cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to Prevent Admin Users to add exclusions via Registry? + Simple Posh to disable Real-time?

rockypabillore
Brass Contributor

‎Oct 22 2019 06:30 AM

‎Oct 22 2019 06:30 AM

How to Prevent Admin Users to add exclusions via Registry? + Simple Posh to disable Real-time?

So I know this is pretty much a quick "REMOVE ADMIN ACCESS!" answer, but in this case it is not. We'd like to know how to prevent users to exclude extensions, paths, or even processes via Registry.

 

We set our policies via GPO so anyone with user admin or in this case the primary user can just add the simple exclusion so defender excludes it.

 

Also, I'd like to know how everyone else prevents users to disable real-time scanning. We will be getting our Intune up and running but we have to have co-management enabled. This will be at the end of the year. Does Exploit Guard help with this?

3,404 Views
0 Likes
2 Replies
Reply
2 Replies
Thijs Lecomte

‎Oct 23 2019 12:09 AM

‎Oct 23 2019 12:09 AM

Re: How to Prevent Admin Users to add exclusions via Registry? + Simple Posh to disable Real-time?

To not allow the user to disable real-time scanning, Tamper Protection can be used. But this is currently only supported by Intune (https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defende...)

For exclusions, I don't think there is much you can do. You could use MDATP to alert you when one of those registry paths have been changed.

PS: Have you looked at CyberArk (https://www.cyberark.com/), this allows you to give the user local admin rights for a few use cases (For example allow them to update Java), but don't give them full blown rights
0 Likes
Reply
rockypabillore

‎Oct 31 2019 09:19 AM

‎Oct 31 2019 09:19 AM

Re: How to Prevent Admin Users to add exclusions via Registry? + Simple Posh to disable Real-time?

I knew this coming in, but right now it is only available for 1903 and up. :(

we're mostly 1809.
1 Like
Reply