How to Prevent Admin Users to add exclusions via Registry? + Simple Posh to disable Real-time?

So I know this is pretty much a quick "REMOVE ADMIN ACCESS!" answer, but in this case it is not. We'd like to know how to prevent users from excluding extensions, paths, or even processes via the Registry.

We set our policies via GPO, so anyone with local admin rights, or in this case the primary user, can just add a simple exclusion so Defender excludes it.

Also, I'd like to know how everyone else prevents users from disabling real-time scanning. We will be getting our Intune up and running, but we have to have co-management enabled. This will be at the end of the year. Does Exploit Guard help with this?

2 Replies
To prevent the user from disabling real-time scanning, Tamper Protection can be used. But this is currently only supported by Intune (https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571).

For exclusions, I don't think there is much you can do. You could use MDATP to alert you when one of those registry paths has been changed.

PS: Have you looked at CyberArk (https://www.cyberark.com/)? It allows you to give the user local admin rights for a few use cases (for example, allowing them to update Java) without giving them full-blown rights.
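Added example (not code from this thread or from Microsoft): a PowerShell audit that does the detection side of what the reply above describes. It lists the exclusions Defender actually has in effect, flags any that are not in an approved baseline, flags any written under the local (non-policy) registry tree rather than the GPO tree, and reports the real-time and tamper-protection state. The baseline lists are constructed for illustration; the two registry roots are the standard Defender exclusion keys; IsTamperProtected is only reported on builds that ship Tamper Protection and will be empty on older releases.

```powershell
# Added example: audit Defender exclusions and real-time protection on one host
# and report drift from an approved baseline. Requires the Defender module
# (Get-MpPreference / Get-MpComputerStatus). Run in an elevated session.

# Constructed baseline: the exclusions your GPO is supposed to deploy.
$ApprovedPaths      = @('C:\Program Files\ExampleApp\')
$ApprovedExtensions = @('.exm')
$ApprovedProcesses  = @('exampleapp.exe')

# Where exclusions live in the registry. The Policies tree is what GPO writes;
# the Microsoft\Windows Defender tree is what a local admin (or Add-MpPreference)
# writes. Anything in the local tree was not delivered by your policy.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
$LocalRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'

function Get-RegistryExclusions {
    param([string]$Root)
    $result = @{}
    foreach ($kind in 'Paths', 'Extensions', 'Processes') {
        $key = Join-Path $Root $kind
        $names = @()
        if (Test-Path $key) {
            # Each exclusion is stored as a value NAME (data is DWORD 0),
            # so read the value names, not the data.
            $names = @((Get-Item $key).GetValueNames())
        }
        $result[$kind] = $names
    }
    return $result
}

function Compare-Exclusions {
    param([string[]]$Effective, [string[]]$Approved, [string]$Kind)
    # foreach over $null iterates zero times, so an empty exclusion list is safe.
    # -notcontains is case-insensitive, matching how Defender compares names.
    foreach ($e in $Effective) {
        if ($Approved -notcontains $e) {
            [pscustomobject]@{ Kind = $Kind; Exclusion = $e; Status = 'NOT IN BASELINE' }
        }
    }
}

function Get-DefenderDrift {
    # Effective exclusions as Defender itself reports them (policy + local merged).
    $pref = Get-MpPreference
    $findings = @()
    $findings += Compare-Exclusions $pref.ExclusionPath      $ApprovedPaths      'Path'
    $findings += Compare-Exclusions $pref.ExclusionExtension $ApprovedExtensions 'Extension'
    $findings += Compare-Exclusions $pref.ExclusionProcess   $ApprovedProcesses  'Process'

    # Anything under the non-policy tree was added on the box, not by GPO.
    $local = Get-RegistryExclusions -Root $LocalRoot
    foreach ($kind in $local.Keys) {
        foreach ($name in $local[$kind]) {
            $findings += [pscustomobject]@{ Kind = $kind; Exclusion = $name; Status = 'ADDED LOCALLY' }
        }
    }

    # DisableRealtimeMonitoring is the preference the "simple Posh" one-liner
    # flips; RealTimeProtectionEnabled is what the engine is doing right now.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Findings                  = $findings
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        IsTamperProtected         = $status.IsTamperProtected   # $null on pre-1903 builds
        PolicyExclusions          = Get-RegistryExclusions -Root $PolicyRoot
    }
}

$report = Get-DefenderDrift
$report.Findings | Format-Table -AutoSize
$report | Select-Object RealTimeProtectionEnabled, DisableRealtimeMonitoring, IsTamperProtected | Format-List
```

Scheduling this as a task or running it through your RMM gives you a per-host list of exclusions that nobody approved, which is the thing you actually want to act on; without Tamper Protection it cannot stop a local admin from adding them, only surface the change quickly.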
I knew this coming in, but right now it is only available for 1903 and up. :(

We're mostly on 1809.