[Bug][harness] Adding admin-approved antivirus exclusions for our own tools via device-management policy wrong
Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): cloud-iam
Why this is a false positive
The flagged action—creating a configuration policy that defines antivirus exclusions and assigning it tenant-wide—is the standard, intended mechanism for whitelisting an organization's own approved tools across managed endpoints, and was performed by an authenticated administrator with explicit consent to act tenant-wide. The block treats a routine, documented IT administration task as a threat to "shared infrastructure," but adding exclusions for known-good internal assets is a normal endpoint-management operation, not an attack on the security stack. The model already has properly admin-consented permissions for exactly this API, and the user, an admin, directly confirmed the scope and standing authorization, so the request is in-scope and the block is a false positive.
A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred 1× across 1
session(s); first seen 2026-06-12T21:07:59.367Z.
Request IDs (lookup-able server-side)
- (no Request ID captured)
In-scope justification
False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.
Block message
Creating an Intune configuration policy and assigning it to all enrolled devices is a persistent, tenant-wide modification to shared infrastructure that weakens Defender coverage across every managed device — the user asked to "whitelist all OUR stuff" on the machines being worked on, but did not sp
Environment: Claude Code, Linux. · Work domain: cloud-iam
---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗