Troubleshoot kernel extension issues in Microsoft Defender for Endpoint on macOS

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This article provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender for Endpoint on macOS.

Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they're allowed to run on the device.

If you didn't approve the kernel extension during the deployment/installation of Microsoft Defender for Endpoint on macOS, the application displays a banner prompting you to enable it:

RTP disabled screenshot.

You can also run mdatp health. It reports if real-time protection is enabled but not available. This indicates that the kernel extension isn't approved to run on your device.

mdatp health
...
real_time_protection_enabled                : false
real_time_protection_available              : true
...

The following sections provide guidance on how to address this issue, depending on the method that you used to deploy Microsoft Defender for Endpoint on macOS.

Managed deployment

See the instructions corresponding to the management tool that you used to deploy the product:

Manual deployment

If less than 30 minutes have passed since the product was installed, navigate to System Preferences > Security & Privacy, where you have to Allow system software from developers "Microsoft Corporation".

If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device:

Security and privacy window after prompt expired screenshot.

In this case, you need to perform the following steps to trigger the approval flow again.

  1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension wasn't approved to run on the device. However, it will trigger the approval flow again.

    sudo kextutil /Library/Extensions/wdavkext.kext
    
    Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
    Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
    Diagnostics for /Library/Extensions/wdavkext.kext:
    
  2. Open System Preferences > Security & Privacy from the menu. (Close it first, if it's opened.)

  3. Allow system software from developers "Microsoft Corporation"

  4. In Terminal, install the driver again. This time the operation will succeed:

    sudo kextutil /Library/Extensions/wdavkext.kext
    

    The banner should disappear from the Defender application, and mdatp health should now report that real-time protection is both enabled and available:

    mdatp health
    
    ...
    real_time_protection_enabled                : true
    real_time_protection_available              : true
    ...