Forum Discussion

ryanm7687
Copper Contributor
Mar 11, 2022

Enabling Tamper Protection with Tenant Attach

I am trying to determine how, if possible, to enable Tamper Protection, but the various combinations of current portals, features, and their preview/production status are making it difficult to follow. Most of my confusion is from how Tamper Protection will affect my current method of deploying policies and where those policies need to come from to work with Tamper Protection.

My devices are domain joined, managed by Configuration Manager 2111, and are being uploaded into Endpoint Manager through Tenant Attach. Tenant Attach was recently enabled for Endpoint Analytics but it is not configured with any co-management.

CM is onboarding devices to Defender for Endpoint using "Microsoft Defender for Endpoint Policies", except for where we are manually using the preview installer (not the MMA method) on down-level Windows Server 2012 R2 and 2016 devices.

I am not using the "Enable security setting management" preview feature in the Microsoft 365 Defender portal under Settings, Endpoints, Enforcement Scope, since that states it is for devices not yet enrolled in MEM.

CM antimalware policies are used to target various device collections and define scan schedules, exclusions, and all other available settings. Group policy is used to configure Attack Surface Reduction rules and exclusions.

1. My understanding is that I will need to change the policies currently being applied through CM antimalware policy and group policy ASR rules into a cloud source so that Tamper Protection does not cause them to be ignored - is that correct?

2. Assuming the answer to #1 is "yes", where/how is the best place to redefine these policies in this situation? Do I enable my CM device collections available for assigning policies through the MEM admin center (CM device collection properties, Cloud Sync tab) and then recreate my CM antimalware policies in the MEM portal to achieve the same result, except I could then enable Tamper Protection?

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006

  • I don't think it means that policies are not applying. Have you tried simulating any attacks to test for the policies? Do you see any events being reported in Eventvwr or Advanced hunting for the same?
    rahuljindal-MVP
    Bronze Contributor
    You should be able to assign Tamper Protection directly against a collection enabled for cloud sync through tenant attach. Just use the relevant profile that you should be able to find under Endpoint security, AV. You can continue using the rest of the Defender policies through ConfigMgr.
      ryanm7687
      Copper Contributor
      Thanks, I can confirm that I've been able to deploy Tamper Protection and policies in this way. Also, I've been able to enable Tamper Protection through the Microsoft 365 Defender portal. But either way, won't Tamper Protection being turned on cause my CM antimalware policies to be ignored because of how CM applies those policies?
        rahuljindal-MVP
        Bronze Contributor
        The rest of the Defender policies should continue to apply from ConfigMgr. Are you seeing otherwise?
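A client-side check for the setup rahuljindal-MVP describes above (Tamper Protection assigned through the cloud-synced collection, the remaining AV settings still coming from ConfigMgr), added here as an example and not taken from the thread or from Microsoft; it assumes the cmdlet properties, registry values and event ID noted in the comments.

```powershell
# Added verification script; not posted in the thread.
# Assumptions: Get-MpComputerStatus exposes IsTamperProtected and, on current
# platform builds, TamperProtectionSource; the Features registry value
# TamperProtection is written by the platform (5 = on, 4 = off); event 5013 in
# the Defender operational log records a change that Tamper Protection blocked.

function Get-TamperProtectionState {
    $status   = Get-MpComputerStatus
    $features = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IsTamperProtected      = $status.IsTamperProtected
        TamperProtectionSource = $status.TamperProtectionSource   # which channel (portal vs. MEM profile) set it
        RegistryTamperValue    = $features.TamperProtection       # assumed mapping: 5 = on, 4 = off
    }
}

# Settings that the CM antimalware policies in this thread manage (schedule,
# exclusions, ASR). If they still match the CM policy while TP is on, the
# policies are not being ignored.
function Get-CmManagedAvSettings {
    $pref = Get-MpPreference
    [pscustomobject]@{
        ScanScheduleDay       = $pref.ScanScheduleDay
        ScanScheduleTime      = $pref.ScanScheduleTime
        ExclusionPathCount    = @($pref.ExclusionPath).Count
        ExclusionProcessCount = @($pref.ExclusionProcess).Count
        AsrRuleCount          = @($pref.AttackSurfaceReductionRules_Ids).Count
    }
}

# Tamper Protection logs each change it blocks as event 5013. A run of these
# right after a CM policy cycle is the signal that a CM-delivered setting is
# being rejected rather than applied.
function Get-TamperBlockedChanges {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5013
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-TamperProtectionState
Get-CmManagedAvSettings
Get-TamperBlockedChanges | Format-Table -AutoSize -Wrap
```

Run it once before the CM policy evaluation cycle and once after; unchanged CM-managed values and no new 5013 events confirm that Tamper Protection is coexisting with the ConfigMgr policies.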
