Not a question or discussion but just an information for all Change Auditor customers, since I have not been able to find this information anywhere yet.
We are using the Changeauditor Agent (NPSRVHost.exe 7.1.16014.0) on Domaincontrollers running Server 2019. Those Domaincontrollers are monitored by MS Defender for Endpoint (DATP). On each reboot of the DC a "Protected Process Tampering" alert for services.exe arises which made our SOC really nervous.
We are very sure that this process tampering is caused by the NPSRVHost service. As workaround you can alter the start type for that service from automatic to automatic (delayed). This will prevent new alerts at a reboot. Maybe one of the developers can take a look into this and explain the behaviour or at least note that behaviour in the documentation.