This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 30%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERD%3C/text%3E%3C/svg%3E)
Dear all,
we are using LTSC version with Windows 10 1809 in our company. Among other things, we have configured Windows Defender so that users cannot disable the real-time protection, i.e. the GPO "Microsoft Defender AntiVirus" -> "Real-time protection" -> "Disable real-time protection" is set to "Disabled".
With Windows LTSC 1809 everything works fine.
Now we have some clients with Windows 10 21H2 in use. Same Defender GPO is applied on the clients (is checked by me). With 21H2, tamper protection is turned on by default (we didn't configure it). This causes the above GPO stop working, i.e. users can disable real-time protection. This looks like this:
If a user deactivates the realtime protection it will be reactivated automatically by the tamper protection after a few minutes or after a reboot. This is nice but still problematic, because there seems to be a (security) hole here, because the realtime protection is disabled for the period (is also checked by us).
If I now deactivate the tamper protection (via mouse click - otherwise it is not possible) then the GPO seems to take effect immediately and the real-time protection can no longer be deactivated. It then looks like this:
Unfortunately, you can not disable tamper protection without Intune, MDM, so that the GPO always takes effect. I don't want to disable the tamper protection either. I basically just want to configure it that employees can never disable real-time protection (via UI or e.g. via Powershell aso), no matter what state the tamper protection has.
From my point of view this looks like a security gap as it is currently designed by MS, because I'we as admin can not specify that the real-time protection can never not be deactivated. Or did I miss something here? How do you solve this problem?
Best regards
Rainer
I recommend turning off Tamper Protection temporarily to let any GPO changes fully distribute. My understanding is that TP tells the agent to ignore any new policy-based changes. The idea being that a compromised domain would allow a GPO to disable MDAV. It sounds like you have some GPO settings that were not fully distributed before tamper protection was enabled.
Hi Andrew,
I disabled the tamper protection and did a "gpudate /force". The result is the same - that means: The user can disable the realtime protection while the tamper protection is active.
Best regards
Rainer
Changes made to Microsoft Defender Antivirus settings using Group Policy are ignored when tamper protection is turned on. It could be something is not configured as expected or no reaching the endpoint. Consider opening a support case if needed.
Verify locally:
Get-MpComputerStatus PowerShell cmdlet.
In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)
Also, look in the device timeline in the portal to see it AV setting changes are being recorded.
Also, look in the local Windows Security app under Virus & Threat Protection for status.
Hi Andrew,
Get-MpComputerStatus returns the following:
IsTamperProtected : True
RealTimeProtectionEnabled : True
When I disable RealTimeScan in the UI:
IsTamperProtected : True
RealTimeProtectionEnabled : False
I cannot look in the device timeline because we are using Defender locally.
In the Windows Security App - Virus and Threat Protection shows what Get-MpComputerStatus show. RealTimeProtection is disabled and TamperProtection is enabled.
Best regards
Rainer
Hi,
Thank you for posting your query.
Kindly follow the steps provided below to resolve your issue.
During some kinds of cyber-attacks, bad actors try to disable security features, such as antivirus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring. With tamper protection, malicious apps are prevented from taking actions such as:
Disabling virus and threat protection
Disabling real-time protection
Turning off behavior monitoring
Disabling antivirus protection, such as IOfficeAntivirus (IOAV)
Disabling cloud-delivered protection
Removing security intelligence updates
Disabling automatic actions on detected threats
Suppressing notifications in the Windows Security app
Disabling scanning of archives and network files
Go to this link for your reference https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide
Do not hesitate to message us if you need further assistance.
--------------------------------------------------------------------------------------------------------------------------------------------
If the answer is helpful kindly click "Accept as Answer" and upvote it. Thanks.
Hi,
that you for this information but they doesn't help me to solve this detailed problem. In my opinion this is a security gap.
Best regards
Rainer
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 62%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
How is copying and pasting, word for word, the content of a learn.microsoft.com link adding to this question in any way?