Edit

Protect security settings with tamper protection

  • Article

Applies to:

Platforms

What is tamper protection?

Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities.

Tamper protection is part of anti-tampering capabilities that include standard protection attack surface reduction rules. Tamper protection is an important part of built-in protection.

What happens when tamper protection is turned on?

When tamper protection is turned on, tamper-protected settings can't be changed.

  • Virus and threat protection is enabled.
  • Real-time protection is turned on.
  • Behavior monitoring is turned on.
  • Antivirus protection, including IOfficeAntivirus (IOAV) is enabled.
  • Cloud protection is enabled.
  • Security intelligence updates occur.
  • Automatic actions are taken on detected threats.
  • Notifications are visible in the Windows Security app on Windows devices.
  • Archived files are scanned.

As of signature release 1.383.1159.0, due to confusion around the default value for "Allow Scanning Network Files", tamper protection no longer locks this setting to its default value. In managed environments, the default value is enabled.

Important

When tamper protection is turned on, tamper-protected settings cannot be changed. To avoid breaking management experiences, including Intune and Configuration Manager, keep in mind that changes made to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. Depending on your particular scenario, you have several options available:

  • If you must make changes to a device and those changes are blocked by tamper protection, you can use troubleshooting mode to temporarily disable tamper protection on the device.
  • You can use Intune or Configuration Manager to exclude devices from tamper protection.

Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how non-Microsoft antivirus apps register with the Windows Security app. If your organization is using Defender for Endpoint, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team. For more information, see How do I configure or manage tamper protection?

On what devices can tamper protection be enabled?

Tamper protection is available for devices that are running one of the following versions of Windows:

  • Windows 10 and 11 (including Enterprise multi-session)
  • Windows Server 2022, Windows Server 2019, and Windows Server, version 1803 or later
  • Windows Server 2016 and Windows Server 2012 R2 (using the modern, unified solution)

Tamper protection is also available for Mac, although it works a little differently than on Windows. For more information, see Protect macOS security settings with tamper protection.

Tip

Built-in protection includes turning tamper protection on by default. For more information, see:

Are you using Windows Server 2012 R2, 2016, or Windows version 1709, 1803, or 1809?

If you're using Windows Server 2012 R2 using the modern unified solution, Windows Server 2016, Windows 10 version 1709, 1803, or 1809, you won't see Tamper Protection in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.

Important

On Windows Server 2016, the Settings app won't accurately reflect the status of real-time protection when tamper protection is enabled.

Use PowerShell to determine whether tamper protection and real-time protection are turned on

  1. Open the Windows PowerShell app.

  2. Use the Get-MpComputerStatus PowerShell cmdlet.

  3. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)

How do I configure or manage tamper protection?

You can use Microsoft Intune and other methods to configure or manage tamper protection, as listed in the following table:

Method What you can do
Use the Microsoft 365 Defender portal. Turn tamper protection on (or off), tenant wide. This method won't override settings that are managed in Microsoft Intune or Configuration Manager with tenant attach.

See Manage tamper protection for your organization using Microsoft 365 Defender.
Use the Microsoft Intune admin center. Turn tamper protection on (or off), tenant wide, for some or all devices. Using this method, you can also tamper protect antivirus exclusions that are defined for Microsoft Defender Antivirus.

See Manage tamper protection for your organization using Intune.
Use Configuration Manager. Turn tamper protection on (or off) for some or all devices by using Configuration Manager with tenant attach. This method won't override settings managed in Intune.

See Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006.
Use the Windows Security app. Turn tamper protection on (or off) on an individual device that isn't managed by a security team (such as devices for home use). This method won't override tamper protection settings that are managed by the Microsoft 365 Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by organizations.

See Manage tamper protection on an individual device.

Tip

If you're using Group Policy to manage Microsoft Defender Antivirus settings, keep in mind that any changes made to tamper-protected settings are ignored. If you must make changes to a device and those changes are blocked by tamper protection, we recommend using troubleshooting mode to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.

What about exclusions?

Under certain conditions, tamper protection can now protect antivirus exclusions that are defined for Microsoft Defender Antivirus. For more information, see Tamper protection for exclusions.

View information about tampering attempts

Tampering attempts typically indicate that a larger cyberattack has taken place. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.

Whenever a tampering attempt is detected, an alert is raised in the Microsoft 365 Defender portal (https://security.microsoft.com).

Using endpoint detection and response and advanced hunting capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.

Review your security recommendations

Tamper protection integrates with Microsoft Defender Vulnerability Management capabilities. Security recommendations include making sure tamper protection is turned on. For example, in your Vulnerability Management dashboard, you can search on tamper. In the results, you can select Turn on Tamper Protection to learn more and turn it on.

To learn more about Microsoft Defender Vulnerability Management, see Dashboard insights - Defender Vulnerability Management.

See also