MDATP Attempting to Downgrade?

Rmac
New Contributor

Hi Everyone,

We're running MS Defender (MDATP) in our environment and have recently seen the dashboard showing an 80% failure rate on what used to be an upper-90% success rate.

Our policy is set up for Login, Enrollment and Recurring Check-In triggers, and to install the wdav.pkg. During this check-in I've configured an Execute Command, "mdatp scan quick", as a sort of workaround to the scheduled scans configuration (I could never get it to execute with the launchd method).

This was going well until about a month ago, when we started seeing failures on most of our devices. The message from Jamf is generic:

"Installation failed. The installer reported: installer: Package name is Microsoft Defender ATP
installer: Upgrading at base path / installer: The upgrade failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “wdav.pkg”.)"

Pulling the install log indicates it's attempting to downgrade, and I can't explain why unless their "Custom Schema" JSON file on GitHub is invalid.

What I've been able to observe so far is that the specific version being referenced in the error file is also referenced in their JSON schema.

What I can't explain is why my test Mac has successfully run this policy while many others have failed, and so suddenly. The versions running on our Macs are much more recent than what I'm seeing referenced in the logs, so I understand the message; I just can't understand why it's even attempting it.

I planned on opening a ticket with MS but wanted to see if anyone here has seen something similar or could explain what's going on.

preinstall com.microsoft.wdav begin [2022-01-13 10:38:53 -0600] 1166
[StopAllRaw] OS_ARCH : x86_64
INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/..
correlation id=CORRELATION-ID-HERE
Generation installation id
Installation id: INSTALLATION-ID
Product version detected from build.plist
is_new_install=0, bundle_version=101.47.27, branch=release/2108-2
No proxy configured for telemetry URL
"version": "101.47.27", "severity": "I", "code":"InstallStarted", "text":"is_new_install='0', bundle_version='101.47.27', branch='release/2108-2', package='/Library/Application Support/JAMF/Downloads/wdav.pkg'"}]}
{"actions":[{"$type":"SignatureUpdateAction","versionId":"86869","updateUri":"https://cdn.x.cp.wd.microsoft.com/av64bit"}]}[LogTelemetry] result=0
[ERROR] Downgrade from 101.54.16 to 101.47.27 is not permitted
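
The log ends with the installer's preinstall script refusing to replace 101.54.16 with the 101.47.27 carried by the cached wdav.pkg. As an added example (not code from the post above, from Jamf or from Microsoft), this is a preflight a policy script could run before handing the package to the installer: it compares the version already on the Mac with the version inside the package and refuses to run when that would be a downgrade. Assumptions, flagged in the comments: `mdatp health --field app_version` prints the installed version as a quoted JSON string, and the package version is the `version` attribute of the `pkg-info` element in the PackageInfo file you get from `pkgutil --expand`. The PackageInfo text at the bottom is constructed to mirror the numbers in the log, not taken from a real package.

```sh
#!/bin/sh
# Added example, not code from the original post, from Jamf or from Microsoft.
# Preflight for a Jamf policy that installs a cached wdav.pkg: compare the
# version already on the Mac with the version carried by the package and skip
# the installer when running it would be the downgrade the log above rejects.

# Compare two dotted, numeric version strings field by field.
# Prints "gt" if $1 > $2, "lt" if $1 < $2, "eq" if they are equal.
version_cmp() {
  a="$1"; b="$2"; i=1
  while :; do
    x=$(printf '%s\n' "$a" | tr '.' '\n' | sed -n "${i}p")
    y=$(printf '%s\n' "$b" | tr '.' '\n' | sed -n "${i}p")
    if [ -z "$x" ] && [ -z "$y" ]; then echo eq; return 0; fi
    x=${x:-0}; y=${y:-0}          # a missing field counts as 0, so 101.47 == 101.47.0
    if [ "$x" -gt "$y" ]; then echo gt; return 0; fi
    if [ "$x" -lt "$y" ]; then echo lt; return 0; fi
    i=$((i + 1))
  done
}

# Installed version as reported by the Defender CLI. Assumption: the field is
# named app_version and is printed as a JSON string, e.g. "101.54.16".
installed_version() {
  mdatp health --field app_version 2>/dev/null | tr -d '"'
}

# Version carried by the package, read from the version attribute of the
# pkg-info element in its PackageInfo (expand with: pkgutil --expand wdav.pkg
# /tmp/wdav, then look for PackageInfo under the expanded directory).
# Argument: the PackageInfo XML text. The space before version= stops the
# pattern from matching format-version="2".
pkg_version_from_packageinfo() {
  printf '%s\n' "$1" | sed -n 's/.*<pkg-info[^>]* version="\([^"]*\)".*/\1/p' | head -n 1
}

# Policy decision. $1 = installed version, $2 = package version.
# Prints install, skip-current or refuse-downgrade.
decide() {
  case $(version_cmp "$2" "$1") in
    gt) echo install ;;
    eq) echo skip-current ;;
    lt) echo refuse-downgrade ;;
  esac
}

# Constructed sample (not a real PackageInfo) carrying the version from the log.
SAMPLE_PACKAGEINFO='<?xml version="1.0" encoding="utf-8"?>
<pkg-info format-version="2" identifier="com.microsoft.wdav" version="101.47.27" install-location="/" auth="root">
</pkg-info>'

demo() {
  installed=101.54.16               # on a real host: installed=$(installed_version)
  pkg=$(pkg_version_from_packageinfo "$SAMPLE_PACKAGEINFO")
  echo "installed=$installed package=$pkg action=$(decide "$installed" "$pkg")"
}
demo
```

Run as a script before the `installer` step and only continue when `decide` prints `install`; on the host in the log it prints `refuse-downgrade`, which is the same condition the package's preinstall script enforces, caught before the policy is marked failed. The comparison is numeric, so it is only meant for Defender's `major.minor.patch` scheme.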

Louie
New Contributor III

Have you tried curling the WDAV package straight from MS? That is what I do, and then just run a Developer ID check on it.
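
As an added example of the check Louie describes (this is not his or Microsoft's code), the script below fetches wdav.pkg with curl and only accepts it when `pkgutil --check-signature` reports an Apple-issued distribution signature whose leaf certificate is Microsoft's Developer ID Installer certificate. Two assumptions are flagged in the comments and should be confirmed against Microsoft's current documentation: the download link is the one from Microsoft's manual deployment doc for Defender on macOS, and UBF8T346G9 is Microsoft's Apple Team ID. The two `pkgutil` outputs at the bottom are constructed for offline demonstration, not captured from a real run.

```sh
#!/bin/sh
# Added example, not Louie's or Microsoft's code: download wdav.pkg directly
# from Microsoft and refuse to install it unless pkgutil reports a valid
# Developer ID Installer signature for Microsoft's team.
#
# Assumptions (verify against current Microsoft docs before relying on them):
#  - WDAV_URL is the wdav.pkg link from Microsoft's manual deployment doc
#  - UBF8T346G9 is Microsoft's Apple Team ID
WDAV_URL="${WDAV_URL:-https://go.microsoft.com/fwlink/?linkid=2120136}"
EXPECTED_SIGNER='Developer ID Installer: Microsoft Corporation (UBF8T346G9)'

# Given the text printed by `pkgutil --check-signature <pkg>`, print "ok" when
# the package is signed with an Apple-issued distribution certificate and the
# leaf (entry 1 of the chain) is the expected signer; otherwise print a
# "reject: ..." reason and return 1.
signature_verdict() {
  out="$1"
  case $out in
    *"Status: signed by a developer certificate issued by Apple for distribution"*) ;;
    *) echo "reject: not signed with an Apple-issued distribution certificate"; return 1 ;;
  esac
  case $out in
    *"1. $EXPECTED_SIGNER"*) echo ok; return 0 ;;
    *) echo "reject: leaf certificate is not $EXPECTED_SIGNER"; return 1 ;;
  esac
}

# Download to $1 and verify. -L follows the go.microsoft.com redirect,
# -f fails on HTTP errors instead of saving an error page as the package.
fetch_and_verify() {
  dest="$1"
  curl -fsSL -o "$dest" "$WDAV_URL" || { echo "reject: download failed"; return 1; }
  signature_verdict "$(pkgutil --check-signature "$dest")"
}

# Constructed sample outputs (not from a real run) in pkgutil's layout.
SAMPLE_GOOD='Package "wdav.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Microsoft Corporation (UBF8T346G9)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_BAD='Package "wdav.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Some Other Vendor (ZZZZZZZZZZ)
    2. Developer ID Certification Authority
    3. Apple Root CA'

signature_verdict "$SAMPLE_GOOD"          # ok
signature_verdict "$SAMPLE_BAD" || true   # reject: leaf certificate is not ...
```

To use it for real: `fetch_and_verify /Library/Application\ Support/JAMF/Downloads/wdav.pkg` and proceed to `installer` only when it prints `ok`. Checking the Team ID in the leaf certificate, rather than just "signed", is what stops a package signed by some other valid Developer ID from passing.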

Rmac
New Contributor

Hey Louie,

Are you referring to Step 3, "Configure Microsoft Defender for Endpoint settings"?

I had not tried that. I simply copied the JSON file, created a new one in something like Notepad++ or an equivalent text editor, and uploaded it that way. I can give that a go, but if you're referring to some other process then I'm afraid I'm at a loss.