Frequently asked questions (FAQs) about tamper protection

What are the device requirements for tamper protection to reach devices when tamper protection is enabled in the Microsoft Defender portal?

Devices must meet all of the following requirements:

To manage tamper protection in the Microsoft Defender portal (https://security.microsoft.com), you must have appropriate permissions assigned through roles, such as Security Administrator. (See Microsoft Defender XDR role-based access control (RBAC).)

On which versions of Windows can I configure tamper protection?

If you're using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022. See Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview).

Does tamper protection affect non-Microsoft Antivirus registration in the Windows Security app?

No. Non-Microsoft Antivirus offerings continue to register with the Windows Security application.

What happens if Microsoft Defender Antivirus isn't active on a device?

If non-Microsoft antivirus/antimalware software is installed on a device, when that device is onboarded to Microsoft Defender for Endpoint, Microsoft Defender Antivirus runs in passive mode by default. Tamper protection protects the service and its features.

If/when non-Microsoft antivirus/antimalware software is uninstalled, Microsoft Defender Antivirus switches to active mode automatically. Tamper protection continues to protect the service and its features.

How do I turn tamper protection on or off?

We recommend using Microsoft Intune to manage Microsoft Defender Antivirus settings for your organization. With Intune, you can control where tamper protection is enabled (or disabled) through policies. You can also protect Microsoft Defender Antivirus exclusions. See Tamper protection: Microsoft Defender Antivirus exclusions.

You can also use the Microsoft Defender portal or Configuration Manager.

If you're a home user, see Manage tamper protection on an individual device.

Tamper protection is part of built-in protection, and should be enabled.

Does tamper protection apply to Microsoft Defender Antivirus exclusions?

Yes. To protect Microsoft Defender Antivirus exclusions on devices, certain conditions must be met. For example, you must use Intune only or Configuration Manager only to manage devices, and you must have Sense enabled. See Protect Microsoft Defender Antivirus exclusions.

How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus with Group Policy?

If you're currently using Intune to configure and manage tamper protection, you should continue using Intune. When tamper protection is turned on and you use Group Policy to make changes to Microsoft Defender Antivirus settings, any settings that are protected by tamper protection are ignored.

  • If you must make changes to a device and those changes are blocked by tamper protection, you can use troubleshooting mode to temporarily disable tamper protection on the device. After troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
  • You can use Intune or Configuration Manager to exclude devices from tamper protection.
  • If you're managing tamper protection through Intune and certain other conditions are met, you can manage tamper-protected antivirus exclusions.

If we use Microsoft Intune to configure tamper protection, does it apply only to the entire organization?

If you're using Intune to configure and manage tamper protection, you don't necessarily have to apply tamper protection to your entire organization. With Intune, you can choose to apply tamper protection to your entire organization, or you can select specific devices or user groups to receive tamper protection. You can also exclude specific devices from tamper protection.

What settings can't be changed when tamper protection is turned on?

When tamper protection is turned on, the following security settings are protected from being changed:

  • Virus and threat protection remains enabled.
  • Real-time protection remains turned on.
  • Behavior monitoring remains turned on.
  • Antivirus protection, including IOfficeAntivirus (IOAV) remains enabled.
  • Cloud protection remains enabled.
  • Security intelligence updates continue to occur.
  • Automatic actions are taken on detected threats.
  • Notifications are visible in the Windows Security app on Windows devices.
  • Archived files are scanned.

For more information, see What happens when tamper protection is turned on?

If tamper protection is turned on in Microsoft Defender XDR, can settings in Intune or Configuration Manager override it?

When tamper protection is turned on in the Microsoft Defender portal (https://security.microsoft.com), tamper protection is turned on, tenant wide. However, policies defined in Intune or Configuration Manager can override settings in the Microsoft Defender portal. For example, you can define a policy in Intune or Configuration Manager that excludes certain devices from tamper protection.

How do I deploy DisableLocalAdminMerge?

Use Intune to deploy DisableLocalAdminMerge.

How can I confirm whether exclusions are tamper protected on a Windows device?

If tamper protection is turned on for exclusions, do I need to disable it to apply new exclusions policy settings from Intune or Configuration Manager?

No. When tamper protection for exclusions is enabled, you do not need to disable it to apply new exclusions.

Can I configure tamper protection with Configuration Manager?

Yes. Similar to using Intune, you can apply tamper protection to your whole organization, or to specific users and devices. For more information, see the following resources:

I'm an enterprise customer. Can local admins change tamper protection on their devices?

In general, tamper protection helps protect against users being able to change security settings directly on devices. Tamper protection is part of anti-tampering capabilities that include standard protection attack surface reduction rules. To further prevent malware from running in kernel, consider using driver block rules with Application Control for Windows.

What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state?

If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.

If the status of tamper protection changes, are alerts shown in the Microsoft Defender portal?

Alerts should be listed in the Microsoft Defender portal under Alerts. Your security operations team can also use hunting queries, such as the following example:

AlertInfo|where Title == "Tamper Protection bypass"

What are all the options for configuring the tamper protection?

You can use any of the following methods to configure tamper protection:

  • The Microsoft Defender portal (turn tamper protection on or off, tenant wide)
  • Intune (turn tamper protection on or off, and/or configure tamper protection for some or all users)
  • Configuration Manager (with tenant attach, you can configure tamper protection for some or all devices by using the Windows Security experience profile).
  • Windows Security app (for an individual device used at home or in situations where a security team doesn't manage your device)

Note

We recommend keeping tamper protection turned on for your whole organization. If tamper protection prevents your IT or security team from performing a necessary task on a device, consider using troubleshooting mode instead of disabling tamper protection.