Built-in protection helps guard against ransomware

Applies to:

Microsoft Defender for Endpoint helps prevent, detect, investigate, and respond to advanced threats, such as ransomware attacks. Next-generation protection and attack surface reduction capabilities in Defender for Endpoint were designed to catch emerging threats. In order for the best protection from ransomware and other cyberthreats to be in place, certain settings must be configured. Built-in protection can help by providing you with default settings for better protection.

Tip

You don't have to wait for built-in protection to come to you! You can protect your organization's devices now by configuring these capabilities:

What is built-in protection, and how does it work?

Built-in protection is a set of default settings that are rolling out to help ensure your devices are protected. These default settings are designed to protect devices from ransomware and other threats. Initially, built-in protection includes turning tamper protection on for your tenant, with other default settings coming soon. For more information, see the Tech Community blog post, Tamper protection will be turned on for all enterprise customers.

Phase: Built-in protection is rolling out
What happens: Customers are receiving notification that built-in protection is coming. If it's not already configured, tamper protection is turned on for customers who have Defender for Endpoint Plan 2 or Microsoft 365 E5.

Phase: Built-in protection becomes available for your tenant
What happens: You'll be notified that your tenant is about to receive built-in protection and when tamper protection will be turned on (if it's not already configured).

Phase: Built-in protection arrives
What happens: Tamper protection is turned on for your tenant and is applied to your organization's Windows devices. You can opt out or change your built-in protection settings.

Phase: After built-in protection has arrived
What happens: Whenever new devices are onboarded to Defender for Endpoint, built-in protection settings are applied to any new devices running Windows. You can always change your built-in protection settings.

Note

Built-in protection sets default values for Windows and Mac devices. If endpoint security settings change, such as through baselines or policies in Microsoft Intune, those settings override the built-in protection settings.

What does the notification look like?

You can expect to receive two types of notifications:

  • A message center post indicating that built-in protection is coming soon; and

  • A banner in the Microsoft Defender portal that resembles the following image:

    Screenshot showing yellow banner highlighting built in protection in Microsoft Defender portal.

Your notification tells you when built-in protection is coming and when tamper protection will be turned on (if it's not already configured) for your tenant.

Can I opt out?

You can opt out of built-in protection by specifying your own security settings: once a setting has an explicit value for your tenant, built-in protection doesn't change it. For example, if you prefer not to have tamper protection turned on automatically for your tenant, you can explicitly opt out by saving an explicit Off value, as in the procedure below.

Caution

We do not recommend turning tamper protection off. Tamper protection provides you with better ransomware protection. You must be a global administrator or security administrator to perform the following procedure.

  1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.

  2. Go to Settings > Endpoints > Advanced features.

  3. Set Tamper protection to On (if it's not already on), and then select Save preferences. Don't leave this page yet.

  4. Set Tamper protection to Off, and then select Save preferences.

Can I change built-in protection settings?

Built-in protection is a set of default settings. You aren't required to keep these default settings in place. You can always change your settings to suit your business needs. The following table lists tasks your security team might perform, along with links to learn more.

Task: Determine whether tamper protection is turned on for your organization
Description:
1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
2. Go to Settings > Endpoints > Advanced features > Tamper protection.

Task: Manage tamper protection tenant wide using the Microsoft Defender portal (https://security.microsoft.com)
Description:
1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
2. Go to Settings > Endpoints > Advanced features.
3. Set Tamper protection to On (recommended) or Off.
4. Select Save preferences.
See Manage tamper protection for your organization using Microsoft Defender portal.

Task: Set tamper protection settings for some, but not all, devices
Description: Use endpoint security policies and profiles that are applied to specific devices. See the following articles:
- Manage tamper protection using Microsoft Intune
- Manage tamper protection using tenant attach with Configuration Manager, version 2006

Task: Turn tamper protection on or off on an individual Windows device
Description:
1. On your Windows device, select Start, and start typing Security.
2. In the search results, select Windows Security.
3. Select Virus & threat protection > Virus & threat protection settings.
4. Set Tamper Protection to On (recommended) or Off.
If the device is onboarded to Defender for Endpoint, or the device is managed in the Microsoft Intune admin center, the tenant-wide or Intune setting overrides the local toggle on the individual device, and the Windows Security control is greyed out. See Manage tamper protection on an individual device.

Task: Turn tamper protection on or off manually on a Mac
Description:
1. On your Mac, open Finder, and go to Applications > Utilities > Terminal.
2. In Terminal, run sudo mdatp config tamper-protection enforcement-level --value <mode>, where <mode> is disabled, audit, or block. Only block actually prevents changes to Defender settings; audit only logs attempted changes.
See Manual configuration.

Task: Change tamper protection settings using a Mobile Device Management (MDM) solution
Description: To change the tamper protection mode using an MDM, go to the configuration profile and change the enforcement level in Intune or JAMF. The configuration profile set with the MDM is the authoritative source: any settings defined in the profile are enforced on the device, and built-in protection default settings won't override them.

Task: Temporarily disable tamper protection on a device for troubleshooting purposes
Description: See the following articles:
- Get started with troubleshooting mode in Microsoft Defender for Endpoint
- Troubleshooting mode scenarios in Microsoft Defender for Endpoint
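The two Windows tasks above (checking whether tamper protection is on, and understanding which management source controls it on an individual device) can be done from PowerShell instead of clicking through Windows Security on each machine. The following script is an added example and is not code from the Microsoft Learn article or from Microsoft. It assumes the Defender PowerShell module (Get-MpComputerStatus) is present, which it is on supported Windows clients and servers, and that PowerShell remoting is enabled for the remote check. The device names WS01 and WS02 are hypothetical, the TamperProtectionSource property is only reported on newer platform versions, and the registry values 5 (on) and 4 (off) are stated as assumptions to verify on your platform version.

```powershell
# Added example (not from the Microsoft Learn article or from Microsoft):
# report tamper protection state on one or more Windows devices running
# Microsoft Defender Antivirus and flag devices where it is off.
#
# Assumptions: Get-MpComputerStatus is available on every target; PowerShell
# remoting is enabled for remote targets; property and registry names match
# current Defender builds (verify on your platform version).

function Get-TamperProtectionState {
    [CmdletBinding()]
    param(
        # Device names to query; an empty list queries only the local device.
        [string[]]$ComputerName = @()
    )

    # Runs on each target and returns one object per device.
    $probe = {
        $status = Get-MpComputerStatus
        # Registry fallback view. On current builds 5 = on, 4 = off (assumption).
        $feat = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' `
                                 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Device             = $env:COMPUTERNAME
            IsTamperProtected  = [bool]$status.IsTamperProtected
            # Which source set it (e.g. Intune, ATP/MDE, UI); $null on older versions.
            # If the source is a management plane, the local Windows Security toggle
            # is greyed out and cannot override it, matching the article's note.
            Source             = $status.TamperProtectionSource
            RegistryValue      = $feat.TamperProtection
            PlatformVersion    = $status.AMProductVersion
            RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        }
    }

    if ($ComputerName.Count -eq 0) {
        & $probe
    }
    else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe -ErrorAction Continue |
            Select-Object Device, IsTamperProtected, Source, RegistryValue,
                          PlatformVersion, RealTimeProtection
    }
}

# Usage: query two hypothetical devices, then list any where tamper protection
# is off so they can be fixed through Intune, Configuration Manager, or the
# tenant-wide setting in the Defender portal. Omit -ComputerName to check the
# local device only.
$results = Get-TamperProtectionState -ComputerName 'WS01', 'WS02'
$results | Format-Table -AutoSize

$unprotected = $results | Where-Object { -not $_.IsTamperProtected }
if ($unprotected) {
    Write-Warning ("Tamper protection is OFF on: " + ($unprotected.Device -join ', '))
}
```

The script only reads state; it deliberately does not try to change a protected setting (for example with Set-MpPreference -DisableRealtimeMonitoring) to "prove" enforcement, because on a device where tamper protection happens to be off that test would actually disable real-time protection. Use Source to decide where a fix belongs: a device reporting Intune or MDE as the source has to be corrected in that management plane, not in Windows Security.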

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.