VirTool:Win32/DefenderTamperingRestore is triggering / recurring almost every day on a lot of devices
Hello,
We've recently moved from our main AV that we used for years to Microsoft Defender. So we've uninstalled our main AV on all of our devices, and we pushed / enabled Microsoft Defender via our RMM platform, and on 80% of our devices everything runs / is fine.
BUT, on 20% of our devices we are getting a lot of alerts regarding: "AV: Defender VirTool:Win32/DefenderTamperingRestore". This alert has to do with a reg key: hklm\software\policies\microsoft\windows defender\\DisableAntiSpyware. In the alert (see picture) it's not clear to see what is causing this alert, so it's driving us crazy, because it's triggering almost daily.
After a lot of research, this alert is not that dangerous; it's indicating that Microsoft Defender did a self-heal and reset itself. But we are getting tons of these alerts, with no clue where it's coming from or what the cause is.
Anybody here that had/has the same issue? Or knows a solution?
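A per-device triage for the alert described above, as an added example that is not part of the original post: it reads the policy value named in the alert and lists which process and account Defender recorded for each detection of that threat name. It assumes an elevated PowerShell session on an affected device with the built-in Defender cmdlets available; the function name `Get-DefenderTamperTriage` is hypothetical.

```powershell
# Added example (not from the original post). Run elevated on an affected device.
$ThreatName = 'VirTool:Win32/DefenderTamperingRestore'               # threat name from the alert
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'   # key from the alert
$ValueName  = 'DisableAntiSpyware'                                   # value from the alert

function Get-DefenderTamperTriage {   # hypothetical helper name
    # 1. Is the policy value present right now, and what is it set to?
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    $policyValue = if ($null -ne $item) { $item.$ValueName } else { '<not set>' }

    # 2. Current Defender state on this device.
    $status = Get-MpComputerStatus

    # 3. Map the threat name to its ThreatID, then pull the matching detections.
    $ids = @(Get-MpThreat -ErrorAction SilentlyContinue |
             Where-Object { $_.ThreatName -eq $ThreatName } |
             Select-Object -ExpandProperty ThreatID)

    $detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.ThreatID } |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object InitialDetectionTime,
                      ProcessName,      # process Defender associated with the detection
                      DomainUser,       # account context recorded for the detection
                      @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DisableAntiSpyware = $policyValue
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        DetectionCount     = $detections.Count
        Detections         = $detections
    }
}

$report = Get-DefenderTamperTriage
$report | Format-List ComputerName, DisableAntiSpyware, AntivirusEnabled,
                      RealTimeProtection, TamperProtected, DetectionCount
$report.Detections | Format-Table -AutoSize -Wrap
```

Comparing the `ProcessName`, `DomainUser` and detection times across the affected 20% of devices against the healthy ones shows whether the same writer and schedule recur on each.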