Oct 18 2022 11:57 AM - edited Jun 11 2024 05:45 AM
UPDATE, SEP-2023: Please contact MS Support and ask to enable EDR Exclusions in your tenant.
UPDATE, 2 JUN-2024: EDR Exclusions still in Private Preview. Must request this to be enabled by MS Support.
The process to add an EDR exclusion is not helping anyone, but wasting time and resources.
Current Process:
2019 Server
1 - Customer ID Issue - query taking longer than expected (32sec) with MDAV and MDE onboarded 2019Server. Passive mode shows no change. Uninstall MDAV, no change. Offboard machine (removes MsSense) query improves to 20sec. Install MDAV, query is the same. Onboard machine, query back to 32 secs.
2 - Open "Unified Enterprise" support ticket for MDE explaining that MsSense is causing slowness and need to add an exclusion. List the exact paths and the two processes that need exclusion.
3 - MS Support: We will need you to run the MDE Client Analyzer to collect the needed logs to troubleshoot your issue.
Download MDEClientAnalyzerPreview.zip from here:
Unzip to C:\MDE
Extract contents to "C:\MDE\MDEClientAnalyzerPreview"
From an elevated CMD prompt, run: "C:\MDE\MDEClientAnalyzerPreview\MDEClientAnalyzer.cmd" -c -d -v
When completed, send us "C:\MDE\MDEClientAnalyzerPreview\MDEClientAnalyzerResult.zip"
4 - Upload logs on Friday
5 - Monday - ask for update
6 - Tuesday - ask for update
7 - Wednesday - ask for update
8 - Thursday - Jump on a call with MS support to collect logs for PG group
9 - Friday - ask if PG group has update.
10 - Following Monday - ask if PG group has update. Escalate to TAM
11 - Following Tue, Wed, Thur - ask if PG group has update.
12 - Following Thursday - Support provides reg key to add and wait 5 mins to test.
13 - Following Thursday - 5 sec improvement in query. Ask for next steps.
14 - Following, following Monday - support reports asking PG group for update.
15 - Following, following Tuesday - Support reports PG group added 4 more process EDR exclusions and one path exclusion. Now run the logging above and resubmit.
Why so many steps and log collection for a simple EDR exclusion?
Oct 19 2022 12:47 AM
@MDEUser Not sure if you have run the Performance analyzer for Microsoft Defender Antivirus to understand what is causing the compute bottleneck?
Nov 13 2022 05:28 AM
@askvpb We also have issues with MSSense on multiple production servers. We have to respond quickly to this (it's production!), so I don't think Microsoft understands this. The delay in processing a support call to get an exclusion is not a real-world solution.
Until this is fixed, we have no option but to disable MSSense, which is not a great solution.
Ray.