Protect security settings with tamper protection

Important

Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Applies to:

Overview

During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring.

With tamper protection, malicious apps are prevented from taking actions such as:

  • Disabling virus and threat protection
  • Disabling real-time protection
  • Turning off behavior monitoring
  • Disabling antivirus (such as IOfficeAntivirus (IOAV))
  • Disabling cloud-delivered protection
  • Removing security intelligence updates

How it works

Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:

  • Configuring settings in Registry Editor on your Windows machine
  • Changing settings through PowerShell cmdlets
  • Editing or removing security settings through group policies

Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; tamper protection is managed by your security team.

What do you want to do?

  1. Turn tamper protection on

  2. View information about tampering attempts.

  3. Review your security recommendations.

  4. Browse the frequently asked questions.

Turn tamper protection on (or off) for an individual machine

Note

Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.

To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to Windows Security and update Security intelligence to version 1.287.60.0 or later. (See Security intelligence updates.)

Once you’ve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.

If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do change security settings, such as tamper protection.

  1. Click Start, and start typing Defender. In the search results, select Windows Security.

  2. Select Virus & threat protection > Virus & threat protection settings.

  3. Set Tamper Protection to On or Off.

    Here's what you see in the Windows Security app:

    Tamper protection turned on in Windows 10 Home

Turn tamper protection on (or off) for your organization using Intune

If you are part of your organization's security team, and your subscription includes Intune, you can turn tamper protection on (or off) for your organization in the Microsoft Endpoint Manager admin center portal.

You must have appropriate permissions, such as global admin, security admin, or security operations, to perform the following task.

  1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:

  2. Go to the Microsoft Endpoint Manager admin center and sign in with your work or school account.

  3. Select Devices > Configuration Profiles.

  4. Create a profile as follows:

    • Platform: Windows 10 and later

    • Profile type: Endpoint protection

    • Category: Microsoft Defender Security Center

    • Tamper Protection: Enabled

    Turn tamper protection on with Intune

  5. Assign the profile to one or more groups.

Are you using Windows OS 1709, 1803, or 1809?

If you are using Windows 10 OS 1709, 1803, or 1809, you won't see Tamper Protection in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.

Use PowerShell to determine whether tamper protection is turned on

  1. Open the Windows PowerShell app.

  2. Use the Get-MpComputerStatus PowerShell cmdlet.

  3. In the list of results, look for IsTamperProtected. (A value of true means tamper protection is enabled.)

Manage tamper protection with Configuration Manager, version 2006

Important

The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure.

If you're using version 2006 of Configuration Manager, you can manage tamper protection settings on Windows 10 and Windows Server 2019 by using a method called tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.

  1. Set up tenant attach. See Microsoft Endpoint Manager tenant attach: Device sync and device actions.

  2. In the Microsoft Endpoint Manager admin center, go to Endpoint security > Antivirus, and choose + Create Policy.

    • In the Platform list, select Windows 10 and Windows Server (ConfigMgr).

    • In the Profile list, select Windows Security experience (preview).

    The following screenshot illustrates how to create your policy:

    Windows security experience in Endpoint Manager

  3. Deploy the policy to your device collection.

Need help? See the following resources:

View information about tampering attempts

Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.

When a tampering attempt is detected, an alert is raised in the Microsoft Defender Security Center (https://securitycenter.windows.com).

Microsoft Defender Security Center

Using endpoint detection and response and advanced hunting capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.

Review your security recommendations

Tamper protection integrates with Threat & Vulnerability Management capabilities. Security recommendations include making sure tamper protection is turned on. For example, you can search on tamper, as shown in the following image:

Tamper protection results in security recommendations

In the results, you can select Turn on Tamper Protection to learn more and turn it on.

Turn on tamper protection

To learn more about Threat & Vulnerability Management, see Threat & Vulnerability Management in Microsoft Defender Security Center.

Frequently asked questions

To which Windows OS versions is configuring tamper protection is applicable?

Windows 10 OS 1709, 1803, 1809, or later together with Microsoft Defender for Endpoint.

If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview).

Will tamper protection have any impact on third-party antivirus registration?

No. Third-party antivirus offerings will continue to register with the Windows Security application.

What happens if Microsoft Defender Antivirus is not active on a device?

Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. Tamper protection will continue to protect the service and its features.

How can I turn tamper protection on/off?

If you are a home user, see Turn tamper protection on (or off) for an individual machine.

If you are an organization using Microsoft Defender for Endpoint, you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:

How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy?

Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on.

For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only?

Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups.

Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?

If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See Manage tamper protection with Configuration Manager, version 2006 and Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients.

I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?

Currently, configuring tamper protection in Intune is only available for customers who have Microsoft Defender for Endpoint.

What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?

You won’t be able to change the features that are protected by tamper protection; such change requests are ignored.

I’m an enterprise customer. Can local admins change tamper protection on their devices?

No. Local admins cannot change or modify tamper protection settings.

What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state?

If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.

Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?

Yes. The alert is shown in https://securitycenter.microsoft.com under Alerts.

In addition, your security operations team can use hunting queries, such as the following example:

DeviceAlertEvents | where Title == "Tamper Protection bypass"

View information about tampering attempts.

See also

Help secure Windows PCs with Endpoint Protection for Microsoft Intune

Get an overview of Microsoft Defender for Endpoint

Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint