Forum Discussion
ryanm7687
Mar 11, 2022 · Copper Contributor
Enabling Tamper Protection with Tenant Attach
I am trying to determine how, if possible, to enable Tamper Protection but the various combinations of current portals, features, and their preview/production status are making it difficult to follow. ...
- Mar 24, 2022 I don't think it means that policies are not applying. Have you tried simulating any attacks to test for the policies? Do you see any events being reported in Eventvwr or Advanced hunting for the same?
rahuljindal-MVP
Mar 29, 2022 · Bronze Contributor
If I understand this correctly then I think the problem here is that you have multiple policy providers. Why not deploy all Defender policies using ConfigMgr and tamper protection using tenant attach?
ryanm7687
Mar 30, 2022 · Copper Contributor
My only concern with that has been the 5013 events "Tamper Protection Ignored a change to Microsoft Defender Antivirus", and this still occurs even when only ConfigMgr policies are applied.
After going through each of the events I do not see any cases where we're trying to actually change a setting that Tamper Protection protects. The event must be happening because ConfigMgr is trying to write those registry values, even though they would match what is already there.
My initial concern about not being able to apply ConfigMgr antimalware policies looks to be answered. It can apply them, just that it will also attempt to apply configurations that Tamper Protection will prevent and log the 5013 events even if you are just duplicating the secure defaults Tamper Protection is trying to protect. And there appears to way to have ConfigMgr antimalware policies apply without generating the event so it becomes known, but expected behavior instead of something that could more reliably be alerted on.
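The event-by-event review described in the last post can be condensed into a per-device summary. This is an added example, not code from the thread: it reads event 5013 from the local Defender operational log and groups the entries by their message text, so repeated identical writes collapse into one row each. The 7-day look-back window is an assumption.

```powershell
# Added example (not from the thread): summarise Defender event 5013
# ("Tamper Protection Ignored a change to Microsoft Defender Antivirus")
# by distinct message text, so repeated identical writes show up as one row.

$logName = 'Microsoft-Windows-Windows Defender/Operational'
$since   = (Get-Date).AddDays(-7)   # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 5013
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No 5013 events since $since"
    return
}

# Flatten each multi-line message to a single line so it can be used as a grouping key.
$rows = foreach ($e in $events) {
    $detail = ($e.Message -split "`r?`n" |
               ForEach-Object { $_.Trim() } |
               Where-Object   { $_ }) -join ' | '
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Detail      = $detail
    }
}

# One row per distinct ignored change: how often it occurred, and the first and last time seen.
$rows |
    Group-Object -Property Detail |
    Sort-Object  -Property Count -Descending |
    ForEach-Object {
        $times = @($_.Group.TimeCreated | Sort-Object)
        [pscustomobject]@{
            Count     = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
            Detail    = $_.Name
        }
    } |
    Format-List
```

Comparing the resulting rows against the settings your ConfigMgr antimalware policy writes makes it easier to tell the repeated policy writes apart from a row you do not recognise.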