PrachiSharma-9958 asked

How to change registry key value for Tamper Protection in Windows Defender

Hi, I am unable to change a registry key value to disable Tamper protection in Windows, getting an "access denied" error.

The registry key is: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

I have tried to change the ownership, but I am still getting an "Access denied" error if I try to take full control of the key.


CandyLuo-MSFT answered

Hi,

Before we go further, I would like to confirm the following questions:

1. What's the OS version of your Windows 10? 1909 or 20H2?

2. How did you modify the registry key? Via PowerShell or Registry Editor?

3. Have you taken ownership of the key and given the account full control permission?

In my lab (OS version is 1909), I have gained full permission to edit the registry key and it works fine, as in the pictures below:

117015-2.png

117034-1.png

Best Regards,
Candy



PrachiSharma-9958 answered

Hi,
Thank you for your reply.

The OS version is 2004. The build is 19041.928.

I have also tried OS version 20H2.

I was trying to modify the registry key via Registry Editor (in administrator mode).

I have followed the steps provided but was not able to take ownership of the registry key.
It gives the following error:
117043-1.png




CandyLuo-MSFT answered

Hi,

Thanks for clarifying more details.

I have tested in my lab with the 20H2 OS version and found the same error message: "Unable to set new owner on Features. Access is denied."

Based on my research, it seems that for newer Windows 10 OS versions (e.g. 2004 and later), we need to manually change it or use Intune to change it in bulk.

For your reference:

How do you enable Tamper Protection via powershell / cmd / registry?

How can I turn tamper protection on/off?

117065-1.png

Best Regards,
Candy



PrachiSharma-9958 answered

Thank you for your quick confirmation.

I was doing this because I wanted to run Windows Defender scans programmatically.

Users should have options to choose actions for infected files, like quarantine, remove, or report only.

Hence the relevant registry values have been modified through code:
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction"

But then later I understood that Tamper Protection is ignoring the changes made for that registry entry.

Can you suggest something for this?
Because users won't be able to modify things manually from the GUI, and Intune is also not a proper fit here.


Hi PrachiSharma,

I also used a 21H1 machine to do a test and found the same behavior. According to our test results, it seems we really cannot change the key through the registry or PowerShell and we can only use Intune to change it in bulk.

The Feedback Hub app lets you tell Microsoft about any problems you run into while using Windows 10. You may report this to Microsoft directly with the Feedback Hub app.

For more information on using the app, click here:

Send feedback to Microsoft with the Feedback Hub app

0 Votes 0 ·

Hi,

Thank you for the information.

If the Tamper Protection key cannot be changed through the registry or PowerShell, can you please suggest a way to modify the
ThreatSeverityDefaultAction key without Tamper Protection ignoring the changes?

The registry key is:
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction"

0 Votes 0 ·

As far as I know, tamper protection prevents your security settings from being changed through Registry Editor or PowerShell. So we still cannot bypass Tamper protection.

However, I will do more research and find whether there is any workaround.

1 Vote 1 ·
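
The behaviour discussed in this thread can be confirmed without changing anything. The following read-only PowerShell check is an added example, not code from any participant: it reports whether Tamper Protection is on and compares the values written under the `ThreatSeverityDefaultAction` policy key with what Defender reports as its configured default actions. The mapping of value names `1`/`2`/`4`/`5` to the Low/Moderate/High/Severe properties, and the reading of `Get-MpPreference` as the configuration Defender is using, are assumptions of this example.

```powershell
# Read-only: nothing in this script changes Defender configuration.
$status = Get-MpComputerStatus   # exposes IsTamperProtected
$prefs  = Get-MpPreference       # default actions as reported by Defender

# Policy key quoted in the thread.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction'

# Assumption (not stated in the thread): value names 1/2/4/5 are the
# Low/Moderate/High/Severe alert levels and correspond to these properties.
$levels = [ordered]@{
    '1' = 'LowThreatDefaultAction'
    '2' = 'ModerateThreatDefaultAction'
    '4' = 'HighThreatDefaultAction'
    '5' = 'SevereThreatDefaultAction'
}

# $null when the key does not exist (no policy written).
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

$report = foreach ($name in $levels.Keys) {
    # Policy values may be stored as strings; normalise both sides to int.
    $written = if ($policy -and $null -ne $policy.$name) { [int]$policy.$name } else { $null }
    $reported = [int]$prefs.($levels[$name])   # 0 when no action is configured

    [pscustomobject]@{
        Level         = $levels[$name]
        PolicyValue   = $written
        ReportedValue = $reported
        PolicyApplied = ($null -ne $written -and $written -eq $reported)
    }
}

"Tamper Protection enabled: $($status.IsTamperProtected)"
$report | Format-Table -AutoSize
```

A row with a `PolicyValue` but `PolicyApplied = False` while Tamper Protection is enabled matches what the asker describes: the registry write succeeded but Defender is not using it.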