This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Applies to:
Platforms
Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities.
Tamper protection is part of anti-tampering capabilities that include standard protection attack surface reduction rules. Tamper protection is an important part of built-in protection.
When tamper protection is turned on, these tamper-protected settings can't be changed:
As of signature release 1.383.1159.0, due to confusion around the default value for "Allow Scanning Network Files", tamper protection no longer locks this setting to its default value. In managed environments, the default value is enabled.
Important
When tamper protection is turned on, tamper-protected settings can't be changed. To avoid breaking management experiences, including Intune and Configuration Manager, keep in mind that changes made to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. Depending on your particular scenario, you have several options available:
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how non-Microsoft antivirus apps register with the Windows Security app. If your organization is using Defender for Endpoint, individual users can't change the tamper protection setting; in those cases, your security team manages tamper protection. For more information, see How do I configure or manage tamper protection?
Tamper protection is available for devices that are running one of the following versions of Windows:
Tamper protection is also available for Mac, although it works a little differently than on Windows. For more information, see Protect macOS security settings with tamper protection.
Tip
Built-in protection includes turning tamper protection on by default. For more information, see:
If you're using Windows Server 2012 R2 using the modern unified solution, Windows Server 2016, Windows 10 version 1709, 1803, or 1809, you don't see Tamper Protection in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.
Important
On Windows Server 2016, the Settings app doesn't accurately reflect the status of real-time protection when tamper protection is enabled.
Open the Windows PowerShell app.
Use the Get-MpComputerStatus PowerShell cmdlet.
In the list of results, look for IsTamperProtected and RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)
You can use Microsoft Intune and other methods to configure or manage tamper protection, as listed in the following table:
| Method | What you can do |
|---|---|
| Use the Microsoft Defender portal. | Turn tamper protection on (or off), tenant wide. See Manage tamper protection for your organization using Microsoft Defender XDR. This method doesn't override settings that are managed in Microsoft Intune or Configuration Manager. |
| Use the Microsoft Intune admin center or Configuration Manager. | Turn tamper protection on (or off), tenant wide, or apply tamper protection to some users/devices. You can exclude certain devices from tamper protection. See Manage tamper protection for your organization using Intune. Protect Microsoft Defender Antivirus exclusions from tampering if you're using Intune only or Configuration Manager only. See Tamper protection for antivirus exclusions. |
| Use Configuration Manager with tenant attach. | Turn tamper protection on (or off), tenant wide, or apply tamper protection to some users/devices. You can exclude certain devices from tamper protection. See Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006. |
| Use the Windows Security app. | Turn tamper protection on (or off) on an individual device that isn't managed by a security team (such as devices for home use). See Manage tamper protection on an individual device. This method doesn't override tamper protection settings that are set in the Microsoft Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by organizations. |
Tip
If you're using Group Policy to manage Microsoft Defender Antivirus settings, keep in mind that any changes made to tamper-protected settings are ignored. If you must make changes to a device and those changes are blocked by tamper protection, use troubleshooting mode to temporarily disable tamper protection on the device. After troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state. To change the values on tamper-protected settings permanently, disable tamper protection temporarily before turning it back on after the settings have changed. Keep in mind that this method can pose security risks, and doesn't work on devices that are offline when tamper protection was temporarily disabled. For this reason, we recommend using other management methods for Defender for Endpoint settings, such as Intune, instead of using Group Policy.
Under certain conditions, tamper protection can protect exclusions that are defined for Microsoft Defender Antivirus. For more information, see Tamper protection for exclusions.
Tampering attempts typically indicate that a larger cyberattack has taken place. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
Whenever a tampering attempt is detected, an alert is raised in the Microsoft Defender portal (https://security.microsoft.com).
Using endpoint detection and response and advanced hunting capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
Tamper protection integrates with Microsoft Defender Vulnerability Management capabilities. Security recommendations include making sure tamper protection is turned on. For example, in your Vulnerability Management dashboard, you can search on tamper. In the results, you can select Turn on Tamper Protection to learn more and turn it on.
To learn more about Microsoft Defender Vulnerability Management, see Dashboard insights - Defender Vulnerability Management.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Training
Certification
Microsoft Certified: Information Protection and Compliance Administrator Associate - Certifications
Demonstrate the fundamentals of data security, lifecycle management, information security, and compliance to protect a Microsoft 365 deployment.