This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 53%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO%3C/text%3E%3C/svg%3E)
Hello,
Found possible issues using the scenario below:
1.
While all settings if opening Virus Protection settings are still ON and greyed out
Another interesting part is with Exclusions, together with "Disable Local Admin Merge" added some Exclusions, hoping that the Unassing policy would help, which is not, the Exclusions stuck in the settings and not being removed.
The question will be the usual one, why and how to fix it?
In my experience, the security baseline is a minimum set of settings that are recommended to be configured. When dealing with Defender and BitLocker settings I will suggest to disable these in the baseline and configure them using Endpoint Security profiles.
@Rahul Jindal [MVP] But settings are now stuck, even if I remove the assignment or add device/user in the "exclude" place, or add in Exclude + push new settings using the same policy but do other way Enable Local Admin Merge, the Real-Time Protection status = False. Same for Exclusions for Defender, the policy is no longer assigned, but Exclusions are present in Virus settings and in the registry. And it is not a 1x single device case, it is all devices.
How are you enabling real time monitoring outside the baseline? Can you share a screenshot?
We have it from Security Baseline. Security Baseline by the way created if follow the Onboarding process in Microsoft 365 E3 from Endpoint wizard. We have dedicated ASR policies under Endpoint security -> Attack surface reduction. Separate Tamper protection. And tested "Microsoft Defender for Endpoint baseline" to add/remove users to see if can somehow trigger the "re-enable". Also working with MS Support, already 4 months working on this issue......... they didn't found by the way that I found :) With MS Support we tested by adding OMA-URI with Integer 1: ./Device/Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring
I did try to remove All profiles from User or Device -> nothing changes,
Then I did try to push a new profile where all the below Defender settings were enabled from Endpoint security -> Antivirus;
The way I found it:
Then started adding one by one, like Security Baseline, sync, getting the report that the profile is deployed, go next, and so on, then when got it on the "Disable Local Admin Merge", then Real-Time Protection set as False.
some delay here with the comments :)
Some more findings, together with the policy were added dummy long character string values of random GUID in the Exclusions sections. With a length of 406 characters, looking like this, the data shown in the print screen below is from the Registry:
Seems this triggers the Real-Time Protection = False
So a quick summary:
Used Antivirus policy from Endpoint Security | Antivirus
Policy deployed 4 parameters:
When this policy is deployed, if run PowerShell, the result of the command: "Get-MpComputerStatus | Select RealTimeProtectionEnabled" -> False
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
Those entries still present in the container:
"ExcludedExtensions"="406 long char guide value as showed in the print screen above"
"ExcludedPaths"="406 long char guide value as showed in the print screen above"
"ExcludedProcesses"="406 long char guide value as showed in the print screen above"
And the solution, where Exclusions are stuck in the Registry, seems the old way PowerShell script via Intune:
$ScriptVersion = "DefenderRealTime_v6";
$checkExcludedExtensions = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" -Name "ExcludedExtensions" -ErrorAction SilentlyContinue
if ($checkExcludedExtensions) {
Write-Host "Defender Real-Time Protection Excluded Extensions found, removing"
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" -Name "ExcludedExtensions" -Force | Out-Null
}
$checkExcludedPaths = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" -Name "ExcludedPaths" -ErrorAction SilentlyContinue
if ($checkExcludedPaths) {
Write-Host "Defender Real-Time Protection Excluded Paths found, removing"
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" -Name "ExcludedPaths" -Force | Out-Null
}
$checkExcludedProcesses = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" -Name "ExcludedProcesses" -ErrorAction SilentlyContinue
if ($checkExcludedProcesses) {
Write-Host "Defender Real-Time Protection Excluded Processes found, removing"
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" -Name "ExcludedProcesses" -Force | Out-Null
}
exit $EXITCODE | Out-Null
Suspecting that need to stop this script after all devices receive it, but, thinking out loud, why not keep it, why users should add anything in the Exclusion when we try to disable it :)
Based on the above, the issue subject of this reported issue must change from "Disable Local Admin Merge | Non-compliant device | Defender" -> "Defender Exclusions stuck in Registry | RealTimeProtection status False | Non-compliant device ".
Found fix I guess, but new question opens "Using Intune, using MS365E3, how to disallow end-users to add Exclusions when end-user do have Administrative rights on the device?"