MT.1166 - Local Admin Merge should be disabled
Overview
Checks that local admin merge is disabled in all assigned Microsoft Defender Antivirus policies, so that exclusions configured locally on a device are not merged into the centrally managed policy.
When local admin merge is allowed, a local administrator can override the managed policy and bypass security controls by adding their own exclusions, which weakens endpoint protection on that device.
Remediation action:
- Open Microsoft Endpoint Manager > Endpoint Security > Antivirus
- Edit the relevant Microsoft Defender Antivirus policy
- Set the Disable Local Admin Merge setting to Enable to prevent local overrides
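As an added example (not Maester's own code and not the Test-MtMdeDisableLocalAdminMerge implementation), the PowerShell below evaluates Defender Antivirus policy objects for the Disable Local Admin Merge setting and reports which policies pass or fail. The policy shape, the setting definition id and the `_1` choice-value suffix are assumptions modelled on Intune settings catalog output, and the two policies are constructed sample data, so the script runs offline without a tenant.

```powershell
# Added example: evaluate Defender AV policy objects for "Disable Local Admin Merge".
# Assumption: settings catalog definition id for this setting (not taken from the page).
$DisableLocalAdminMergeId = 'device_vendor_msft_policy_config_defender_disablelocaladminmerge'

function Test-PolicyLocalAdminMergeDisabled {
    param(
        [Parameter(Mandatory)]
        [psobject]$Policy   # object with .name and .settings[] (settings catalog shape, assumed)
    )

    # Find the setting instance for Disable Local Admin Merge, if the policy configures it at all
    $setting = $Policy.settings |
        Where-Object { $_.settingInstance.settingDefinitionId -eq $DisableLocalAdminMergeId } |
        Select-Object -First 1

    if (-not $setting) {
        return [pscustomobject]@{ Policy = $Policy.name; Status = 'Fail'; Reason = 'Setting not configured' }
    }

    # Assumption: choice values end in _1 for Enable and _0 for Disable
    if ($setting.settingInstance.choiceSettingValue.value -like '*_1') {
        return [pscustomobject]@{ Policy = $Policy.name; Status = 'Pass'; Reason = 'Local admin merge disabled' }
    }

    return [pscustomobject]@{ Policy = $Policy.name; Status = 'Fail'; Reason = 'Setting present but not set to Enable' }
}

# Constructed sample policies: one compliant, one that never configures the setting
$policies = @(
    [pscustomobject]@{
        name     = 'AV - Baseline (compliant)'
        settings = @(
            [pscustomobject]@{
                settingInstance = [pscustomobject]@{
                    settingDefinitionId = $DisableLocalAdminMergeId
                    choiceSettingValue  = [pscustomobject]@{ value = "${DisableLocalAdminMergeId}_1" }
                }
            }
        )
    },
    [pscustomobject]@{
        name     = 'AV - Legacy (missing setting)'
        settings = @()
    }
)

$results = $policies | ForEach-Object { Test-PolicyLocalAdminMergeDisabled -Policy $_ }
$results | Format-Table -AutoSize

# Overall verdict mirrors the test's intent: every assigned policy must pass
$overall = -not ($results | Where-Object Status -eq 'Fail')
"Overall: $(if ($overall) { 'Pass' } else { 'Fail' })"
```

Feeding real policies in place of the constructed `$policies` array is a matter of retrieving them first and filtering to those that are assigned; the evaluation logic itself is independent of where the objects come from.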
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1166 |
| Severity | High |
| Suite | Maester |
| Category | Defender |
| PowerShell test | Test-MtMdeDisableLocalAdminMerge |
| Tags | Defender, Maester, MT.1166 |
Source
- Pester test: tests/Maester/Defender/Test-MtMdeAntivirusPolicy.Tests.ps1
- PowerShell source: powershell/public/maester/defender/Test-MtMdeDisableLocalAdminMerge.ps1