Windows 10 - Defender with GPO and Tamper-Protection

Rainer Döpke 1 Reputation point
2022-10-06T13:37:55.263+00:00

Dear all,

we are using the LTSC version of Windows 10 1809 in our company. Among other things, we have configured Windows Defender so that users cannot disable real-time protection, i.e. the GPO "Microsoft Defender AntiVirus" -> "Real-time protection" -> "Disable real-time protection" is set to "Disabled".

With Windows LTSC 1809 everything works fine.

Now we have some clients with Windows 10 21H2 in use. The same Defender GPO is applied on these clients (I have checked this). With 21H2, tamper protection is turned on by default (we didn't configure it). This causes the above GPO to stop working, i.e. users can disable real-time protection. It looks like this:

[screenshot: 248040-image.png]

If a user deactivates real-time protection, it is reactivated automatically by tamper protection after a few minutes or after a reboot. This is nice but still problematic, because there seems to be a (security) hole here: real-time protection is disabled for that period (we have verified this as well).

If I now deactivate tamper protection (via mouse click, otherwise it is not possible), then the GPO seems to take effect immediately and real-time protection can no longer be deactivated. It then looks like this:

[screenshot: 248103-1.jpg]

Unfortunately, you cannot disable tamper protection without Intune/MDM so that the GPO always takes effect. I don't want to disable tamper protection either. I basically just want to configure it so that employees can never disable real-time protection (via the UI, PowerShell, etc.), no matter what state tamper protection is in.

From my point of view this looks like a security gap as it is currently designed by MS, because I as admin cannot specify that real-time protection can never be deactivated. Or did I miss something here? How do you solve this problem?

Best regards

Rainer
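To check a client for the state described in the question (GPO applied, tamper protection on, but real-time protection currently off), the following audit script is an added example and not part of the original post; it assumes the GPO writes the `DisableRealtimeMonitoring` policy value under the registry path shown and that the Defender operational log records event 5001 when real-time protection is turned off.

```powershell
# Added audit script (not from the original post). Run in an elevated PowerShell.
# Assumption: the "Disable real-time protection" GPO writes the value below; confirm on your own image.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$policyValue = 'DisableRealtimeMonitoring'

function Get-DefenderRtpPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $policy = $null
    if (Test-Path $policyKey) {
        $policy = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).$policyValue
    }
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        TamperProtected      = $status.IsTamperProtected
        RealTimeProtectionOn = $status.RealTimeProtectionEnabled
        PolicyDisableRtp     = $policy   # 0 = GPO set to "Disabled", 1 = enabled, $null = policy not applied
        PreferenceDisableRtp = $pref.DisableRealtimeMonitoring
    }
}

# Event 5001 in the Defender operational log is written when real-time protection is disabled;
# the gap between 5001 and the next re-enable is the unprotected window the question describes.
function Get-RtpDisabledEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

$posture = Get-DefenderRtpPosture
$posture | Format-List

if ($posture.TamperProtected -and -not $posture.RealTimeProtectionOn) {
    Write-Warning 'Tamper Protection is on but real-time protection is currently off (the window described above).'
}
if ($posture.PolicyDisableRtp -ne 0) {
    Write-Warning 'Real-time protection policy value is not 0; the GPO may not have applied to this client.'
}

Get-RtpDisabledEvents | Format-Table -AutoSize
```

Running it from a remote session or a scheduled task on each 21H2 client turns the manual "checked by us" verification into something that can be collected fleet-wide.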


2 answers

  1. Andrew Blumhardt 9,776 Reputation points Microsoft Employee
    2022-10-06T13:51:31.197+00:00

    I recommend turning off Tamper Protection temporarily to let any GPO changes fully distribute. My understanding is that TP tells the agent to ignore any new policy-based changes. The idea being that a compromised domain would allow a GPO to disable MDAV. It sounds like you have some GPO settings that were not fully distributed before tamper protection was enabled.


  2. Limitless Technology 39,511 Reputation points
    2022-10-07T14:28:37.537+00:00

    Hi,

    Thank you for posting your query.

    Kindly follow the steps provided below to resolve your issue.

    During some kinds of cyber-attacks, bad actors try to disable security features, such as antivirus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring. With tamper protection, malicious apps are prevented from taking actions such as:

    Disabling virus and threat protection
    Disabling real-time protection
    Turning off behavior monitoring
    Disabling antivirus protection, such as IOfficeAntivirus (IOAV)
    Disabling cloud-delivered protection
    Removing security intelligence updates
    Disabling automatic actions on detected threats
    Suppressing notifications in the Windows Security app
    Disabling scanning of archives and network files

    Go to this link for your reference https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide

    Do not hesitate to message us if you need further assistance.
