Built-in protection helps guard against ransomware
Applies to:
Microsoft Defender for Endpoint helps prevent, detect, investigate, and respond to advanced threats, such as ransomware attacks. Next-generation protection and attack surface reduction capabilities in Defender for Endpoint were designed to catch emerging threats. In order for the best protection from ransomware and other cyberthreats to be in place, certain settings must be configured. Built-in protection can help by providing you with default settings for better protection.
Tip
You don't have to wait for built-in protection to come to you! You can protect your organization's devices now by configuring these capabilities:
What is built-in protection, and how does it work?
Built-in protection is a set of default settings to help ensure your devices are protected by Defender for Endpoint. These default settings are designed to protect devices from ransomware and other threats. Initially, built-in protection began with tamper protection enabled for your tenant, and expanded to other default settings. For more information, see the Tech Community blog post, Tamper protection will be turned on for all enterprise customers.
As devices are onboarded to Defender for Endpoint, built-in protection settings are applied automatically. However, your security team can change your built-in protection settings. |
Note
Built-in protection sets default values for Windows and Mac devices. If endpoint security settings change, such as through baselines or policies in Microsoft Intune, those settings override the built-in protection settings.
Can I opt out?
You can opt out of built-in protection by specifying your own security settings. For example, if you prefer to not have tamper protection turned on automatically for your tenant, you can explicitly opt out.
Caution
We do not recommend turning tamper protection off. Tamper protection provides you with better ransomware protection. You must have the Security Administrator role assigned to perform the following procedure.
Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
Go to Settings > Endpoints > Advanced features.
Set Tamper protection to On (if it's not already on), and then select Save preferences. Don't leave this page yet.
Set Tamper protection to Off, and then select Save preferences.
Can I change built-in protection settings?
Built-in protection is a set of default settings. Your security team isn't required to keep these default settings in place. To suit your organization's business needs, your security team can change your security settings. The following table lists tasks your security team might perform, along with links to learn more.
| Task | Description |
|---|---|
| Determine whether tamper protection is turned on for your organization | 1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in. 2. Go to Settings > Endpoints > Advanced features > Tamper protection. |
| Manage tamper protection tenant wide using the Microsoft Defender portal (https://security.microsoft.com) | 1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in. 2. Go to Settings > Endpoints > Advanced features. 3. Set Tamper protection to On (recommended) or Off. 4. Select Save preferences. See Manage tamper protection for your organization using Microsoft Defender portal. |
| Set tamper protection settings for some, but not all, devices | Use endpoint security policies and profiles that are applied to specific devices. See the following articles: - Manage tamper protection using Microsoft Intune - Manage tamper protection using tenant attach with Configuration Manager, version 2006 |
| Turn tamper protection on or off on an individual Windows device | 1. On your Windows device, select Start, and start typing Security. 2. In the search results, select Windows Security. 3. Select Virus & threat protection > Virus & threat protection settings. 4. Set Tamper Protection to On (recommended) or Off. If the device is onboarded to Defender for Endpoint, or the device is managed in the Microsoft Intune admin center, those settings will override user settings on the individual device. See Manage tamper protection on an individual device. |
| Turn tamper protection on or off manually on a Mac | 1. On your Mac, open Finder, and go to Applications > Utilities > Terminal. 2. In Terminal, type the following command sudo mdatp config tamper-protection enforcement-level --value (chosen mode).See Manual configuration. |
| Change tamper protection settings using a Mobile Device Management (MDM) solution | To change the tamper protection mode using an MDM, go to the configuration profile and change the enforcement level in Intune or JAMF. The configuration profile set with the MDM will be your first point of reference. Any settings defined in the profile will be enforced on the device, and built-in-protection default settings won't override these applied settings. |
| Temporarily disable tamper protection on a device for troubleshooting purposes | See the following articles: - Get started with troubleshooting mode in Microsoft Defender for Endpoint - Troubleshooting mode scenarios in Microsoft Defender for Endpoint |
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for