I have some questions regarding Defender ATP/Defender AV. We currently have policies set via GPO to everyone. We have ring 1 that are on-boarded, McAfee removed, and we are getting full scan scheduled. Ring 2 however, are on-boarded but for some reason still getting the full scan policy. We thought that Defender would be 'asleep' until McAfee is removed. Is this the case here? or the GPO that is applied to everyone is allowing Defender to be full on active?
MsMpEng.exe is running constantly, We've reimaged a device with out on-boarding and process is not even running or eating Memory and CPU.