Troubleshooting Defender ATP installation on macOS Catalina (10.15.1)

I recently moved to a new macOS machine and updated it to 10.15.1 before enrolling it into Intune.

Our Intune instance automatically deploys and configures Defender ATP; however, Defender ATP failed to initialize on my new machine.

Initial error displayed:

No License found
Looks like your organization does not have a license for Microsoft 365 Enterprise subscription
Contact your administrator for help

This was strange, as Defender ATP is working on my other macOS device.
Regardless, I validated the license in the Azure console and locally on the device by running
mdatp --health

licensed : true

At this point I decided to re-install Defender ATP (re-install instructions here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources#uninstalling)

The re-install did not help.
The version we were publishing via Intune was rather dated (100.42.86), so I decided to republish a newer version (100.72.15).
Version 100.72.15 changed the error message, but Defender still did not work:

We’re having trouble starting this app
Please hold for a moment…

The health check had now regressed, with the following error message

daniil@Daniils-MBP Downloads % mdatp --health
Failed to connect to daemon. Reason: Connection refused

My first assumption was an issue with the kernel extensions, which are located in

/Library/Extensions/

Looking inside wdavkext.kext returned some interesting results

daniil@Daniils-MBP Tools % ls /Library/Extensions/wdavkext.kext/Contents/Resources/Tools 
check_state.sh	load.sh		wdavconfig.py
installlib.sh	uninstall	wdavstate.py

There are a number of scripts inside the extension package that can be used to check the health of the Defender installation

Running check_state.sh returned the following results

daniil@Daniils-MBP Tools % /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/check_state.sh
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
KEXT wdavkext is loaded
DAEMON wdavdaemon is not running
PROCESS Microsoft Defender is running, pid=2665
PROCESS wdavdaemon is not running

It looks like the issue is with wdavdaemon

macOS keeps the LaunchDaemon definitions in the following directory

/Library/LaunchDaemons

daniil@Daniils-MBP Tools % ls /Library/LaunchDaemons
com.microsoft.OneDriveUpdaterDaemon.plist
com.microsoft.autoupdate.helper.plist
com.microsoft.fresno.plist
com.microsoft.fresno.uninstall.plist
com.microsoft.office.licensingV2.helper.plist
com.microsoft.teams.TeamsUpdaterDaemon.plist

The plist responsible for wdavdaemon is com.microsoft.fresno.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>KeepAlive</key>
	<true/>
	<key>Label</key>
	<string>com.microsoft.fresno</string>
	<key>Program</key>
	<string>/Applications/Microsoft Defender ATP.app/Contents/Resources/wdavdaemon.app/Contents/MacOS/wdavdaemon</string>
	<key>RunAtLoad</key>
	<true/>
	<key>WorkingDirectory</key>
	<string>/Applications/Microsoft Defender ATP.app/Contents/Resources/wdavdaemon.app/Contents/MacOS</string>
</dict>
</plist>

Loading and starting the daemon manually did not succeed either

launchctl load /Library/LaunchDaemons/com.microsoft.fresno.plist
launchctl start com.microsoft.fresno

However, that did create a number of events in the system.log file

Oct 31 22:49:26 Daniils-MBP com.apple.xpc.launchd[1] (com.microsoft.fresno): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Oct 31 22:49:30 Daniils-MBP com.apple.xpc.launchd[1] (com.microsoft.fresno[3162]): Service exited with abnormal code: 13
Oct 31 22:49:30 Daniils-MBP com.apple.xpc.launchd[1] (com.microsoft.fresno): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Oct 31 22:49:36 Daniils-MBP com.apple.xpc.launchd[1] (com.microsoft.fresno[3163]): Service exited with abnormal code: 5

Looking at Crash Reports in the Console application, I saw a large number of wdavdaemon crashes

Looking through the crash log, the following line caught my attention

terminating with uncaught exception of type boost::filesystem::filesystem_error: boost::filesystem::create_directory: Permission denied: "/Library/Logs/Microsoft/mdatp/rotated"

Further investigation identified that the permissions on /Library/Logs/Microsoft had been changed. After resetting the permissions on the Microsoft folder, Defender ATP sprang back into life.
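As an added example (not part of the original post or of the Defender ATP tooling), the following script reproduces the two checks that located the fault above: it pulls the abnormal exit codes and respawn count for a launchd label out of system.log text, and it probes whether the daemon's log directory still allows the create_directory call that wdavdaemon crashed on. The LABEL and LOG_DIR values are taken from the post; the sample log is constructed from the lines shown above so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post. Triage helpers for a
# LaunchDaemon stuck in a crash loop because its log directory is unwritable.

LABEL="com.microsoft.fresno"                  # launchd label from the plist above
LOG_DIR="/Library/Logs/Microsoft/mdatp"       # parent of the "rotated" dir in the crash report

# Constructed sample: the four launchd lines from system.log shown in the post.
SAMPLE_LOG='Oct 31 22:49:26 Daniils-MBP com.apple.xpc.launchd[1] (com.microsoft.fresno): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Oct 31 22:49:30 Daniils-MBP com.apple.xpc.launchd[1] (com.microsoft.fresno[3162]): Service exited with abnormal code: 13
Oct 31 22:49:30 Daniils-MBP com.apple.xpc.launchd[1] (com.microsoft.fresno): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Oct 31 22:49:36 Daniils-MBP com.apple.xpc.launchd[1] (com.microsoft.fresno[3163]): Service exited with abnormal code: 5'

# abnormal_exit_codes LABEL LOGTEXT: prints the exit codes launchd reported
# for LABEL, space separated (e.g. "13 5"); empty if there were none.
abnormal_exit_codes() {
  printf '%s\n' "$2" \
    | sed -n "s/.*($1\[[0-9]*\]): Service exited with abnormal code: \([0-9]*\).*/\1/p" \
    | tr '\n' ' ' | sed 's/ $//'
}

# respawn_count LABEL LOGTEXT: number of times launchd pushed the respawn out,
# i.e. how many crash-loop iterations the log excerpt shows.
respawn_count() {
  printf '%s\n' "$2" | grep -c "($1): Service only ran for" || true
}

# can_create_subdir DIR: returns 0 if a subdirectory can be created inside DIR,
# which is exactly the create_directory operation that failed for "rotated".
can_create_subdir() {
  probe="$1/.perm-probe.$$"
  if mkdir "$probe" 2>/dev/null; then
    rmdir "$probe"
    return 0
  fi
  return 1
}

# dir_owner DIR: prints the owning user, to compare with the expected owner
# (root for the Microsoft log tree) when the permissions look tampered with.
dir_owner() {
  ls -ld "$1" | awk '{print $3}'
}

# Stand-alone run: live probe on the affected machine, plus the sample parse.
if [ -d "$LOG_DIR" ]; then
  echo "owner of $LOG_DIR: $(dir_owner "$LOG_DIR")"
  can_create_subdir "$LOG_DIR" && echo "create_directory OK" || echo "create_directory DENIED"
fi
echo "abnormal exit codes for $LABEL: $(abnormal_exit_codes "$LABEL" "$SAMPLE_LOG")"
```

On a live machine, feed the real log in with `abnormal_exit_codes "$LABEL" "$(grep "$LABEL" /var/log/system.log)"`; a non-empty code list combined with a DENIED probe points straight at the permission problem rather than at the kext.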