Tamper Protection in Microsoft Defender for Endpoint is a feature that protects selected settings, such as virus and malware protection, from being changed. With tamper protection enabled, you cannot disable selected components of Microsoft Defender for Endpoint or change their settings.
In fact, disabling a security product or changing its settings is usually one of the first things a threat actor tries to do. If they were able to deactivate the protection, their subsequent work would be much easier. This is why it is extremely important to keep tamper protection active.
What settings does Tamper Protection protect
When Tamper Protection is active, the following settings and components are protected against unauthorized modification or deactivation:
- Virus and threat protection remains enabled.
- Real-time protection remains turned on.
- Behavior monitoring remains turned on.
- Antivirus protection, including IOfficeAntivirus (IOAV), remains enabled.
- Cloud protection remains enabled.
- Security intelligence updates occur.
- Automatic actions are taken on detected threats.
- Notifications are visible in the Windows Security app on Windows devices.
- Archived files are scanned.
Which operating systems support Tamper Protection
- Windows 11
- Windows 11 Enterprise multi-session
- Windows 10 OS 1709, 1803, 1809, or later together with Microsoft Defender for Endpoint
- Windows 10 Enterprise multi-session
- Windows Server 2022, Windows Server 2019, and Windows Server, version 1803 or later
- Windows Server 2016 and Windows Server 2012 R2 (using the modern, unified solution)
- macOS Big Sur (11) or later
Tamper protection works a little differently on macOS than on Windows. On macOS, Tamper Protection prevents Microsoft Defender for Endpoint from being uninstalled and prevents its files from being changed, renamed, created, or deleted. It also protects the Microsoft Defender for Endpoint processes themselves from tampering.
How to configure Tamper Protection
Configuring Tamper Protection from the Security Portal
Configuring tamper protection from the security portal is tenant-wide, which means it is applied to all connected devices without any scoping. This is desirable because, as I mentioned earlier, tamper protection is a very important setting that should be active on all devices.
In the security portal, open Settings – Endpoints and under Advanced features enable Tamper protection.
Configuring Tamper Protection from Intune
If you want more control over the deployment of tamper protection, you can use Intune, for example. Intune lets you scope settings, so you can activate tamper protection only on selected devices.
It is also important to note that tamper protection configured in Intune overrides the global tamper protection settings configured in the Security portal. In other words, if you have tamper protection enabled as a tenant-wide setting from the Security portal, you can still exclude specific devices from tamper protection using the Intune policy.
In Intune you can configure tamper protection from Endpoint security – Antivirus. Here, create a new policy and select Windows 10, Windows 11, and Windows Server from the Platform menu, and then select Windows Security Experience from the Profile menu.
Enter any policy name, and in the next step, set TamperProtection (Device) to On if you want to enable tamper protection. Select Off if you want to turn tamper protection off. In the next steps, just choose which devices you want to target with the policy.
As I’ve mentioned several times before, tamper protection is a very strong protection against tampering that you should definitely have active on all devices.
If you try to tamper with Defender for Endpoint, it may seem at first glance that you have succeeded. However, appearances are deceiving and Defender for Endpoint is still active.
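To confirm that a device really ended up in the state described in the list of protected settings above, here is an added PowerShell check that is not part of the original post: it reads the Defender status with the built-in Get-MpComputerStatus and Get-MpPreference cmdlets and flags any protected component that is off. It assumes it is run in an elevated PowerShell on a Windows device with the Defender module present; the function name and the 7-day signature-age threshold are my own choices.

```powershell
# Added example, not from the original post: read-only compliance check of the
# components that tamper protection is supposed to keep enabled.
# Assumes the Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference)
# is available and the session is elevated.
function Test-DefenderTamperState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # One entry per protected component; the value is the condition that should hold.
    $checks = [ordered]@{
        'Tamper protection enabled'        = [bool]$status.IsTamperProtected
        'Antivirus enabled'                = [bool]$status.AntivirusEnabled
        'Real-time protection on'          = [bool]$status.RealTimeProtectionEnabled
        'Behavior monitoring on'           = [bool]$status.BehaviorMonitorEnabled
        'IOAV (download/attachment) scan'  = [bool]$status.IoavProtectionEnabled
        # MAPSReporting: 0 = cloud protection disabled, 1 = basic, 2 = advanced
        'Cloud protection (MAPS) on'       = ($pref.MAPSReporting -ne 0)
        'Archive scanning on'              = (-not $pref.DisableArchiveScanning)
        # 7-day limit is an arbitrary threshold chosen for this example
        'Signatures updated within 7 days' = ($status.AntivirusSignatureAge -le 7)
    }

    $failed = @($checks.GetEnumerator() |
        Where-Object { -not $_.Value } |
        ForEach-Object { $_.Key })

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        TamperProtected        = [bool]$status.IsTamperProtected
        # TamperProtectionSource reports where the setting came from (e.g. Intune);
        # it is $null on older Defender builds that do not expose the property.
        TamperProtectionSource = $status.TamperProtectionSource
        Compliant              = ($failed.Count -eq 0)
        FailedChecks           = $failed
    }
}

# Usage: run on the device after the portal or Intune policy has applied.
Test-DefenderTamperState | Format-List
```

A non-empty FailedChecks list on a device that reports TamperProtected = True is worth investigating, since those components should not be switchable while tamper protection is on.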