Option to block adding exclusions by (local) administrator on (managed) endpoint

Lately we've seen in blog posts that hackers add exclusions to a compromised system to circumvent endpoint protection and to further penetrate networks and/or other systems.

With Microsoft Defender, a local administrator can add exclusions without any issues on a managed endpoint. Even the registry option "HideExclusionsFromLocalAdmins" isn't an option, considering exclusions can still be added using the Add-MpPreference command in PowerShell. Nor is an alert raised in the Security Dashboard when a local administrator adds an exclusion.

The only workaround is to use Advanced Hunting (which is only part of P2) - with an hourly schedule to raise alerts - or to use external monitoring and alerting based on event ID 5007 from the source Windows Defender.

Most managed endpoint protection solutions from other vendors have an option to block this using policies. Microsoft Defender for Endpoint/Business/Cloud doesn't have a setting to block this, even though it is considered a standard option in most managed protection solutions from other vendors. We request that this feature be added and be configurable using Intune, GPO, etc.

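The post above mentions alerting on event ID 5007. The script below is an added example, not part of the original post or of any Microsoft tooling: it parses the "New value:" line of a 5007 message and flags only changes under the Defender Exclusions registry subtree, so a SIEM rule or scheduled task can raise an alert when a local administrator adds an exclusion while ignoring the many unrelated 5007 configuration changes. The sample messages are constructed and modeled on the 5007 text format; the regular expression and the registry layout it expects are assumptions that should be checked against a real event on your own build before use. The live query at the end needs the Defender operational log to be readable.

```powershell
# Added example: flag Defender event ID 5007 entries that record an exclusion being
# added. Runs offline against the constructed sample messages below; the
# Get-RecentExclusionAdditions function is the live equivalent.

function Get-ExclusionChange {
    param([Parameter(Mandatory)][string]$Message)

    # A 5007 message carries "Old value:" / "New value:" lines naming the registry
    # value that changed. An addition has an empty Old value and a populated New
    # value, so matching New value alone isolates additions. Both the local hive
    # and the Policies hive are matched; the Source field tells them apart.
    # Pattern is an assumption about the message text - verify against a real event.
    $pattern = 'New value:\s+(?<key>HKLM\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender\\Exclusions\\(?<type>Paths|Extensions|Processes|IpAddresses)\\(?<value>.+?))\s*=\s*(?<data>0x[0-9A-Fa-f]+)'
    $m = [regex]::Match($Message, $pattern)
    if (-not $m.Success) { return $null }

    [pscustomobject]@{
        Source    = if ($m.Groups['key'].Value -like '*\Policies\*') { 'Policy' } else { 'Local' }
        Type      = $m.Groups['type'].Value
        Exclusion = $m.Groups['value'].Value
    }
}

function Get-RecentExclusionAdditions {
    param([int]$Hours = 1)
    # Live query: pull the last N hours of 5007 events from the Defender log and
    # keep only the ones that added an exclusion. Requires Windows and read access
    # to the Microsoft-Windows-Windows Defender/Operational log.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hit = Get-ExclusionChange -Message $_.Message
            if ($hit) { $hit | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru }
        }
}

# Constructed sample messages (not captured from a real host), modeled on the 5007 format.
$prefix = "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware."
$sampleMessages = @(
    # A local admin adds a path exclusion - should be flagged as Source=Local.
    "$prefix`r`n`tOld value: `r`n`tNew value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Tools = 0x0",
    # A policy-delivered process exclusion - flagged, but Source=Policy so it can be triaged differently.
    "$prefix`r`n`tOld value: `r`n`tNew value: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes\backup.exe = 0x0",
    # An exclusion being removed - New value is empty, so it is not reported as an addition.
    "$prefix`r`n`tOld value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Tools = 0x0`r`n`tNew value: ",
    # An unrelated 5007 change (real-time monitoring toggled) - must not be flagged.
    "$prefix`r`n`tOld value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0`r`n`tNew value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1"
)

$flagged = foreach ($msg in $sampleMessages) { Get-ExclusionChange -Message $msg }
$flagged | Format-Table -AutoSize
# Expected: two rows (Local/Paths/C:\Tools and Policy/Processes/backup.exe).

# On a live endpoint, uncomment to check the last hour:
# Get-RecentExclusionAdditions -Hours 1 | Format-Table -AutoSize
```

Run on a schedule (or feed the 5007 events to your SIEM and apply the same pattern there), anything with Source=Local is the case the post describes: an exclusion that did not come from policy. Removals are deliberately not reported; if you also want to catch an attacker clearing exclusions after use, match the "Old value:" line with the same pattern.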
2 Replies
Local "Administrator", emphasis on the word "Administrator".

There shouldn't be a local administrator on managed endpoints. They must be managed via EntraID and no local Admin account should be present.

Administrators have the power to control the security of a device and can disable security features at their discretion.

Please see this article for more info
Microsoft Security Servicing Criteria for Windows
https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
In the Microsoft Intune admin center, select Endpoint security > Antivirus. Choose Create Policy, or modify an existing Microsoft Defender Antivirus policy. Under Configuration settings, select the drop-down next to Disable Local Admin Merge and select Disable Local Admin Merge.

Or, using GPO: in the Group Policy Management Editor, go to Computer Configuration and select Administrative Templates. Expand the tree to Windows components > Microsoft Defender Antivirus. Double-click Configure local administrator merge behavior for lists and set the option to Disabled.
Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-local-policy-ov...
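The reply above describes applying the setting through Intune or GPO. The script below is an added example, not part of the reply or of Microsoft's documentation: it lets you verify on an endpoint whether local admin merge is disabled and shows which exclusions come from policy versus from local preference, which is what you would check after rolling the policy out. The registry locations are the documented ones for this policy (DisableLocalAdminMerge under the Windows Defender Policies key) and for exclusion lists; the Set-LocalAdminMergeDisabled function writes the same value the GPO writes and is meant for lab verification only, since on a managed device Intune or GPO should own that key. Reading the local Exclusions key may be denied when HideExclusionsFromLocalAdmins or tamper protection is in effect, so the enumeration tolerates access errors.

```powershell
# Added example: audit the Defender local-admin-merge setting and the two
# exclusion sources on an endpoint. Requires Windows with Defender; run elevated.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$LocalRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'

function Get-LocalAdminMergeState {
    # DisableLocalAdminMerge = 1 is what "Configure local administrator merge
    # behavior for lists = Disabled" (GPO) or "Disable Local Admin Merge" (Intune) writes.
    $v = (Get-ItemProperty -Path $PolicyRoot -Name DisableLocalAdminMerge -ErrorAction SilentlyContinue).DisableLocalAdminMerge
    switch ($v) {
        1       { 'Disabled (1): local lists are not merged; only policy-defined lists apply' }
        0       { 'Enabled (0): local admin lists are merged with policy lists' }
        default { 'Not configured: default behaviour, local admin lists are merged' }
    }
}

function Get-DefenderExclusions {
    # Enumerate both hives so a locally added exclusion stands out next to the
    # managed list. Each exclusion is stored as a value name under the type key.
    $sources = @{ Policy = $PolicyRoot; Local = $LocalRoot }
    foreach ($src in $sources.GetEnumerator()) {
        foreach ($type in 'Paths', 'Extensions', 'Processes') {
            $key = Join-Path $src.Value "Exclusions\$type"
            $item = Get-Item -Path $key -ErrorAction SilentlyContinue   # missing or access denied -> skip
            if (-not $item) { continue }
            foreach ($name in $item.Property) {
                [pscustomobject]@{ Source = $src.Key; Type = $type; Exclusion = $name }
            }
        }
    }
}

function Set-LocalAdminMergeDisabled {
    # Lab only: equivalent of the GPO setting described in the reply. On a managed
    # endpoint, deliver this via Intune/GPO rather than writing the key directly.
    New-Item -Path $PolicyRoot -Force | Out-Null
    Set-ItemProperty -Path $PolicyRoot -Name DisableLocalAdminMerge -Value 1 -Type DWord
}

"Local admin merge: $(Get-LocalAdminMergeState)"
Get-DefenderExclusions | Sort-Object Source, Type | Format-Table -AutoSize

# To apply in a lab and re-check:
# Set-LocalAdminMergeDisabled
# Get-LocalAdminMergeState
```

A practical way to confirm the setting does what you expect is to run the audit before and after a deliberate Add-MpPreference -ExclusionPath on a lab machine, then compare the Local rows against the effective configuration reported by Get-MpPreference. Note that the setting stops local lists from being merged into the effective configuration; it is not an alert, so the 5007 monitoring the original post describes is still the way to see that a local administrator attempted the change.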