Hi @Saxe ,
I test it in my environment, and deploy this setting to windows 10 with with admin rights:
Enable real-time protection == yes
Allow users on client computers to configure real-time protection settings == no
It shows this settings is managed by your administrator, which means the policy is deployed to the client, and the aim of no one is able to disable real time protection is achieved.
So according to your description, it seems that the client may not receive the policy from MP.
The process is as follows, Point 1, the client gets the policy from MP, compiles it into this xml file,
0: It means a local user never can modify the settings.
Point 2, Endpoint protection agent writes the settings in this xml file to registry.pol.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.