Under policies and Non Compliances - I see Windows Defender Exploit Guard to be enabled, I have enabled it but I still see the Non Compliance

Question

Under policies and Non Compliances - I see Windows Defender Exploit Guard to be enabled, I have enabled it but I still see the Non Compliance

Sanket Kalyankar 0

I have a Policy Non Compliance: ES-2 Use modern anti-malware software and under details I get Windows Defender Exploit Guard to be enabled. I followed documentation and enabled the Windows Defender Exploit Guard, along with Controlled Folder protection enabled.

But my non compliance flag does not go away, what do I do?

Siva shunmugam Nadessin 3,425 Reputation points Microsoft External Staff Moderator

2025-11-20T00:56:20.5466667+00:00
Hello Sanket Kalyankar,

It sounds like you're encountering a compliance issue even after enabling Windows Defender Exploit Guard and Controlled Folder Protection, which should typically address the "ES-2 Use modern anti-malware software" policy. Here are a few things you can check or try to resolve this:

Ensure All Features Are Properly Configured:

Windows Defender Exploit Guard has several components. Verify that all necessary features are enabled and configured as required for compliance:

Exploit Protection (for both system-wide and individual app settings)

Controlled Folder Protection

Network Protection

Attack Surface Reduction (ASR) rules

Sometimes, missing a single setting can prevent compliance from being recognized.

Check Group Policy and Security Settings:

Ensure that the settings you’ve enabled are not being overridden by Group Policy or other security settings in your environment. Specifically, check the Group Policy settings under Computer Configuration > Administrative Templates > Windows Components > Windows Defender Exploit Guard.

Also, verify that Windows Defender is not being disabled by any other management tool like Intune, SCCM, or other endpoint management systems.

Check Defender Version and Updates:

Ensure that your Windows Defender is up to date. Sometimes, an outdated version of Windows Defender can lead to incorrect reporting of compliance status.

Validate Compliance with a Security Baseline:

If you’re using Azure Security Center or another compliance tool, check the security baseline applied to your systems. Ensure the baseline requires all the relevant components (Exploit Guard, Controlled Folder Protection, etc.) to be enabled, and that there are no exceptions or misconfigurations.

Check Windows Defender Logs:

Look at the Event Viewer logs under Applications and Services Logs > Microsoft > Windows > Windows Defender for any relevant logs that might provide insight into why the flag remains.

Perform a Compliance Remediation Scan:

You may need to initiate a compliance scan or remediation from your compliance tool to reassess the system’s compliance state after making the necessary changes.

Reboot the System:

After enabling or configuring the Defender settings, a reboot might be necessary for the changes to take effect.

Azure Security Center or Compliance Policy Sync:

If you’re managing this through Azure Security Center or Azure Policy, ensure that the system has properly synced and that the latest compliance state is reflected. Sometimes, compliance policies take time to reflect changes.

If none of the above works, it might be helpful to look at the exact error or message that your compliance tool or policy is showing. That can provide more context about the specific aspect that’s still out of compliance.

Let me know if you need help navigating any of these steps!

1 answer

Your answer

Answer 1

Hello Sanket Kalyankar,

Follow below steps

1) Verify the anti‑malware solution and state on the VM

Azure ES‑2 expects Microsoft Defender Antivirus (and often Defender for Endpoint) with:

Real‑time protection ON
Signatures updated within ≤24 hours
Optional WDEG components (ASR, Network Protection, CFA) per your baseline

# Defender AV health & signature currency
Get-MpComputerStatus | Select AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                       AntivirusSignatureLastUpdated, NISEnabled, IoavProtectionEnabled
 
# WDEG & CFA/ASR preferences
Get-MpPreference | Select EnableNetworkProtection, EnableControlledFolderAccess,

If any are off/stale:

Set-MpPreference -DisableRealtimeMonitoring $false
Update-MpSignature
Set-MpPreference -EnableNetworkProtection Enabled
# CFA is optional for ES-2; enable only if in your baseline:
Set-MpPreference -EnableControlledFolderAccess Enabled

2) Make sure Azure can see the configuration (extensions/agents)

ES‑2 compliance for Azure VMs depends on these components being present:

Guest Configuration (GC) extension → lets Azure Policy audit OS settings
(If using Defender for Cloud endpoint assessments) Azure Monitor Agent (AMA) and required data collection
(If your initiative maps to MDE signals) Microsoft Defender for Endpoint (MDE) onboarding and reporting

Validate extensions from Azure:

# Guest Configuration extension on the VM
Get-AzVMExtension -ResourceGroupName <RG> -VMName <VM> |
If GC/AMA/MDE are missing, deploy them (see Step 4 remediation).

Check the Azure Policy assignment details

Common causes of persistent Non‑compliant:

Assignment effect is AuditIfNotExists/DeployIfNotExists but the managed identity doesn’t have rights → remediation never runs
Wrong parameters/scope (subscription/RG/OS filters) → target VM not covered
Policy requires MDE/endpoint protection data but MDE isn’t onboarded

Verify in Azure Policy (Portal):

Assignments → open your ES‑2 initiative → confirm System‑assigned managed identity is ON.
Permissions → The assignment’s identity needs Contributor (or appropriate) on the VM/RG.
Parameters → OS type, resource filters, workspace links (if applicable) are correct.
Compliance tab → select your VM → Create remediation task for non‑compliant definitions and monitor task status.

4) Remediate from Azure (examples)

A. Re‑install Guest Configuration on the VM (if missing):

Set-AzVMExtension -ResourceGroupName <RG> -VMName <VM> `
  -Name "GuestConfiguration" -Publisher "Microsoft.GuestConfiguration  -Name "GuestConfiguration" -Publisher "Microsoft.GuestConfiguration" `

B. Ensure AMA is present (for Defender for Cloud endpoint assessment):

New-AzVMExtension -ResourceGroupName <RG> -VMName <VM> `  -Name "AzureMonitorWindowsAgent" -Publisher "Microsoft.Azure.Monitor" `  -Type "AzureMonitorWindowsAgent" -TypeHandlerVersion "1.10"

C. MDE onboarding (if your ES‑2 mapping expects MDE signals): Use your org’s onboarding package (local script or MSI) and confirm the device appears in the MDE portal and is reporting. [Microsoft...r Endpoint | SharePoint]

After remediation, run a compliance scan (Guest Configuration will evaluate on its next cycle) and expect status changes within a few hours; endpoint protection assessments can lag until the next heartbeat.

5) Force a fresh VM‑side compliance posture (optional but helpful)

# Confirm Defender AV final state again
Get-MpComputerStatus | Select AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated 
# If policy depends on Defender for Cloud endpoint state, ensure AMA is sending
#

Why the flag didn’t clear after WDEG/CFA

ES‑2 is about “modern anti‑malware” coverage + recognized telemetry (Defender AV/MDE), not just WDEG features.
Without Guest Configuration/AMA/MDE and a successful Policy remediation/evaluation, Azure doesn’t mark the VM compliant—even if the OS setting is correct.

Let us know the above steps helped.

Siva shunmugam Nadessin 3,425 Reputation points Microsoft External Staff Moderator

2025-12-12T10:26:37.0766667+00:00

Hello Sanket Kalyankar,

Just checking in to see if the solution shared above help you to resolve your issue. please reach out to us If you have any further questions.

Thanks

Share via

Under policies and Non Compliances - I see Windows Defender Exploit Guard to be enabled, I have enabled it but I still see the Non Compliance

1 answer

Your answer