I am trying to make my own EPO policy for VSE to control High-Risk Processes during On-Access scanning. We are possibly seeing in issue while installing Windows Updates with On-Access scanning slowing down the machines. If we disable On-Access via the systems VSE console the updates install fast. While looking through the default High-Risk Processes in the My Default policy I noticed "wuauclt.exe" being flagged as high-risk. I made a new policy removed this one item, set up a test box, applied the new policy to this one test machine and don't see the change in the VSE settings.
The issue was that I did not change the "On-Access Default Processes" policy to "Configure different scanning policies for high-risk, low-risk, and default processes". Without changing this setting any change I made to high-risk and low-risk policies were ignored because the On-Access Default Processes policy wasn't allowing the high and low risk policies to be changed.