Fixing Tamper Protection Blob Error 65000 using Microsoft Intune

-



I recently encountered an issue with enabling Tamper protection as part of the implementation of Defender for Endpoint in one of customer's tenant and considering how unusual the behavior was and how I didn't encounter this before, I decide to blog my experience. If you have been battling with the same issue, then this blog may just help you.

There are multiple ways to enable Tamper protection as part of MDE. One can enable at a tenant level using Defender portal or do it using Intune. I normally choose the Intune, especially when dealing with endpoints to maintain uniformity with other Defender policies being managed by Intune. However, in this particular instance, the issue started cropping randomly on some endpoints where tamper protection would not enable and throw an error code 65000, as show below.

Additionally, the status in Defender will report as Unknown instead of reporting Active or something else like EDR in block mode to suggest that Defender Antimalware is running on the device at the very least.


To give a little more background on the scenario, I was onboarding Windows 10 devices to MDE in passive mode until the active running 3rd party security solution was removed. The end objective was that once the 3rd party security solution was removed, Defender will switch to Active mode and MDE components would take over. While this process worked in general, it did leave me with some devices not switching Defender to active mode after 3rd party security solution was removed. Since the issue was so random, it wasn't easy to pinpoint the root cause. On further investigation, I stumbled on the Microsoft's official learn document, which stated that if the Defender AV is not enabled and the service not running, then it can interfere with the MDE onboarding process in general and additionally result in tamper protection not getting enabled. The behavior matched my particular issue as I could see that Defender AV was not available as an active provider. (Special thanks to Ryan Sturm for assistance and sharing his experience in MDE Microsoft Security Connection Program)



I checked for the registries in question, and voila. There was a registry configured for disabling AntiSpyware.



According to Microsoft, the registry in question was deprecated long back.


I verified and there was no active policy in customer's environment that was configuring the registry. My only hypothesis is that, the registry would have been configured at the time of the implementation of the 3rd party security solution on the endpoints and the policy was removed later without actually removing the registry in question.

The fix..

Well the fix is actually simple. While there is an option to change the value of disable AntiSpyware from 1 to 0, I decided to get rid of the registry altogether. Why have a deprecated setting in place, right?

As I am pushing the Defender policies under Co-management using Intune, I setup a remediation Powershell script to detect and remove the registry in question. Here are the scripts -

Detection Script - 

$check=Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" | 

Select-Object -ExpandProperty DisableAntiSpyware -ErrorAction SilentlyContinue

If(($check -eq $null) -and ($check.length -eq 0)) {

         "Key does not exist"

           exit 0

          }

 Else{

 "Key exists"

exit 1

          }

Remediation Script -

Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Force


Following are the steps to set things up in Intune -

1. Sign-in to the Microsoft Intune admin portal.

2. Browse to Devices > Scripts & remediations – Create

3. Fill the relevant fields like Name, Description, Publisher etc and hit Next.

4. In the settings section, select the relevant Detection and Remediation scripts as covered above in the blog.

5. Run the script in 64-bit Powershell and leave the rest of the options to Default.

6. Assign the scope tags if required and then assign to device based group. You can define the frequency of the execution of the Proactive script. I set to run Daily against production devices to suit my requirements.

Script in action

The Intune management extension agent checks with Intune once every hour and after every reboot for any new scripts or changes. The execution results can be monitored directly in Intune under Devices > Scripts & remediations<Name of your Remediation Script>. You can switch to Device Status and then add the columns to get more details related to Pre & Post Detection and Remediation status.



Status in Defender Portal should switch from Unknown and tamper protection should enable as well. In my case EDR in block mode after MDE onboarding in Passive mode.

Hope the above helps and saves you some time dealing with similar issues in the future. Thanks for reading. Until next time..

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Intune: UAC Elevation Prompt Behavior for Standard Users

-
Image
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process. Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you. Let us see what all is involved and some of the ways that you can use to implement this easily. Policy CSP – LocalPoliciesSecurityOptions LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is U
Read more