Edit

Protect security settings with tamper protection

  • Article

Applies to:

Platforms

What is tamper protection?

Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities.

Tamper protection is part of anti-tampering capabilities that include standard protection attack surface reduction rules. Tamper protection is an important part of built-in protection.

What happens when tamper protection is turned on?

When tamper protection is turned on, these tamper-protected settings can't be changed:

  • Virus and threat protection remains enabled.
  • Real-time protection remains turned on.
  • Behavior monitoring remains turned on.
  • Antivirus protection, including IOfficeAntivirus (IOAV) remains enabled.
  • Cloud protection remains enabled.
  • Security intelligence updates occur.
  • Automatic actions are taken on detected threats.
  • Notifications are visible in the Windows Security app on Windows devices.
  • Archived files are scanned.
  • Exclusions cannot be modified or added

As of signature release 1.383.1159.0, due to confusion around the default value for "Allow Scanning Network Files", tamper protection no longer locks this setting to its default value. In managed environments, the default value is enabled.

Important

When tamper protection is turned on, tamper-protected settings cannot be changed. To avoid breaking management experiences, including Intune and Configuration Manager, keep in mind that changes made to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. Depending on your particular scenario, you have several options available:

  • If you must make changes to a device and those changes are blocked by tamper protection, you can use troubleshooting mode to temporarily disable tamper protection on the device.
  • You can use Intune or Configuration Manager to exclude devices from tamper protection.

Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how non-Microsoft antivirus apps register with the Windows Security app. If your organization is using Defender for Endpoint, individual users can't change the tamper protection setting; in those cases, your security team manages tamper protection. For more information, see How do I configure or manage tamper protection?

On what devices can tamper protection be enabled?

Tamper protection is available for devices that are running one of the following versions of Windows:

  • Windows 10 and 11 (including Enterprise multi-session)
  • Windows Server 2022, Windows Server 2019, and Windows Server, version 1803 or later
  • Windows Server 2016 and Windows Server 2012 R2 (using the modern, unified solution)

Tamper protection is also available for Mac, although it works a little differently than on Windows. For more information, see Protect macOS security settings with tamper protection.

Tip

Built-in protection includes turning tamper protection on by default. For more information, see:

Tamper protection on Windows Server 2012 R2, 2016, or Windows version 1709, 1803, or 1809

If you're using Windows Server 2012 R2 using the modern unified solution, Windows Server 2016, Windows 10 version 1709, 1803, or 1809, you don't see Tamper Protection in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.

Important

On Windows Server 2016, the Settings app doesn't accurately reflect the status of real-time protection when tamper protection is enabled.

Use PowerShell to determine whether tamper protection and real-time protection are turned on

  1. Open the Windows PowerShell app.

  2. Use the Get-MpComputerStatus PowerShell cmdlet.

  3. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)

How do I configure or manage tamper protection?

You can use Microsoft Intune and other methods to configure or manage tamper protection, as listed in the following table:

Method What you can do
Use the Microsoft Defender portal. Turn tamper protection on (or off), tenant wide. See Manage tamper protection for your organization using Microsoft Defender XDR.

This method doesn't override settings that are managed in Microsoft Intune or Configuration Manager.
Use the Microsoft Intune admin center or Configuration Manager. Turn tamper protection on (or off), tenant wide, or apply tamper protection to some users/devices. You can exclude certain devices from tamper protection. See Manage tamper protection for your organization using Intune.

Protect Microsoft Defender Antivirus exclusions from tampering if you're using Intune only or Configuration Manager only. See Tamper protection for antivirus exclusions.
Use Configuration Manager with tenant attach. Turn tamper protection on (or off), tenant wide, or apply tamper protection to some users/devices. You can exclude certain devices from tamper protection. See Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006.
Use the Windows Security app. Turn tamper protection on (or off) on an individual device that isn't managed by a security team (such as devices for home use). See Manage tamper protection on an individual device.

This method doesn't override tamper protection settings that are set in the Microsoft Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by organizations.

Tip

If you're using Group Policy to manage Microsoft Defender Antivirus settings, keep in mind that any changes made to tamper-protected settings are ignored. If you must make changes to a device and those changes are blocked by tamper protection, use troubleshooting mode to temporarily disable tamper protection on the device. After troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.

Protect Microsoft Defender Antivirus exclusions

Under certain conditions, tamper protection can protect exclusions that are defined for Microsoft Defender Antivirus. For more information, see Tamper protection for exclusions.

View information about tampering attempts

Tampering attempts typically indicate that a larger cyberattack has taken place. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.

Whenever a tampering attempt is detected, an alert is raised in the Microsoft Defender portal (https://security.microsoft.com).

Using endpoint detection and response and advanced hunting capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.

Review your security recommendations

Tamper protection integrates with Microsoft Defender Vulnerability Management capabilities. Security recommendations include making sure tamper protection is turned on. For example, in your Vulnerability Management dashboard, you can search on tamper. In the results, you can select Turn on Tamper Protection to learn more and turn it on.

To learn more about Microsoft Defender Vulnerability Management, see Dashboard insights - Defender Vulnerability Management.

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.