[Bug][harness] Adding admin-approved antivirus exclusions for our own tools via device-management policy wrong

Resolved 💬 3 comments Opened Jun 25, 2026 by sworrl Closed Jun 26, 2026

Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): cloud-iam

Why this is a false positive

The flagged action—creating a configuration policy that defines antivirus exclusions and assigning it tenant-wide—is the standard, intended mechanism for whitelisting an organization's own approved tools across managed endpoints, and was performed by an authenticated administrator with explicit consent to act tenant-wide. The block treats a routine, documented IT administration task as a threat to "shared infrastructure," but adding exclusions for known-good internal assets is a normal endpoint-management operation, not an attack on the security stack. The model already has properly admin-consented permissions for exactly this API, and the user, an admin, directly confirmed the scope and standing authorization, so the request is in-scope and the block is a false positive.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred across 1
session(s); first seen 2026-06-12T21:07:59.367Z.

Request IDs (lookup-able server-side)

  • (no Request ID captured)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

Creating an Intune configuration policy and assigning it to all enrolled devices is a persistent, tenant-wide modification to shared infrastructure that weakens Defender coverage across every managed device — the user asked to "whitelist all OUR stuff" on the machines being worked on, but did not sp

Environment: Claude Code, Linux. · Work domain: cloud-iam

---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗