamper mechanism should accommodate updating the agent without needing to disable itself completely?
Yeah usually it works perfectly , even with JAMF PRO app installers assinged to do this, but this patch borked it. Seems that they added 3 new features in this patch - Well , 4 if you count this issue where it wont update :P
Sep-2025 (Build: 101.25072.0011 | Release version: 20.125072.11.0)
| Build: | 101.25072.0011 |
|---|---|
| Release version: | 20.125072.11.0 |
| Engine version: | 1.1.25060.3000 |
| Signature version: | 1.429.309.0 |
What's new
-
Enhanced malware detection timing and archive scanning improvements
-
Improved diagnostic capabilities and error reporting
-
Performance and diagnostic improvements for endpoint Data Loss Prevention (DLP)
-
Bug fixes
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.