I noticed today when perusing a machine managed by ManageEngine MDM that the device has Tamper Protection turned off. It says that it is managed by your administrator. Reading up, I see that this is due to the device being Azure AD joined, which, for some reason, Microsoft then expects this setting to be managed by the MDM.
Since we are using ManageEngine MDM, I went in to see how to configure it in the Profile. Does anyone have a recommendation for the proper configuration based upon the documentation?
Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune.
The data type is a Signed blob. <--- How to create this in the configuration UI?
Supported operations are Add, Delete, Get, Replace.
Intune tamper protection setting UX supports three states:
- Not configured (default): Does not have any impact on the default state of the device.
- Enabled: Enables the tamper protection feature.
- Disabled: Turns off the tamper protection feature.
<<Dear Microsoft, what are the proper values here for the CSP entry, I don't care what the value is in the UI>>
When enabled or disabled exists on the client and the admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require it to be set explicitly.
So I'm trying to figure out the proper configuration for a custom config:
Data type: String?? <- Proper Data Type??
Value: Enabled or 1??? <- Proper Value???
Any suggestions would be helpful.
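Before pushing any profile, it is worth reading back what the device itself reports, since the quoted documentation says the state only changes when a new value is explicitly applied. The script below is an added example from the editor, not code from the original post or from ManageEngine or Microsoft. It does not produce the signed blob the CSP node expects; it only audits the current state via Get-MpComputerStatus, the Defender Features registry key, and dsregcmd. The registry value meanings (5 = on, 4 = off) and the presence of the TamperProtectionSource property are assumptions from field use and are labelled as such in the comments; run it in an elevated PowerShell session on the managed Windows 10/11 device.

```powershell
# Added example (not from the original post): audit the device's current
# Tamper Protection state and Azure AD join state so a change pushed through
# the MDM can be verified. Run elevated on the managed Windows device.
#
# Assumptions (not taken from the page):
#   - HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection
#     holds 5 when on and 4 when off.
#   - TamperProtectionSource exists only on newer Defender builds.
# The CSP node the quoted documentation describes is
# ./Device/Vendor/MSFT/Defender/Configuration/TamperProtection.

function Get-TamperProtectionAudit {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus -ErrorAction Stop

    # Probe for the source property instead of assuming it exists; older
    # builds do not expose it and would otherwise return $null silently.
    $source = $null
    if ($status.PSObject.Properties.Name -contains 'TamperProtectionSource') {
        $source = $status.TamperProtectionSource
    }

    # Registry view of the same setting (assumed value meanings, see above).
    $regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $reg      = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $regValue = if ($null -ne $reg) { $reg.TamperProtection } else { $null }
    $regState = if ($null -eq $regValue) { 'Value not present' }
                elseif ($regValue -eq 5) { 'On (5)' }
                elseif ($regValue -eq 4) { 'Off (4)' }
                else { "Unknown ($regValue)" }

    # dsregcmd is the local authority on the Azure AD join state; the output
    # is one line per field, so match the AzureAdJoined line directly.
    $joinedLines = (dsregcmd /status) -match '^\s*AzureAdJoined\s*:\s*YES'

    [pscustomobject]@{
        IsTamperProtected        = $status.IsTamperProtected
        TamperProtectionSource   = $source
        RegistryTamperProtection = $regState
        AzureAdJoined            = [bool]$joinedLines
    }
}

# Usage: print the audit as a list; re-run after the MDM profile is applied
# and compare the two results.
Get-TamperProtectionAudit | Format-List
```

If IsTamperProtected stays False after the profile is applied and the source still reports the MDM, the profile did not carry a value the device accepted, which is the symptom to expect when a custom setting is sent as a plain string instead of the signed blob the node requires.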