MT.1166 - Local Admin Merge should be disabled
Overview
Checks that every assigned Microsoft Defender Antivirus policy has local admin merge disabled, so that exclusions (and other Defender preferences) configured locally on the device are not merged into the centrally managed policy. A device with no assigned Defender Antivirus policy is not covered by this check.
When local admin merge is allowed, settings that a local administrator configures on the device (for example with Set-MpPreference or the Windows Security app) are combined with the Intune policy. An attacker who obtains local administrator rights can then add path or process exclusions that stop Defender from scanning their tooling, weakening endpoint protection without ever touching the Intune policy. Disabling the merge makes the assigned policy the only effective source of exclusions.
Remediation action:
- Open the Microsoft Intune admin center (formerly Microsoft Endpoint Manager) > Endpoint security > Antivirus
- Edit each Microsoft Defender Antivirus policy that is assigned to devices
- Set Disable Local Admin Merge to Disable Local Admin Merge so that locally configured settings are no longer merged with the policy, then re-run the test to confirm no assigned policy is left at the default
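The check and remediation described above, as an added PowerShell example that is not Maester's own test code. The first part evaluates antivirus policies in the shape that the Graph settings endpoint returns and reports which ones still allow local admin merge; the second part verifies the effective value on a managed device. The settings-catalog definition id, the `_1` value suffix meaning "Disable Local Admin Merge", and the registry locations are assumptions made for this example, not facts stated on this page.

```powershell
# Added example for this page, not Maester's own test code.
# Part 1 evaluates settings-catalog antivirus policies (the shape returned by
# GET /beta/deviceManagement/configurationPolicies/{id}/settings) for the
# Disable Local Admin Merge setting. Part 2 checks the resulting state on a device.
# Assumptions, not taken from this page: the settings-catalog definition id
# 'device_vendor_msft_policy_config_defender_disablelocaladminmerge', the '_1'
# value suffix meaning "Disable Local Admin Merge", and the registry locations.

$DefinitionId = 'device_vendor_msft_policy_config_defender_disablelocaladminmerge'

function Test-LocalAdminMergePolicy {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Settings
    )
    # Locate the setting instance; an absent setting means the default
    # (local admin merge enabled) applies, which is a failure for this check.
    $instance = $Settings |
        Where-Object { $_.settingInstance.settingDefinitionId -eq $DefinitionId } |
        Select-Object -First 1
    if (-not $instance) {
        return [pscustomobject]@{ Policy = $PolicyName; Configured = $false; MergeDisabled = $false }
    }
    $value = $instance.settingInstance.choiceSettingValue.value
    [pscustomobject]@{
        Policy        = $PolicyName
        Configured    = $true
        MergeDisabled = ($value -eq "${DefinitionId}_1")
    }
}

# Constructed sample data in the Graph settings shape: one compliant policy,
# one that explicitly allows merge, and one that never configures the setting.
$SamplePolicies = @(
    @{ Name = 'AV - Workstations'; Settings = @(
        @{ settingInstance = @{ settingDefinitionId = $DefinitionId
                                choiceSettingValue  = @{ value = "${DefinitionId}_1" } } }) }
    @{ Name = 'AV - Servers';      Settings = @(
        @{ settingInstance = @{ settingDefinitionId = $DefinitionId
                                choiceSettingValue  = @{ value = "${DefinitionId}_0" } } }) }
    @{ Name = 'AV - Kiosks';       Settings = @() }
)

$results = foreach ($p in $SamplePolicies) {
    Test-LocalAdminMergePolicy -PolicyName $p.Name -Settings $p.Settings
}
$results | Format-Table -AutoSize
# Workstations reports MergeDisabled=True; Servers and Kiosks report False.

# Live run against a tenant (requires Connect-MgGraph with
# DeviceManagementConfiguration.Read.All; paging via @odata.nextLink omitted).
# Invoke-MgGraphRequest returns hashtables, matching the sample shape above.
# $filter = "templateReference/templateFamily eq 'endpointSecurityAntivirus'"
# $policies = (Invoke-MgGraphRequest -Method GET -Uri "beta/deviceManagement/configurationPolicies?`$filter=$filter").value
# foreach ($pol in $policies) {
#     $settings = (Invoke-MgGraphRequest -Method GET -Uri "beta/deviceManagement/configurationPolicies/$($pol.id)/settings").value
#     Test-LocalAdminMergePolicy -PolicyName $pol.name -Settings @($settings)
# }

function Test-LocalAdminMergeOnDevice {
    # Where the effective policy value lands on a managed device; assumed
    # locations (Intune CSP writes under Policy Manager, Group Policy under Policies).
    $candidates = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Policy Manager',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    )
    foreach ($path in $candidates) {
        $item = Get-ItemProperty -Path $path -Name DisableLocalAdminMerge -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $path; MergeDisabled = ($item.DisableLocalAdminMerge -eq 1) }
        }
    }
    # No value written anywhere: the device still merges local settings.
    [pscustomobject]@{ Source = 'not configured'; MergeDisabled = $false }
}

Test-LocalAdminMergeOnDevice
```

The policy-side function treats "setting not present" as a failure on purpose: an antivirus profile that never configures Disable Local Admin Merge leaves the default in force, which is exactly the state this test flags. Run the device-side function on a machine after the policy has synced to confirm the remediation actually reached the endpoint, since a policy that is edited but not assigned changes nothing.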
Related links
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1166 |
| Severity | High |
| Suite | Maester |
| Category | Defender |
| PowerShell test | Test-MtMdeDisableLocalAdminMerge |
| Tags | Defender, Maester, MT.1166 |
Source
- Pester test: tests/Maester/Defender/Test-MtMdeAntivirusPolicy.Tests.ps1
- PowerShell source: powershell/public/maester/defender/Test-MtMdeDisableLocalAdminMerge.ps1