Built-in protection helps guard against ransomware

Microsoft Defender for Endpoint helps prevent, detect, investigate, and respond to advanced threats, such as ransomware attacks. Next-generation protection and attack surface reduction capabilities in Defender for Endpoint were designed to catch emerging threats, but they deliver their best protection against ransomware and other cyberthreats only when certain settings are configured. Built-in protection helps by applying default settings that provide better protection without requiring you to configure them yourself.

Tip

You don't have to wait for built-in protection to come to you! You can protect your organization's devices now by configuring these capabilities:

What is built-in protection, and how does it work?

Built-in protection is a set of default settings that are rolling out to help ensure your devices are protected. These default settings are designed to protect devices from ransomware and other threats. Initially, built-in protection will include turning tamper protection on for your tenant, with other default settings coming soon. For more information, see the Tech Community blog post, Tamper protection will be turned on for all enterprise customers.

Phase: Built-in protection is rolling out
What happens: Customers receive a notification that built-in protection is coming. If it isn't already configured, tamper protection will be turned on for customers who have Defender for Endpoint Plan 2 or Microsoft 365 E5.

Phase: Built-in protection becomes available for your tenant
What happens: You'll be notified that your tenant is about to receive built-in protection and when tamper protection will be turned on (if it isn't already configured).

Phase: Built-in protection arrives
What happens: Tamper protection is turned on for your tenant and applied to your organization's Windows devices. You can opt out or change your built-in protection settings.

Phase: After built-in protection has arrived
What happens: Whenever new Windows devices are onboarded to Defender for Endpoint, built-in protection settings are applied to them. You can always change your built-in protection settings.

Note

Built-in protection sets default values for Windows devices. If endpoint security settings change, such as through baselines or policies in Microsoft Endpoint Manager, those settings override the built-in protection settings.

What does the notification look like?

You can expect to receive two types of notifications:

  • A message center post indicating that built-in protection is coming soon; and

  • A banner in the Microsoft 365 Defender portal that resembles the following image:

    Screenshot showing yellow banner highlighting built in protection in Microsoft 365 Defender portal.

Your notification will tell you when built-in protection is coming and when tamper protection will be turned on (if it's not already configured) for your tenant.

Can I opt out?

You can opt out of built-in protection by specifying your own security settings. For example, if you prefer to not have tamper protection turned on automatically for your tenant, you can explicitly opt out.

Note

We do not recommend turning tamper protection off. Tamper protection blocks attempts by malicious apps, or by an attacker who has gained local administrator rights, to turn off real-time protection, disable cloud-delivered protection, or otherwise weaken Microsoft Defender Antivirus, which is a routine step in ransomware attacks. You must be a global administrator or security administrator to perform the following procedure.

  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.

  2. Go to Settings > Endpoints > Advanced features.

  3. Set Tamper protection to On (if it's not already on), and then select Save preferences. Don't leave this page yet.

  4. Set Tamper protection to Off, and then select Save preferences. Toggling the setting On and then Off records an explicit tenant setting; built-in protection only turns tamper protection on where the setting has not already been configured.

Can I change built-in protection settings?

Built-in protection is a set of default settings. You aren't required to keep these default settings in place. You can always change your settings to suit your business needs. The following table lists tasks your security team might perform, along with links to learn more.

Task: Determine whether tamper protection is turned on
  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.
  2. Go to Settings > Endpoints > Advanced features > Tamper protection.

Task: Manage tamper protection tenant wide using the Microsoft 365 Defender portal
  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.
  2. Go to Settings > Endpoints > Advanced features.
  3. Set Tamper protection to On (recommended) or Off.
  4. Select Save preferences.

  See Manage tamper protection for your organization using Microsoft 365 Defender portal.

Task: Set tamper protection settings for some, but not all, devices
  Use endpoint security policies and profiles that are applied to specific devices. See the following articles:
  - Manage tamper protection using Microsoft Endpoint Manager
  - Manage tamper protection using tenant attach with Configuration Manager, version 2006

Task: Turn tamper protection on or off on an individual device
  1. On your Windows device, select Start, and start typing Security.
  2. In the search results, select Windows Security.
  3. Select Virus & threat protection > Virus & threat protection settings.
  4. Set Tamper Protection to On (recommended) or Off.

  If the device is onboarded to Defender for Endpoint, or is managed in the Microsoft Endpoint Manager admin center, the tenant-wide or policy setting overrides whatever a user sets locally on the device.

  See Manage tamper protection on an individual device.

Task: Temporarily disable tamper protection on a device for troubleshooting purposes
  See the following articles:
  - Get started with troubleshooting mode in Microsoft Defender for Endpoint
  - Troubleshooting mode scenarios in Microsoft Defender for Endpoint
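The tasks above check or change tamper protection through the portal or the Windows Security app. When verifying that built-in protection, an Intune policy, or a local change actually took effect on a given device, it is often quicker to read the state from the device itself. The following PowerShell function is an added example, not code from the Microsoft article: it reports whether tamper protection is on, which management channel set it, and whether the device is onboarded to Defender for Endpoint, so you can tell a built-in-protection default apart from a Microsoft Endpoint Manager override. It assumes the Defender PowerShell module (Get-MpComputerStatus) is present, and it treats the registry value meanings (TamperProtection 5 = on, 4 = off; OnboardingState 1 = onboarded) as documented by Microsoft, which is an assumption you should confirm against your own Defender build.

```powershell
# Added example (not from the Microsoft article). Run in an elevated PowerShell session
# on a Windows device running Microsoft Defender Antivirus.
# Assumptions (confirm against your Defender build):
#   HKLM:\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection  5 = on, 4 = off
#   HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\OnboardingState  1 = onboarded
function Get-TamperProtectionState {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName           = $env:COMPUTERNAME
        IsTamperProtected      = $null
        TamperProtectionSource = $null   # which channel last set it, e.g. Intune, ATP (Defender for Endpoint), UI
        RegistryValue          = $null
        OnboardedToMDE         = $false
        Verdict                = $null
    }

    # Preferred source: the Defender cmdlet. Tamper protection is read-only here;
    # Set-MpPreference cannot change it, which is the point of the feature.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        $result.IsTamperProtected      = [bool]$status.IsTamperProtected
        $result.TamperProtectionSource = $status.TamperProtectionSource
    } catch {
        Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    # Cross-check (and fallback when the cmdlet is unavailable): the raw feature flag.
    $featureKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $regValue = (Get-ItemProperty -Path $featureKey -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection
    $result.RegistryValue = $regValue
    if ($null -eq $result.IsTamperProtected -and $null -ne $regValue) {
        $result.IsTamperProtected = ($regValue -eq 5)
    }

    # Onboarding state of the Defender for Endpoint sensor. Built-in protection applies
    # to onboarded Windows devices, so an onboarded device with tamper protection off
    # means either an explicit opt-out or an overriding policy, not a missing default.
    $mdeKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarding = (Get-ItemProperty -Path $mdeKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardedToMDE = ($onboarding -eq 1)

    $result.Verdict = if ($result.IsTamperProtected -eq $true) {
        "OK: tamper protection on (source: $($result.TamperProtectionSource))"
    } elseif ($result.OnboardedToMDE) {
        'REVIEW: onboarded to Defender for Endpoint but tamper protection is off; check tenant setting and Endpoint Manager policies'
    } else {
        'REVIEW: tamper protection off and device not onboarded; built-in protection does not apply here'
    }

    [pscustomobject]$result
}

# Usage: print the state for this device.
Get-TamperProtectionState | Format-List
```

Run it after built-in protection arrives, after changing the tenant-wide setting, or after assigning an Intune tamper protection profile, and compare TamperProtectionSource with what you expect: a value naming Intune on a device you thought was covered only by the tenant default is exactly the override described in the Note above. Because the function only reads state, it is safe to run across a fleet with your usual remoting or script-deployment tooling.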
