Here is my issue! On the base image Defender is ON but real-time protection is disabled and tamper protection is disabled. When the pool is imaged with the snapshot from that base though, the clones show "Virus and Threat Protection : status 'Unknown'" until I toggle Tamper Protection back on and then off again. Then it shows everything is fine.
WHAT is causing this to happen and how can I get a consistent result between the base image and the clones? I confirmed they are having the same GPOs applied so it's not an errant GPO changing the settings.
I may be wrong, but I would expect this because when the clone is made with realtime protection off, the OS doesn't know the status and hence it will be shown as Unknown. Turning it back on gets the status and remains in that even though it's turned off after a while.
Any reasons to turn off realtime protection? I would say it's as good (or bad) as not enabling Defender.
Our current AV provider isn't properly registering with MS Security Center. They say this is by design because they don't provide a 'local AV scanner' and that Defender should be used for on-demand and scheduled scans that require signature-based scanning. My intention was to put Defender in a state where it could still be used in that scenario but not be doing real-time scanning since the cloud AV is effectively doing that.
I should say our current and soon-to-be-former AV. But until it is former I have to deal with mitigating the performance impact of the 3rd party AV not disabling Defender and the two often fighting with each other - NOT ideal for my end users!