Windows Defender Exploit Guard should be enabled on machines - False Positive

Ron de Frates 20

I configured my VM running Win11 Enterprise as follows, but am still getting flagged for this.

Note: I installed the Guest Configuration extension on this same server (see last screen shot).

Thanks

User's image

User's image

User's image

Raja Pothuraju 43,660 Reputation points Microsoft External Staff Moderator

2025-06-30T01:57:48.5966667+00:00

Hello Ron de Frates,

I see that your VM "5xserver" is showing up under healthy resources, which means the Guest Configuration extension has been provisioned successfully. If it appears under unhealthy resources, that would indicate it was not provisioned correctly.
Ron de Frates 20 Reputation points

2025-06-30T16:42:01.3633333+00:00

There are no servers that show up under the "Unhealthy" tab for Guest Configuration Extension. Therefore, we can both agree that the Guest Configuration is not the issue.

Rather, the problem is with the "Defender Exploit Guard should be enabled". Why does Defender flag this when it appears to be configured correctly (see screenshots in the previous message.

2 answers

Ron de Frates 20 Reputation points

2025-07-01T22:21:13.2766667+00:00

I was able to resolve this by enabling Controlled Folder via the Group Policy Management Editor interface. I originally used the PowerShell Command per https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders?WT.mc_id=Portal-Microsoft_Azure_Security:

Set-MpPreference -EnableControlledFolderAccess Enabled

This did not work per the documentation, so I had to set this manually as follows:
Please sign in to rate this answer.
Raja Pothuraju 43,660 Reputation points Microsoft External Staff Moderator

2025-07-02T07:59:46.19+00:00

Ron de Frates, thank you for sharing the solution here. This will help others in the community who are looking for a similar solution.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Ron de Frates 20 Reputation points

2025-07-03T18:23:13.44+00:00
I'm still getting "Windows Defender Exploit Guard should be enabled on machines" despite:

enabling Controlled Folder

Guest Configuration extension has been provisioned successfully

ASR rules

Please advise.
Please sign in to rate this answer.
Raja Pothuraju 43,660 Reputation points Microsoft External Staff Moderator

2025-07-04T04:21:58.72+00:00

Hello Ron de Frates,

I would still say that the resource is in a healthy state. There’s no need to enable anything further, as the Guest Configuration extension has been provisioned successfully.

To discuss this in more detail, let’s connect offline over a Teams call. Please share your email address and your availability via private message.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Your answer