Persistent Suppression for “Hosts not being properly protected” Escalation (Per Host)
Darrius Rubin
In environments where third‑party AV (e.g., Symantec) is intentionally the primary protection on certain servers (such as domain controllers), the “Hosts not being properly protected” escalation creates recurring, non‑actionable noise.
Today, the only portal action available is Remove, which clears the current hit but does not persist. When the next health check runs and Defender real‑time protection is still disabled by design, the escalation reopens.
Request:
Add a persistent, per‑host suppression / “expected configuration” option for this escalation.
Desired behavior:
Scoped to individual hosts
Scoped to this escalation only
Requires an admin note for auditability
Does not affect other escalations or detections
Value:
This keeps the escalation effective for workstations and genuinely misconfigured systems, while eliminating repeated noise for servers with intentional third‑party AV configurations. It improves signal‑to‑noise and aligns with real‑world data center security models without reducing protection.