Introducing tamper protection for exclusions

Tamper protection is a feature of Microsoft for Endpoint that prevents antivirus tampering and misconfiguration by malicious apps and actors. Microsoft Intune and Microsoft for Endpoint integrate to allow enterprises to selectively enable and disable tamper protection in their environment.

We received customer feedback to expand protections. One of the most requested features for tamper protection is protection of antivirus exclusions. With that in mind, the Microsoft team has implemented new functionality that allows (path, process, and extension) to be protected when deployed with Intune.

Microsoft has enabled functionality that protects path, process, and extension exclusions deployed through Intune. When tamper protection is combined with the DisableLocalAdminMerge setting exclusions and DisableLocalAdminMerge will be protected by tamper protection. This means that any exclusions configured by other processes will be explicitly ignored and only intended exclusions are applicable on the device.

If you manage exclusions exclusively through Intune with both tamper protection and DisableLocalAdminMerge enabled, Intune will continue to deliver your exclusions, and those exclusions together with DisableLocalAdminMerge will be protected by tamper protection. If you're managing exclusions outside of Intune this feature won't affect your environment. Exclusions will continue to work as they did before.

How do I tell if a client has the new functionality enabled?

During the rollout, there might be devices in your environment that have this new functionality enabled, and others that don't. During , you can use the registry to determine if a device has exclusions being protected by tamper protection. Under the registry key HKLMSOFTWAREMicrosoftWindows DefenderFeatures, find the value TPExclusions. A value of 1 signifies exclusions are being protected. A value of 0 or the absence of the value indicates it's not yet enabled. Changing this key has no effect on the protection being enabled. It should be used as an indicator only.

Do my clients need any updates?

This functionality will be deployed via the Defender Platform update beginning with version 4.18.2111.*. Make sure your devices are on this platform version or later to take advantage of the new functionality. Once devices are on the platform, we will be slowly enabling the feature as we monitor the impact (which we expect to be low) on devices during the rollout.

Does Group Policy still override settings coming from Intune?

With this new functionality, it ensures that ONLY settings coming from Intune and its related processes are effective on the device.

We will continue to update this post as new information becomes available. If you have questions or comments for the Defender team, reply to this post.  Thanks to Matt Call and the Intune team for all of their partnership in building this important security capability.

Learn more about tamper protection


This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.