Forum Discussion
ryanm7687
Mar 11, 2022
Copper Contributor
Enabling Tamper Protection with Tenant Attach
I am trying to determine how, if possible, to enable Tamper Protection, but the various combinations of current portals, features, and their preview/production status are making it difficult to follow. ...
- Mar 24, 2022: I don't think it means that policies are not applying. Have you tried simulating any attacks to test for the policies? Do you see any events being reported in Eventvwr or Advanced hunting for the same?
rahuljindal-MVP
Bronze Contributor
You should be able to assign tamper protection directly against a collection enabled for cloud sync through tenant attach. Just use the relevant profile that you should be able to find under Endpoint security AV. You can continue using the rest of the Defender policies through ConfigMgr.
ryanm7687
Mar 16, 2022
Copper Contributor
Thanks, I can confirm that I've been able to deploy Tamper Protection and policies in this way. Also, I've been able to enable Tamper Protection through the Microsoft 365 Defender portal. But either way, won't Tamper Protection being turned on cause my CM antimalware policies to be ignored because of how CM applies those policies?
- rahuljindal-MVP (Mar 20, 2022, Bronze Contributor): The rest of the Defender policies should continue to apply from ConfigMgr. Are you seeing otherwise?
- ryanm7687 (Mar 24, 2022, Copper Contributor): The policies do apply, as shown in Get-MpPreference and Get-MpComputerStatus. I guess from the way that Tamper Protection is described, in that it ignores registry and group policy changes, my understanding was that ConfigMgr antimalware policies would also be ignored because of how they apply.
So just to confirm, the ConfigMgr antimalware policies should be 100% compatible and configurable when using Tamper Protection? Does it matter whether Tamper Protection is enabled through MEM via Tenant Attach, or instead through the Microsoft 365 Defender portal?
- ryanm7687 (Mar 24, 2022, Copper Contributor): I've found Windows Defender event ID 5013, which gets logged every time Tamper Protection blocks a change from taking place. With that getting shipped into my central logging I can see that ConfigMgr antimalware policies are causing this to trigger with every group policy refresh, with messages such as:
Tamper Protection Ignored a change to Microsoft Defender Antivirus.
Value: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection\DisableOnAccessProtection = 0x0()
I'm now switching the test back to get its antimalware policies from MEM, to see if that changes the number or frequency of 5013 events. But this seems to indicate that ConfigMgr antimalware policies, or at least some of them, are not compatible with the use of Tamper Protection.
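
An added example, not part of the thread and not Microsoft's code: one way to turn centrally collected 5013 messages into a per-setting summary, showing which policy values Tamper Protection keeps ignoring, on which hosts, and how often. It assumes the log pipeline yields (timestamp, host, message) tuples; the host names, timestamps and the `DisableBehaviorMonitoring` line are constructed sample data, and only the message format is taken from the post above.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# "Value:" line of a 5013 message, in the format quoted in the thread.
VALUE_RE = re.compile(
    r"Value:\s*(?P<path>HK[A-Z_]+\\.+?)\s*=\s*(?P<data>0x[0-9A-Fa-f]+)")

def parse_5013(message):
    """Return (key, value_name, data) or None if there is no Value line."""
    m = VALUE_RE.search(message)
    if m is None:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return key, name, int(m.group("data"), 16)

def summarize(events):
    """events: iterable of (iso_timestamp, host, message) tuples (assumed shape)."""
    seen = defaultdict(lambda: defaultdict(list))  # name -> host -> timestamps
    data = defaultdict(set)                        # name -> attempted values
    for ts, host, message in events:
        parsed = parse_5013(message)
        if parsed is None:
            continue  # not a blocked-change message
        _, name, value = parsed
        seen[name][host].append(datetime.fromisoformat(ts))
        data[name].add(value)
    report = {}
    for name, hosts in seen.items():
        gaps = []  # minutes between consecutive blocks on the same host
        for stamps in hosts.values():
            stamps.sort()
            gaps += [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        report[name] = {"count": sum(len(s) for s in hosts.values()),
                        "hosts": sorted(hosts), "data": sorted(data[name]),
                        "median_gap_min": median(gaps) if gaps else None}
    return report

# Constructed sample events; hosts, times and the second setting are made up.
PREFIX = "Tamper Protection Ignored a change to Microsoft Defender Antivirus.\nValue: "
RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection" + "\\"
SAMPLE = [
    ("2022-03-24T09:00:00", "PC-01", PREFIX + RTP + "DisableOnAccessProtection = 0x0()"),
    ("2022-03-24T10:30:00", "PC-01", PREFIX + RTP + "DisableOnAccessProtection = 0x0()"),
    ("2022-03-24T09:05:00", "PC-02", PREFIX + RTP + "DisableBehaviorMonitoring = 0x0()"),
    ("2022-03-24T09:06:00", "PC-02", "Unrelated message without a Value line"),
]
print(summarize(SAMPLE))
```

Running the same summary before and after moving a test device's antimalware policy source makes the change in count and interval directly comparable.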