When will Microsoft allow the customer to manage EDR (MsSense) Exclusions?


The process to add an EDR exclusion is not helping anyone, but wasting time and resources.


Current Process:

2019 Server

1 - Customer ID Issue - query taking longer than expected (32 sec) with MDAV and MDE onboarded on a 2019 Server. Passive mode shows no change. Uninstall MDAV, no change. Offboard machine (removes MsSense), query improves to 20 sec. Install MDAV, query is the same. Onboard machine, query back to 32 secs.

2 - Open "Unified Enterprise" support ticket for MDE explaining that MsSense is causing slowness and need to add an exclusion. List the exact paths and the two processes that need exclusion.

3 - MS Support: We will need you to run the MDE Client Analyzer to collect the needed logs to troubleshoot your issue.

Download MDEClientAnalyzerPreview.zip from here:

Unzip to C:\MDE
Extract contents to "C:\MDE\MDEClientAnalyzerPreview"
From an elevated CMD prompt, run: "C:\MDE\MDEClientAnalyzerPreview\MDEClientAnalyzer.cmd" -c -d -v

When completed, send us "C:\MDE\MDEClientAnalyzerPreview\MDEClientAnalyzerResult.zip"


4 - Upload logs on Friday

5 - Monday - ask for update

6 - Tuesday - ask for update

7 - Wednesday - ask for update

8 - Thursday - Jump on a call with MS support collect logs for PG group

9 - Friday - ask if PG group has update.

10 - Following Monday - ask if PG group has update. Escalate to TAM

11 - Following Tue, Wed, Thur - ask if PG group has update.

12 - Following Thursday - Support provides reg key to add and wait 5 mins to test.

13 - Following Thursday - 5 sec improvement in query. Ask for next steps.

14 - Following, following Monday - support reports asking PG group for update.

15 - Following, following Tuesday - Support reports PG group added 4 more process EDR exclusions and one path exclusion. Now run the logging above and resubmit.

Why so many steps and log collection for a simple EDR exclusion?

3 Replies

@MDEUser Not sure if you have run the Performance analyzer for Microsoft Defender Antivirus to understand what is causing the compute bottleneck?

@askvpb We also have issues with MSSense on multiple production servers, we have to respond quickly to this (it's production!) so I don't think Microsoft understand this. The delay in processing a support call to get an exclusion is not a real world solution.

Until this is fixed, we have no option but to disable MSSense, which is not a great solution.

Ray.

We also have issues with MSSense. They really need to give us a way to easily add exclusions. Right now, we removed the EDR from some of our servers because using support to add exclusions is too slow (and not convenient at all).