Microsoft Defender for Endpoint Blog

Introducing tamper protection for exclusions

JoshBregman
Jan 12, 2023

Update: Tamper protection for exclusions is generally available as of April 24.

Tamper protection is a feature of Microsoft Defender for Endpoint that prevents antivirus tampering and misconfiguration by malicious apps and actors. Microsoft Intune and Microsoft Defender for Endpoint integrate to allow enterprises to selectively enable and disable tamper protection in their environment.  

We received customer feedback asking us to expand these protections. One of the most requested features for tamper protection is protection of antivirus exclusions. With that in mind, the Microsoft Defender team has implemented new functionality that allows exclusions (path, process, and extension) to be protected when they are deployed with Intune.

Microsoft has enabled functionality that protects path, process, and extension exclusions deployed through Intune. When tamper protection is combined with the DisableLocalAdminMerge setting, both the exclusions and the DisableLocalAdminMerge setting itself are protected by tamper protection. This means that any exclusions configured by other processes are explicitly ignored, and only the intended exclusions apply on the device.

If you manage exclusions exclusively through Intune with both tamper protection and DisableLocalAdminMerge enabled, Intune will continue to deliver your exclusions, and those exclusions together with DisableLocalAdminMerge will be protected by tamper protection. If you are managing exclusions outside of Intune, this setting will affect your environment: those exclusions will not work as they did before.

How do I tell if a client has the new functionality enabled?

During the rollout, there might be devices in your environment that have this new functionality enabled, and others that don't. During troubleshooting, you can use the registry to determine whether a device's exclusions are being protected by tamper protection. Under the registry key HKLM\SOFTWARE\Microsoft\Windows Defender\Features, find the value TPExclusions. A value of 1 signifies that exclusions are being protected. A value of 0, or the absence of the value, indicates it's not yet enabled. Changing this value has no effect on whether the protection is enabled; treat it as an indicator only.

Do my clients need any updates?

This functionality will be deployed via the Defender Platform update beginning with version 4.18.2111.*. Make sure your devices are on this platform version or later to take advantage of the new functionality. Once devices are on the platform, we will enable the feature gradually while monitoring its impact (which we expect to be low) on devices during the rollout.
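As an added example that is not part of the original post, the PowerShell function below pulls together the three checks the post describes for a single device: the TPExclusions indicator value, the Defender platform version floor of 4.18.2111, and whether tamper protection is on. The registry location of DisableLocalAdminMerge under the Policies hive is an assumption on my part; everything else comes from the post or from the standard Get-MpComputerStatus properties.

```powershell
# Added example (not Microsoft's code): report whether this device's Defender
# exclusions are covered by tamper protection. Run in an elevated session.
function Get-TpExclusionStatus {
    $featuresKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    # Assumed location of the "local administrator merge" policy value.
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

    # TPExclusions: 1 = exclusions protected; 0 or missing = not yet enabled.
    # Read-only indicator per the post; writing to it changes nothing.
    $tpExclusions = (Get-ItemProperty -Path $featuresKey -Name 'TPExclusions' `
        -ErrorAction SilentlyContinue).TPExclusions
    if ($null -eq $tpExclusions) { $tpExclusions = 0 }

    # DisableLocalAdminMerge = 1 means locally added exclusions are ignored.
    $localMerge = (Get-ItemProperty -Path $policyKey -Name 'DisableLocalAdminMerge' `
        -ErrorAction SilentlyContinue).DisableLocalAdminMerge

    $status = Get-MpComputerStatus
    # AMProductVersion is the Defender platform version the post refers to.
    $platform = [version]$status.AMProductVersion
    $minimum  = [version]'4.18.2111.0'

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        PlatformVersion        = $platform
        PlatformMeetsMinimum   = ($platform -ge $minimum)
        TamperProtectionOn     = [bool]$status.IsTamperProtected
        TPExclusions           = $tpExclusions
        ExclusionsProtected    = ($tpExclusions -eq 1)
        DisableLocalAdminMerge = $localMerge
        LocallyAddedIgnored    = ($localMerge -eq 1)
    }
}

# Example run; a device is fully covered only when all three booleans are True.
Get-TpExclusionStatus | Format-List
```

Run it across a fleet with Invoke-Command to spot devices that are still on an older platform or have TPExclusions=0 during the staged rollout.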

Does Group Policy still override settings coming from Intune?

This new functionality ensures that ONLY settings coming from Intune and its related processes are effective on the device.

We will continue to update this post as new information becomes available. If you have questions or comments for the Defender team, reply to this post. Thanks to Matt Call and the Intune team for all of their partnership in building this important security capability.

Learn more about tamper protection

Updated May 09, 2024
Version 5.0
  • AJP_UK
    Brass Contributor

    Thanks for the reply 🙂

    We have laptops with:

    ManagedDefenderProductType=7

    EnrollmentStatus=3

    TPExclusions=0

    And servers with:

    ManagedDefenderProductType=7

    EnrollmentStatus=43

    TPExclusions=0

    7 = Device is Co-managed by both SCCM and Intune

    3 = Don't know what this means?

    43 = managed by both SCCM and MDE

    Will try and figure out what's happening with them.

  • If a device is co-managed with the security workload enabled for Intune, the device is Intune managed (for security) and is MDM enrolled so the above should apply.  

  • AJP_UK
    Brass Contributor

    Hi,

    The docs from Microsoft say Intune only or SCCM only. This would seem to indicate that devices which are co-managed would not be covered by this new feature, is that right? For example, a co-managed device with its security workload flipped over to Intune and managed with Intune Endpoint Security profiles for Defender would not be applicable for this?

    Thanks.

  • keith-mad
    Copper Contributor

    You may want to fix the policy setting name. 'Disable Local Admin Merge' followed by the two configurable settings being 'Enable Local Admin Merge' and 'Disable Local Admin Merge'.

    What is what here?

  • AlanSchmarrM365
    Copper Contributor

    Hi Josh,

    Thank you for sharing, I would like to explore options for server management and recommended future state.

    1. To confirm, this feature will only work for Intune-managed exclusions?
    2. Using the current state for managing servers via Intune, e.g. unable to manage domain controllers, only able to manage Windows servers. Would there be future support for domain controllers and other server types?
    3. Will this also support ASR exclusions?
    4. ASR rules management is currently not supported for servers via Intune, will this be supported in the future?
      1. If we use the current state of managing servers via Intune, what is the preferred method for managing ASR rules for servers?

  • VNJoe
    Iron Contributor

    It's high impact. Making problems for people WITHOUT Intune.