Troubleshooting Defender ATP installation on macOS Catalina (10.15.1)

I’ve recently changed to a new macOS machine and updated it to 10.15.1 prior to enrolling into Intune.

Our Intune instance automatically deploys and configures Defender ATP; however, Defender ATP has failed to initialize on my new machine.

Initial error displayed:

No License found
Looks like your organization does not have a license for Microsoft 365 Enterprise subscription
Contact your administrator for help

This was strange, as Defender ATP is working on my other macOS device.
Regardless, I have validated the license in the Azure console and locally on the device by running
mdatp --health

licensed : true

At this point I’ve decided to re-install Defender ATP (re-install instructions here).

Re-install did not help.
The version we were publishing via Intune was rather dated (100.42.86),
so I decided to republish a newer version (100.72.15).
The 100.72.15 version has changed the error message, but Defender still did not work.

We’re having trouble starting this app
Please hold for a moment…

Health check has now regressed with the following error message

daniil@Daniils-MBP Downloads % mdatp --health
Failed to connect to daemon. Reason: Connection refused

My first assumption was an issue with Kernel Extensions, which are located in


Looking inside the wdavkext.kext has returned some interesting results

daniil@Daniils-MBP Tools % ls /Library/Extensions/wdavkext.kext/Contents/Resources/Tools
uninstall

There are a number of scripts inside the extension package that can be used to check on the health of the Defender status

Running returned the following results

daniil@Daniils-MBP Tools % /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
KEXT wdavkext is loaded
DAEMON wdavdaemon is not running
PROCESS Microsoft Defender is running, pid=2665
PROCESS wdavdaemon is not running

Looks like the issue is with wdavdaemon

macOS houses instructions for LaunchDaemons in the following directory


daniil@Daniils-MBP Tools % ls /Library/LaunchDaemons

The plist responsible for wdavdaemon is

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
	<string>/Applications/Microsoft Defender</string>
	<string>/Applications/Microsoft Defender</string>

Loading and starting the daemon has not proven successful

launchctl load /Library/LaunchDaemons/
launchctl start

However that did create a number of events in the system.log file

Oct 31 22:49:26 Daniils-MBP[1] ( Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Oct 31 22:49:30 Daniils-MBP[1] ([3162]): Service exited with abnormal code: 13
Oct 31 22:49:30 Daniils-MBP[1] ( Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Oct 31 22:49:36 Daniils-MBP[1] ([3163]): Service exited with abnormal code: 5

Looking at Crash Reports in the console application I saw a large number of wdavdaemon crashes

Looking through the crash log the following line caught my attention

terminating with uncaught exception of type boost::filesystem::filesystem_error: boost::filesystem::create_directory: Permission denied: "/Library/Logs/Microsoft/mdatp/rotated"

Further investigation identified that the permissions for /Library/Logs/Microsoft had been changed. After resetting the permissions on the Microsoft folder, Defender ATP has sprung back into life.
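
The crash log names the leaf directory, while the changed permissions were on a parent of it. The script below is an added example, not part of the original post: it prints mode, owner and group for every component of the path so the output can be diffed against a machine where Defender ATP works. The function names are hypothetical; the default path is the one from the crash log above.

```shell
#!/bin/sh
# Added example: audit every component of a path that a daemon failed to
# create. Function names are illustrative, not part of any Microsoft tool.

# Print each ancestor of $1 from the top down, ending with $1 itself.
path_chain() {
    p=$1
    chain=
    while [ -n "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        chain="$p
$chain"
        p=$(dirname "$p")
    done
    printf '%s' "$chain"
}

# Print "mode owner group path" for each existing component. At the first
# missing component print "MISSING path" and stop: that is the directory
# the process was trying to create.
audit_path() {
    path_chain "$1" | while IFS= read -r comp; do
        if [ -e "$comp" ]; then
            # ls -ld instead of stat: stat's flags differ between macOS
            # and Linux. A trailing + or @ on the mode marks ACLs/xattrs.
            ls -ld "$comp" | {
                read -r mode links owner group rest
                echo "$mode $owner $group $comp"
            }
        else
            echo "MISSING $comp"
            break
        fi
    done
}

# Deepest component that exists. A "Permission denied" from
# create_directory is decided here or higher up, not at the missing leaf.
deepest_existing() {
    path_chain "$1" | while IFS= read -r comp; do
        [ -e "$comp" ] && echo "$comp"
    done | tail -n 1
}

# Default target is the path named in the crash log.
audit_path "${1:-/Library/Logs/Microsoft/mdatp/rotated}"
```

Run it with sudo on both the broken and the working machine and diff the two outputs; the first line that differs is the component whose permissions changed.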