Protect security settings with tamper protection
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
- Microsoft Defender for Business
- Microsoft 365 Business Premium
Platforms
- Windows
- macOS
What is tamper protection?
Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities.
Tamper protection is part of anti-tampering capabilities that include standard protection attack surface reduction rules. Tamper protection is an important part of built-in protection.
What happens when tamper protection is turned on?
When tamper protection is turned on, tamper-protected settings can't be changed from their default values:
- Virus and threat protection is enabled.
- Real-time protection is turned on.
- Behavior monitoring is turned on.
- Antivirus protection, including IOfficeAntivirus (IOAV) is enabled.
- Cloud protection is enabled.
- Security intelligence updates occur.
- Automatic actions are taken on detected threats.
- Notifications are visible in the Windows Security app on Windows devices.
- Archived files are scanned.
Note
As of signature release 1.383.1159.0, due to confusion around the default value for "Allow Scanning Network Files", tamper protection no longer locks this setting to its default value. In managed environments, the default value is enabled.
Important
When tamper protection is turned on, the tamper-protected settings listed above cannot be changed from their default values. To avoid breaking management experiences, including Intune and Configuration Manager, keep in mind that changes made to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. You can use Intune and Configuration Manager to exclude devices from tamper protection. And, if you're managing tamper protection through Intune, you can change tamper-protected antivirus exclusions.
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how non-Microsoft antivirus apps register with the Windows Security app. If your organization is using Defender for Endpoint, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team. For more information, see How do I configure or manage tamper protection?
On what devices can tamper protection be enabled?
Tamper protection is available for devices that are running one of the following versions of Windows:
- Windows 10 and 11 (including Enterprise multi-session)
- Windows Server 2022, Windows Server 2019, and Windows Server, version 1803 or later
- Windows Server 2016 and Windows Server 2012 R2 (using the modern, unified solution)
Tamper protection is also available for Mac, although it works a little differently than on Windows. For more information, see Protect macOS security settings with tamper protection.
Tip
Built-in protection includes turning tamper protection on by default. For more information, see:
- Built-in protection helps guard against ransomware (article)
- Tamper protection will be turned on for all enterprise customers (Tech Community blog post)
Are you using Windows Server 2012 R2, 2016, or Windows version 1709, 1803, or 1809?
If you're using Windows Server 2012 R2 using the modern unified solution, Windows Server 2016, Windows 10 version 1709, 1803, or 1809, you won't see Tamper Protection in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.
Important
On Windows Server 2016, the Settings app won't accurately reflect the status of real-time protection when tamper protection is enabled.
Use PowerShell to determine whether tamper protection and real-time protection are turned on
Open the Windows PowerShell app.
Use the Get-MpComputerStatus PowerShell cmdlet.
In the list of results, look for
IsTamperProtectedorRealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)
How do I configure or manage tamper protection?
You can use Microsoft Intune and other methods to configure or manage tamper protection, as listed in the following table:
| Method | What you can do |
|---|---|
| The Microsoft 365 Defender portal | Turn tamper protection on (or off), tenant wide. This method won't override settings that are managed in Microsoft Intune or Configuration Manager with tenant attach. See Manage tamper protection for your organization using Microsoft 365 Defender. |
| The Microsoft Intune admin center | Turn tamper protection on (or off), tenant wide, for some or all devices. Using this method, you can also tamper protect antivirus exclusions that are defined for Microsoft Defender Antivirus. See Manage tamper protection for your organization using Intune. |
| Configuration Manager | Turn tamper protection on (or off) for some or all devices by using Configuration Manager with tenant attach. This method won't override settings managed in Intune. See Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006. |
| Windows Security app | Turn tamper protection on (or off) on an individual device that isn't managed by a security team (such as devices for home use). This method won't override tamper protection settings that are managed by the Microsoft 365 Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by organizations. See Manage tamper protection on an individual device. |
Tip
If you're using Group Policy to manage Microsoft Defender Antivirus settings, keep in mind that any changes made to tamper-protected settings will be ignored. We recommend using the Microsoft 365 Defender portal, Intune, or Configuration Manager to manage tamper protection.
What about exclusions?
Under certain conditions, tamper protection can now protect antivirus exclusions that are defined for Microsoft Defender Antivirus. For more information, see Tamper protection for exclusions.
View information about tampering attempts
Tampering attempts typically indicate that a larger cyberattack has taken place. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
Whenever a tampering attempt is detected, an alert is raised in the Microsoft 365 Defender portal (https://security.microsoft.com).
Using endpoint detection and response and advanced hunting capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
Review your security recommendations
Tamper protection integrates with Microsoft Defender Vulnerability Management capabilities. Security recommendations include making sure tamper protection is turned on. For example, in your Vulnerability Management dashboard, you can search on tamper. In the results, you can select Turn on Tamper Protection to learn more and turn it on.
To learn more about Microsoft Defender Vulnerability Management, see Dashboard insights - Defender Vulnerability Management.
See also
Feedback
Submit and view feedback for