Windows 10 - Defender with GPO and Tamper-Protection
Dear all,
We are using the LTSC version of Windows 10 1809 in our company. Among other things, we have configured Windows Defender so that users cannot disable real-time protection, i.e. the GPO "Microsoft Defender AntiVirus" -> "Real-time protection" -> "Disable real-time protection" is set to "Disabled".
With Windows LTSC 1809 everything works fine.
Now we have some clients with Windows 10 21H2 in use. The same Defender GPO is applied on the clients (I have checked this). With 21H2, tamper protection is turned on by default (we did not configure it). This causes the above GPO to stop working, i.e. users can disable real-time protection. It looks like this:
If a user deactivates real-time protection, it is reactivated automatically by tamper protection after a few minutes or after a reboot. This is nice but still problematic, because there seems to be a (security) hole here: real-time protection is disabled for that period (we have also checked this).
If I now deactivate tamper protection (via mouse click; otherwise it is not possible), the GPO seems to take effect immediately and real-time protection can no longer be deactivated. It then looks like this:
Unfortunately, you cannot disable tamper protection without Intune or MDM so that the GPO always takes effect. I don't want to disable tamper protection either. I basically just want to configure it so that employees can never disable real-time protection (via the UI or e.g. via PowerShell and so on), no matter what state tamper protection is in.
From my point of view this looks like a security gap in the way it is currently designed by MS, because I as admin cannot specify that real-time protection can never be deactivated. Or did I miss something here? How do you solve this problem?
Best regards
Rainer
2 answers
Andrew Blumhardt 9,776 Reputation points Microsoft Employee
2022-10-06T13:51:31.197+00:00
I recommend turning off Tamper Protection temporarily to let any GPO changes fully distribute. My understanding is that TP tells the agent to ignore any new policy-based changes, the idea being that a compromised domain would allow a GPO to disable MDAV. It sounds like you have some GPO settings that were not fully distributed before tamper protection was enabled.
Limitless Technology 39,516 Reputation points
2022-10-07T14:28:37.537+00:00
Hi,
Thank you for posting your query.
Kindly follow the steps provided below to resolve your issue.
During some kinds of cyber-attacks, bad actors try to disable security features, such as antivirus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring. With tamper protection, malicious apps are prevented from taking actions such as:
Disabling virus and threat protection
Disabling real-time protection
Turning off behavior monitoring
Disabling antivirus protection, such as IOfficeAntivirus (IOAV)
Disabling cloud-delivered protection
Removing security intelligence updates
Disabling automatic actions on detected threats
Suppressing notifications in the Windows Security app
Disabling scanning of archives and network files
Go to this link for your reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide
Do not hesitate to message us if you need further assistance.
--------------------------------------------------------------------------------------------------------------------------------------------
If the answer is helpful kindly click "Accept as Answer" and upvote it. Thanks.
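A check that goes with the question and both answers above: on an affected 21H2 client it shows which control is actually in effect (the policy value the GPO writes, the effective Defender preference, and the tamper protection state) and lists recent Defender events where real-time protection was turned off or tamper protection blocked a change. This is an added example, not code from the thread or from Microsoft; it assumes the Defender PowerShell module is present and an elevated prompt, and the two event IDs are taken from memory of the Defender event reference, so verify them against the current documentation.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the client.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Policy value written by the "real-time protection" GPO into the policy hive.
# When the GPO is in effect this value is present (1 = turned off, 0 = forced on).
$policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$policyValue = (Get-ItemProperty -Path $policyPath -Name DisableRealtimeMonitoring `
                -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
$policyText  = if ($null -eq $policyValue) { 'not set' } else { $policyValue }

[pscustomobject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled   # what is running now
    IsTamperProtected         = $status.IsTamperProtected           # tamper protection state
    PreferenceDisableRTM      = $pref.DisableRealtimeMonitoring     # effective local preference
    PolicyDisableRTM          = $policyText                         # value from the GPO, if any
}

# Assumed event IDs (check against the Defender event reference):
#   5001 = real-time protection disabled, 5013 = tamper protection blocked a change.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5013
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

If PolicyDisableRTM shows "not set" on a 21H2 client while the same GPO is applied elsewhere, the policy has not reached that machine, which matches the first answer's suggestion that the GPO changes were not fully distributed.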