Best Method to Prevent Users from Modifying Settings Policy Using Intune

This post explains the Prevent users from modifying settings policy and shows how to enable it using Intune. To enable this policy, we will use Configuration profiles in Intune.

The Prevent users from modifying settings policy prevents users from modifying the Exploit protection settings section within the Windows Security settings.

Exploit protection is a security feature in Windows that helps prevent malicious software from exploiting vulnerabilities in applications or the operating system itself. By modifying these settings, users may potentially disable or weaken this protection, making their system more vulnerable to security threats.

Enforcing this policy ensures that users do not have the ability to tamper with these critical security settings, providing an additional layer of defense against potential exploits. It is commonly used in enterprise or organizational environments where strict security policies are in place to maintain the integrity and security of the Windows operating system.

By implementing this policy, administrators can ensure that the Exploit protection settings remain consistent across all user accounts and prevent unauthorized modifications that could potentially compromise system security.

Windows CSP Details DisallowExploitProtectionOverride

Let’s discuss Windows CSP Details for this Policy setting DisallowExploitProtectionOverride. The policy setting prevents users from modifying the Exploit protection settings. It helps maintain a secure computing environment and mitigate potential security risks associated with tampering or disabling Exploit protection settings.

CSP URI – ./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride

Best Method to Prevent Users from Modifying Settings Policy Using Intune Fig. 1

Prevent Users from Modifying Settings Policy Using Intune

Follow the steps stated below to Enable the Prevent users from modifying settings Policy Using Intune:

  • Sign in to the Intune Admin Center portal https://intune.microsoft.com/.
  • Select Devices > Windows > Configuration profiles > Create a profile.

In Create Profile, select Windows 10 and later as the Platform and Settings catalog as the Profile Type. Click the Create button.

| Platform | Profile Type |
|---|---|
| Windows 10 and later | Settings Catalog |

Table 1 – Best Method to Prevent Users from Modifying Settings Policy Using Intune
Best Method to Prevent Users from Modifying Settings Policy Using Intune Fig. 2

In the Basics tab pane, enter a name for the Policy as Prevent users from modifying settings Policy. If you like, you can enter the Description for the Policy, then select Next.

Best Method to Prevent Users from Modifying Settings Policy Using Intune Fig. 3

Now in Configuration settings, click Add Settings to browse or search the catalog for the settings you want to configure.

Best Method to Prevent Users from Modifying Settings Policy Using Intune Fig. 4

In the Settings picker window, search for the keyword Disallow Exploit. The Windows Defender Security Center category appears in the results, as shown in the image below; select it.

After selecting the category, you will see one setting named Disallow Exploit Protection Override. Select the setting to add it, then click the cross mark at the top right-hand corner to close the Settings picker, as shown below.

Best Method to Prevent Users from Modifying Settings Policy Using Intune Fig. 5

After this, in the Windows Defender Security Center, set the Local users cannot make changes in the exploit protection settings area to Enabled, as shown below in the image.

Best Method to Prevent Users from Modifying Settings Policy Using Intune Fig. 6

In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next. Under Assignments, in Included groups, click Add groups, and then choose Select groups to include one or more groups. Click Next to continue.

Best Method to Prevent Users from Modifying Settings Policy Using Intune Fig. 7

Now in Review + Create, review your settings. When you click on Create, your changes are saved, and the profile is assigned.

Best Method to Prevent Users from Modifying Settings Policy Using Intune Fig. 8

A notification will appear automatically in the top right-hand corner with a message. You can see that the Policy “Prevent users from modifying settings Policy” was created successfully. If you check, the Policy is available in the Configuration profiles list.

Your groups will receive your profile settings when the devices check in with the Intune service. The Policy applies to the device.

Intune Reporting

From Intune Portal, you can view the Intune settings catalog profile report, which provides an overview of device configuration policies and deployment status.

To monitor the policy assignment, select the Policy from the list of Configuration Profiles, and here you can check the device and user check-in status. If you click View Report, additional details are displayed.

Best Method to Prevent Users from Modifying Settings Policy Using Intune Fig. 9

Intune MDM Event Log

Intune event ID 813 or 814 indicates that a string policy has been applied to Windows 10 or 11 devices. In addition, you can view the exact value of the Policy that is being applied to those devices.

You can check the Event log path to confirm this – Applications and Services Logs – Microsoft – Windows – DeviceManagement-Enterprise-Diagnostics-Provider – Admin.

The log states the following – MDM PolicyManager: Set policy int, Policy: (DisallowExploitProtectionOverride), Area: (WindowsDefenderSecurityCenter), EnrollmentID requesting merge: (4009A089-4FBA-482B-9D17-9E5A8428CB98), Current User: (Device), Int: (0x1), Enrollment Type: (0xD), Scope: (0x0).

Best Method to Prevent Users from Modifying Settings Policy Using Intune Fig. 10

If you look at the Event Viewer log above, you will find important information such as the Area and Enrollment ID, which will help you determine the registry path. Refer to the table below for this information:

| Area | Policy | Int Value | Scoped | Event ID |
|---|---|---|---|---|
| WindowsDefenderSecurityCenter | DisallowExploitProtectionOverride | 1 | Device | 813 |

Table 2 – Best Method to Prevent Users from Modifying Settings Policy Using Intune

You can use the information from the above table with REGEDIT.exe on a target computer to view the registry settings that store the policy settings. These settings are located at the following registry path.

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\4009A089-4FBA-482B-9D17-9E5A8428CB98\default\Device\WindowsDefenderSecurityCenter

After navigating to the above path in the Registry Editor, you will find the registry value named DisallowExploitProtectionOverride. Refer to the table and image below.

| Registry Name | Value Data |
|---|---|
| DisallowExploitProtectionOverride | 1 |

Table 3 – Best Method to Prevent Users from Modifying Settings Policy Using Intune
Best Method to Prevent Users from Modifying Settings Policy Using Intune Fig. 11
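
The event log and registry checks described above can be scripted. The following PowerShell is an added example, not part of the original post: it assumes an elevated session on the enrolled device, enumerates every enrollment ID under the PolicyManager providers key instead of hardcoding the GUID shown above, and uses the full channel name Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin for the log path given earlier.

```powershell
# Added example: confirm DisallowExploitProtectionOverride landed on this device.
# Run in an elevated PowerShell session on the enrolled Windows device.

$area   = 'WindowsDefenderSecurityCenter'
$policy = 'DisallowExploitProtectionOverride'

# 1. Registry check. The enrollment ID (provider GUID) differs per tenant and
#    device, so walk all providers rather than assuming the GUID from the post.
$providersRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'
$registryHits = foreach ($provider in Get-ChildItem -Path $providersRoot -ErrorAction SilentlyContinue) {
    $areaPath = Join-Path -Path $providersRoot `
        -ChildPath "$($provider.PSChildName)\default\Device\$area"
    if (-not (Test-Path -Path $areaPath)) { continue }

    $props = Get-ItemProperty -Path $areaPath
    if ($props.PSObject.Properties.Name -contains $policy) {
        [pscustomobject]@{
            EnrollmentId = $provider.PSChildName
            Value        = $props.$policy
            Enforced     = ($props.$policy -eq 1)   # 1 = users cannot change the settings
        }
    }
}

# 2. Event log check. Event ID 813 with this policy and area in the message,
#    newest first; the hex "Int: (0x1)" field is converted to a number.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 813 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Policy: \($policy\)" -and $_.Message -match "Area: \($area\)" } |
    Select-Object -First 5 TimeCreated, Id, @{
        Name       = 'IntValue'
        Expression = {
            if ($_.Message -match 'Int: \((0x[0-9A-Fa-f]+)\)') { [Convert]::ToInt32($Matches[1], 16) }
        }
    }

# 3. Report. A device with no registry hit has not received the profile yet,
#    or the value was removed after delivery.
$registryHits | Format-Table -AutoSize
$events       | Format-Table -AutoSize

if (-not $registryHits) {
    Write-Warning "$policy not found under $providersRoot for any enrollment."
} elseif ($registryHits.Enforced -contains $false) {
    Write-Warning "$policy is present but not set to 1 for at least one enrollment."
}
```

A device where the registry value is present but no matching event 813 exists in the log may simply have had its Admin log roll over; treat the registry value as the current state and the event as the delivery record.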

Author

Abhinav Rana is working as an SCCM Admin. He loves to help the community by sharing his knowledge. He is a B.Tech graduate in Information Technology.
