Saturday 3 October 2020

Defender Tampering protection policy MEM CM Tenant Attach Preview

Introduction

Currently in Preview, the Tamper Protection profile for Tenant Attached devices is another convenient and powerful weapon available to the IT administrator.  The job of protecting your users' devices from malicious attack and nefarious manipulations and controls - it's a difficult job indeed but made a little easier with this new feature.

Tamper protection will not stop a user with administrator privileges from changing settings in Windows security, but it will stop an app from changing settings.  And it does prevent changing related registry settings.  Tamper protection can be manually turned on or off in Windows Settings\Update & Security\Windows Security. Clicking on "Open Windows Security" and then selecting Virus & threat protection exposes the Virus & threat protection settings heading.  From here you can click on Manage settings and switch Tamper protection on or off.


This is convenient however we cannot expect users to do this themselves - on the contrary the IT administrator needs a way of taking over this feature so that the slide switch is off limits to users, even if they are local administrators.  And so if you have Tenant Attached configured in your environment, and if you utilise Windows Defender Antivirus as your security tool, then please read on and discover how I did enable and test this important preview feature in Intune, enabling full ownership of the tamper protection feature.

How To Enable Tampering Protection Control.

Firstly you will need to create a collection in SCCM and add your devices to the collection.  I name my collection Defender Tamper Protected Devices


After creating the collection and adding your devices, access the collection's properties and select the Cloud Sync tab.  Select the option to "Make this collection available to assign Endpoint security policies from Microsoft Endpoint Manager admin center".




I then check my CMGatewaySyncUploadWorker.log file and verify my Tenant Attach synchronisation has succeeded.


I then sign into my Microsoft Endpoint Manager admin center portal and navigate to Home\Endpoint Security\Antivirus


Nearly there, I click on Create Policy and select Windows 10 and Windows Server (ConfigMgr) as the Platform and Windows Security experience (preview) as the Profile.


Clicking on Create presents the Create profile page.  I call my profile Defender Tamper Policy and click on Next. 



In the Configuration settings page I select Enabled next to the Enable tamper protection to prevent Microsoft Defender being disabled.


Clicking on Next and then clicking on Select collections to include, I do ensure that the Defender Tamper Protected Devices collection is selected.

Click on Next and then Create to deploy the policy.

Finally, in order to test on a client - ensure the client, that belongs to the targeted collection, has all current policies.  We can do this within the Microsoft Endpoint Manager Admin Center console by navigating to Home\Devices\All Devices.  Click on the device and select Sync machine policy.




Now if we open Settings on the client and search for Windows Security, select Windows Security and select Virus & threat protection and then select Manage Settings under Virus & threat protection settings - the Tamper Protection setting has been removed completely.  It should be under Automatic sample submission but it has disappeared. In this capture you can see a device, that is on the left, not in our collection and with the Tamper Protection slide visible.  On the right you can see a device that is in our collection and thus has the Tamper Protection slide removed.


And a bit of an update: now you might get the above result, or alternatively you may see the Tamper Protection visible, but greyed out.  Remember this is a preview feature and so the coding will change.  Two days later I retested on another device, and this time it was greyed out.



I hope you enjoyed reading this article








No comments:

Post a Comment