Handle enabled tamper-protection in Win-Defender Autofix startup check

Fixes #1709

Author: HannesWell

bundles/org.eclipse.ui.workbench/Eclipse UI/org/eclipse/ui/internal/WindowsDefenderConfigurator.java

@@ -150,7 +150,7 @@ private enum HandlingOption {
 	 *         Windows Defender is inactive and null if the process was aborted.
 	 */
 	private static Boolean runExclusionCheck(IProgressMonitor m, Optional<Path> installLocation) throws CoreException {
-		SubMonitor monitor = SubMonitor.convert(m, 4);
+		SubMonitor monitor = SubMonitor.convert(m, 5);
 		if (!isWindowsDefenderServiceRunning(monitor.split(1)) || !isWindowsDefenderActive(monitor.split(1))) {
 			return Boolean.FALSE;
 		}
@@ -159,6 +159,12 @@ private static Boolean runExclusionCheck(IProgressMonitor m, Optional<Path> inst
 		if (decision != null) {
 			switch (decision) {
 			case EXECUTE_EXCLUSION -> {
+				if (isExclusionTamperProtectionEnabled(monitor.split(1))) {
+					display.syncExec(() -> MessageDialog.openError(null, "Exclusion failed", //$NON-NLS-1$
+							bindProductName(WorkbenchMessages.WindowsDefenderConfigurator_exclusionFailed_Protected)));
+					savePreference(ConfigurationScope.INSTANCE, PREFERENCE_STARTUP_CHECK_SKIP, "true"); //$NON-NLS-1$
+					return null; // Consider selection as 'aborted' and don't show the dialog again on startup
+				}
 				try {
 					WindowsDefenderConfigurator.excludeDirectoryFromScanning(monitor.split(2));
 					savePreference(ConfigurationScope.INSTANCE, PREFERENCE_EXCLUDED_INSTALLATION_PATH,
@@ -276,6 +282,18 @@ private static List<Path> getExecutablePath() {
 		return List.of(Path.of(eclipseLauncher));
 	}
 
+	private static boolean isExclusionTamperProtectionEnabled(IProgressMonitor monitor) {
+		// https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-tamper-protection-intune?view=o365-worldwide#how-to-determine-whether-antivirus-exclusions-are-tamper-protected-on-a-windows-device
+		try { // Query the Windows Registry
+			List<String> result = runProcess(List.of("powershell.exe", "-Command", //$NON-NLS-1$//$NON-NLS-2$
+					"Get-ItemPropertyValue -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Features' -Name 'TPExclusions'"), //$NON-NLS-1$
+					monitor);
+			return result.size() == 1 && "1".equals(result.get(0)); //$NON-NLS-1$
+		} catch (IOException e) {
+			return false;
+		}
+	}
+
 	private static boolean isWindowsDefenderServiceRunning(IProgressMonitor monitor) {
 		// https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-service?view=powershell-7.4
 		// https://learn.microsoft.com/en-us/dotnet/api/system.serviceprocess.servicecontrollerstatus?view=dotnet-plat-ext-8.0

bundles/org.eclipse.ui.workbench/Eclipse UI/org/eclipse/ui/internal/WorkbenchMessages.java

@@ -614,6 +614,7 @@ public class WorkbenchMessages extends NLS {
 	public static String WindowsDefenderConfigurator_statusInactive;
 	public static String WindowsDefenderConfigurator_statusCheckFailed;
 	public static String WindowsDefenderConfigurator_exclusionFailed;
+	public static String WindowsDefenderConfigurator_exclusionFailed_Protected;
 
 	// ==============================================================================
 	// Editor Framework

bundles/org.eclipse.ui.workbench/Eclipse UI/org/eclipse/ui/internal/messages.properties

@@ -586,6 +586,7 @@ WindowsDefenderConfigurator_runExclusionFromPreferenceButtonLabel=Run exclusion
 WindowsDefenderConfigurator_statusInactive=Windows Defender is not active on this computer.
 WindowsDefenderConfigurator_statusCheckFailed=Failed to retrieve Windows Defender status.
 WindowsDefenderConfigurator_exclusionFailed=Failed to exclude {0} from being scanned by Windows Defender.
+WindowsDefenderConfigurator_exclusionFailed_Protected=Cannot exclude {0} from being scanned by Windows Defender.\nTamper protection for antivirus exclusions is enabled.
 
 # ==============================================================================
 # Editor Framework