Policy to allow selected users to disable real-time

[Phil Dye 0]

I'm struggling to work out how to define a policy to allow a specific group of users (who I can identify OK with a dynamic group) to disable real-time file system protection, where it's enabled at a higher policy level.

At a high-group in the tree I assign a default "Antivirus - balanced" policy, which enables real-time file system protection, but if I create a deeper policy, then I can't seem to "set" it with a value that allows users to disable it; only that I can enforce it to be enabled or disabled.

Am I approaching this wrong?

[Marcos 5,070]

You would need to have a group of these users and with a policy assigned that has the "Start Real-time file system protection automatically" enabled but it cannot have a flag to be applied or enforced by the policy.

Only users with administrator rights can manually disable real-time protection if not set by a policy.

[Phil Dye 0]

But if I don't set it to be applied or enforced, then the policy is not set at all? (the tooltip shows "setting is not set", and there's no (1) lozenge against the category tree).

[Marcos 5,070]

You have basically 2 options:

1, Enable override mode in a policy that is applied on endpoints. You can select users from AD who will be able to override the policy and pause protection or change other settings.

2, Create a new group with the privileged users in it and a policy which will not have the above mentioned setting set by a policy bounded to this group. These users will be able to pause protection without using override mode provided that they have administrator privileges.