Big Sur - ATP defender......killing me slowly

jameson
Contributor II

I have spent almost 3 days on getting Windows Defender working on Big Sur,
and it just keeps on getting strange behavior.

I have followed the following Microsoft site, which was updated recently, and it is fairly easy to create the described config profiles and mobileconfig in Jamf.

But every time it just pops up with "system extension needs to be approved". I found some other examples, and right now I am in a spot where I actually don't know what I should try anymore. Has anyone gotten this working? Then PLEASE share with me :)

Right now I am just setting up a 2018 MacBook Pro (so Intel) with a fresh install of Big Sur - and it just keeps bothering me with these popups.

6 REPLIES

walt
Contributor III

What do your profiles and policy look like?
Are you installing the profiles before installing Defender?

jameson
Contributor II

Oops, forgot to paste the link.
The following is what I follow - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies

And yes - the profiles are there before installation

walt
Contributor III

Might be better to see how they're configured, if you want to provide any sanitized versions. I followed the same process and do not see any prompts. Are you using the latest/compatible version for systemextensions? Do you have screenshots of the prompts?

mgshepherd
Contributor

I do remember on my end having to make sure the content filtering profile I was uploading was signed; it seemed to work fine after that. I am looking forward to my JAMF instance being updated to 10.26 this coming weekend, which will allow me to create content filtering profiles rather than making them myself. Wonder if that would make things easier for you?

NPU-Casper
New Contributor III

@jameson Did you ever get it working? I am having similar issues in our environment. ATP is working on our Catalina devices, but on my test Big Sur device no joy! I followed the same MS guide you did, but it still does not work. Anyone else figure it out? @mgshepherd What content filtering profile did you have to sign? I signed the "Network Extension Policy" MS instructed to sign; is that what you are talking about?

jaol
New Contributor

I also made profiles from that Microsoft site, and have this problem after upgrading the machine to Big Sur. I found that removing Defender and installing it again solves this. Btw, if I remove Microsoft Defender ATP.app from Finder, it says that System Extensions exist and will be removed. And they were indeed removed (verified with systemextensionsctl list). But if I remove Microsoft Defender ATP.app from the terminal, the System Extensions still exist, even after a reboot. Is there some easy way (without disabling SIP) to remove System Extensions from the terminal?