Forum Discussion
nwagenaar
Jan 18, 2023 · Copper Contributor
Option to block adding exclusions by (local) administrator on (managed) endpoint
Lately we've seen on blogposts that hackers add exclusions to a compromised system to circumvent Endpoint protection and to further penetrate networks and-or other systems. With Microsoft Defende...
Joe Stocker
Mar 30, 2024 · Bronze Contributor
In the Microsoft Intune admin center, select Endpoint security > Antivirus. Choose Create Policy, or modify an existing Microsoft Defender Antivirus policy. Under the Configuration settings, select the drop-down next to Disable Local Admin Merge and select Disable Local Admin Merge.
Or, using GPO, in the Group Policy Management Editor go to Computer configuration and select Administrative templates. Expand the tree to Windows components > Microsoft Defender Antivirus. Double-click Configure local administrator merge behavior for lists and set the option to Disabled.
Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus?view=o365-worldwide
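As an added example (not code from this thread or from Microsoft), the following PowerShell audit checks whether the setting described in the answer has actually landed on an endpoint and surfaces what a local admin may have added. It assumes the policy is written to the `HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender` registry key as the `DisableLocalAdminMerge` DWORD, and that event ID 5007 in the Defender operational log records configuration changes such as exclusion additions.

```powershell
# Audit DisableLocalAdminMerge and locally visible Defender exclusions.
# Run as administrator. Assumed registry location of the GPO/Intune-managed value:
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$merge = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DisableLocalAdminMerge

if ($merge -eq 1) {
    Write-Output 'DisableLocalAdminMerge = 1: exclusions added by a local admin are not merged; only the managed lists apply.'
} else {
    # Weak state: a local admin can add exclusions that take effect immediately.
    Write-Warning "DisableLocalAdminMerge is '$merge' (expected 1): local admin exclusions would be honoured."
}

# Exclusion lists as Defender currently reports them; review anything not in your managed baseline.
$pref = Get-MpPreference
[PSCustomObject]@{
    ExclusionPath      = (@($pref.ExclusionPath)      -join '; ')
    ExclusionProcess   = (@($pref.ExclusionProcess)   -join '; ')
    ExclusionExtension = (@($pref.ExclusionExtension) -join '; ')
} | Format-List

# Configuration-change events (ID 5007) from the last 7 days that mention exclusions.
# These are the events a SOC would forward and alert on, independent of the merge setting.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' }

if ($events) {
    $events | Select-Object TimeCreated, Message | Format-Table -Wrap
} else {
    Write-Output 'No exclusion-related 5007 events in the last 7 days.'
}
```

The merge setting only stops local additions from taking effect; the 5007 query is what tells you someone tried, so forward that log regardless of the policy state.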