Protect security settings with tamper protection
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
Platforms
- Windows
- macOS
Tamper protection is available for devices that are running one of the following versions of Windows:
- Windows 10 and 11 (including Enterprise multi-session)
- Windows Server 2022, Windows Server 2019, and Windows Server, version 1803 or later
- Windows Server 2016 and Windows Server 2012 R2 (using the modern, unified solution)
Tamper protection is also available for Mac. See Protect macOS security settings with tamper protection.
Overview
During some kinds of cyber attacks, bad actors try to disable security features, such as antivirus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring. With tamper protection, malicious apps are prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus protection, such as IOfficeAntivirus (IOAV)
- Disabling cloud-delivered protection
- Removing security intelligence updates
- Disabling automatic actions on detected threats
- Suppressing notifications in the Windows Security app
- Disabling scanning of archives and network files
Important
Built-in protection includes turning tamper protection on by default. To learn more about built-in protection, see:
- Built-in protection helps guard against ransomware (article)
- Tamper protection will be turned on for all enterprise customers (Tech Community blog post)
Tamper protection is part of anti-tampering capabilities that include standard protection attack surface reduction rules.
If you're using Microsoft Intune to manage Defender for Endpoint settings, we recommend setting DisableLocalAdminMerge to true on devices and deploying that setting by using Intune.
When tamper protection is turned on, tamper protected settings cannot be changed from their default value. Changes might appear to be successful in Intune, but will not actually be allowed by tamper protection. For the most current list of tamper protected settings, contact support.
How tamper protection works
Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed through apps and methods such as:
- Configuring settings in Registry Editor on your Windows device
- Changing settings through PowerShell cmdlets on your device
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how non-Microsoft antivirus apps register with the Windows Security app. If your organization is using Defender for Endpoint, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team.
Tamper protection and cloud protection
Depending on the method or management tool you use to enable tamper protection, there might be a dependency on cloud-delivered protection. Cloud-delivered protection is also referred to as cloud protection, or Microsoft Advanced Protection Service (MAPS). The following table summarizes whether there's a dependency on cloud protection.
How tamper protection is enabled | Dependency on cloud protection?
---|---
Microsoft Intune | No
Microsoft Endpoint Configuration Manager with Tenant Attach | No
Microsoft 365 Defender portal (https://security.microsoft.com) | Yes
Methods to configure tamper protection
The following table lists the various methods you can use to configure tamper protection:
To perform this task... | See this content...
---|---
Manage tamper protection across your tenant. Use the Microsoft 365 Defender portal to turn tamper protection on or off. | Manage tamper protection for your organization using Microsoft 365 Defender
Fine-tune tamper protection settings in your organization. Use Microsoft Intune to turn tamper protection on or off. You can configure tamper protection for some or all users with this method. | Manage tamper protection for your organization using Intune
Protect Microsoft Defender Antivirus exclusions | What about exclusions? and How to determine whether the functionality to protect exclusions is enabled on a Windows device
Turn tamper protection on (or off) for your organization by using Configuration Manager | Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006
Turn tamper protection on (or off) for an individual device (for home users or devices that aren't managed by a security team) | Manage tamper protection on an individual device
View details about tampering attempts on devices | View information about tampering attempts in Microsoft 365 Defender
Review your security recommendations | Review security recommendations
Review the list of frequently asked questions (FAQs) | Browse the FAQs
What about exclusions?
If your organization has exclusions defined for Microsoft Defender Antivirus, tamper protection will protect those exclusions, provided all of the following conditions are met:
- DisableLocalAdminMerge is enabled. (See DisableLocalAdminMerge.)
- Microsoft Defender Antivirus exclusions are managed in Microsoft Intune. (See Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices.)
- Tamper protection is deployed and managed by using Intune. (See Manage tamper protection for your organization using Microsoft Intune.)
- Devices are running Windows Defender platform 4.18.2111.* or later. (See Monthly platform and engine versions.)
- Functionality to protect exclusions is enabled on devices. (See How to determine whether the functionality is enabled on a Windows device.)
Tip
For more detailed information about exclusions, see Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
How to determine whether the functionality to protect exclusions is enabled on a Windows device
You can use a registry key to determine whether the functionality to protect Microsoft Defender Antivirus exclusions is enabled.
1. On a Windows device, open Registry Editor. (Read-only mode is fine; you won't be editing the registry key.)
2. Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features (or HKLM\SOFTWARE\Microsoft\Windows Defender\Features), and look for a REG_DWORD entry called TPExclusions.
   - If TPExclusions has a value of 1, then all required conditions are met, and the new functionality to protect exclusions is enabled on the device. In this case, exclusions are tamper protected.
   - If TPExclusions has a value of 0, then tamper protection isn't currently protecting exclusions on the device.
Caution
Do not change the value of TPExclusions. Use the preceding procedure for information only. Changing the key will have no effect on whether tamper protection applies to exclusions.
Are you using Windows Server 2012 R2, 2016, or Windows version 1709, 1803, or 1809?
If you're using Windows Server 2012 R2 (with the modern unified solution), Windows Server 2016, or Windows 10 version 1709, 1803, or 1809, you won't see Tamper Protection in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.
Important
On Windows Server 2016, the Settings app won't accurately reflect the status of real-time protection when tamper protection is enabled.
Use PowerShell to determine whether tamper protection and real-time protection are turned on
1. Open the Windows PowerShell app.
2. Use the Get-MpComputerStatus PowerShell cmdlet.
3. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)
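The following script is an added example, not part of the Microsoft documentation, that combines the two read-only checks described above (the Get-MpComputerStatus properties and the TPExclusions registry value) into one status object suitable for collecting across many devices. The function name and output fields are my own; AMProductVersion is the Get-MpComputerStatus property that reports the platform version.

```powershell
# Added example: report tamper protection, real-time protection and exclusion
# protection status on the local Windows device. Read-only; nothing is changed.
function Get-TamperProtectionStatus {
    [CmdletBinding()]
    param()

    # Get-MpComputerStatus exposes IsTamperProtected and RealTimeProtectionEnabled.
    $mp = Get-MpComputerStatus

    # TPExclusions lives under the Features key (1 = exclusions are tamper protected,
    # 0 = not protected, absent = platform does not expose the value).
    $featuresPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $tpExclusions = (Get-ItemProperty -Path $featuresPath -Name 'TPExclusions' `
                        -ErrorAction SilentlyContinue).TPExclusions

    # Exclusion protection requires platform 4.18.2111.* or later.
    $platform   = [version]$mp.AMProductVersion
    $platformOk = $platform -ge [version]'4.18.2111.0'

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        PlatformVersion           = $mp.AMProductVersion
        PlatformSupportsTPExcl    = $platformOk
        IsTamperProtected         = [bool]$mp.IsTamperProtected
        RealTimeProtectionEnabled = [bool]$mp.RealTimeProtectionEnabled
        TPExclusions              = if ($null -eq $tpExclusions) { 'not present' } else { $tpExclusions }
        ExclusionsProtected       = ($tpExclusions -eq 1)
    }
}

# Usage: print the status and flag a device where tamper protection is off,
# which is the condition a security team would want to investigate.
$status = Get-TamperProtectionStatus
$status | Format-List
if (-not $status.IsTamperProtected) {
    Write-Warning "Tamper protection is OFF on $($status.ComputerName); verify the Intune or Microsoft 365 Defender setting."
}
```

To gather the same object from managed servers, wrap the function in Invoke-Command against the target computers and export the results to CSV for comparison with your Intune assignments.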
View information about tampering attempts
Tampering attempts typically indicate that a larger cyberattack has taken place. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
Whenever a tampering attempt is detected, an alert is raised in the Microsoft 365 Defender portal (https://security.microsoft.com).
Using endpoint detection and response and advanced hunting capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
Review your security recommendations
Tamper protection integrates with Microsoft Defender Vulnerability Management capabilities. Security recommendations include making sure tamper protection is turned on. For example, you can search on tamper. In the results, you can select Turn on Tamper Protection to learn more and turn it on.
To learn more about Microsoft Defender Vulnerability Management, see Dashboard insights - Defender Vulnerability Management.
Tip
If you're looking for antivirus-related information for other platforms, see:
See also
- Built-in protection helps guard against ransomware
- Help secure Windows PCs with Endpoint Protection for Microsoft Intune
- Get an overview of Microsoft Defender for Endpoint
- Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint
- Enable troubleshooting mode
- Troubleshooting mode scenarios