Working with tamper protection on Windows devices to protect security settings

This week is all about working with tamper protection on Windows devices. Not because it’s something new, but mainly to give it some more attention. It does, by the way, introduce new management functionality. That new functionality is the ability to configure tamper protection on unmanaged devices. So, devices that are not managed by Microsoft Intune or Configuration Manager, but that are managed via Microsoft Defender for Endpoint security settings management. Besides that, it’s just important to highlight the functionality of tamper protection again, to make sure that the functionality and its usage are known. Especially as it’s nowadays enabled by default when using Microsoft Defender for Endpoint. Because it’s enabled by default, people easily forget that it’s configured and what it’s used for. This post will start with a brief introduction, followed by the different options to configure tamper protection on Windows devices. This post will end with the user experience.

Note: On new tenants, created after October 2022, tamper protection is enabled by default.

Introducing tamper protection

When looking at tamper protection, it all starts with the fact that it’s a capability in Microsoft Defender for Endpoint that does exactly what the name of the feature already implies. That is that it protects against tampering. It protects against tampering of different security settings. That prevents bad actors from disabling important security features on devices within the organization. Disabling security features potentially provides bad actors with easier access to data of the organization, the ability to install malware, and more. When tamper protection is turned on, the following tamper-protected settings can’t be changed:

  • Virus and threat protection is enabled.
  • Real-time protection is turned on.
  • Behavior monitoring is turned on.
  • Antivirus protection, including IOfficeAntivirus (IOAV), is enabled.
  • Cloud protection is enabled.
  • Security intelligence updates occur.
  • Automatic actions are taken on detected threats.
  • Notifications are visible in the Windows Security app on Windows devices.
  • Archived files are scanned.
  • Exclusions can’t be modified or added (requires additional configuration).

Important: Keep in mind that when tamper protection is turned on, tamper-protected settings can’t be changed. Not even by management solutions, such as Microsoft Intune and Configuration Manager.

Note: Tamper protection is an important part of built-in protection that helps guard against ransomware.

Configuring tamper protection via Microsoft Intune

When looking at the configuration of tamper protection, it all starts with the different options. Nowadays, when onboarding in Defender for Endpoint, tamper protection is enabled by default. That’s because of a tenant-wide configuration in the Microsoft Defender portal. That configuration is shown below in Figure 1 and can be found by navigating to Settings > Endpoints.

Besides that, Microsoft Intune (and Configuration Manager) can be used to make sure that tamper protection is enabled on devices and to make specific exclusions when needed. On top of that, Microsoft Intune also enables the IT administrator to protect the antivirus exclusions. Those configurations are described below in more detail.

Prerequisites for enabling tamper protection

When looking at the configuration of tamper protection on Windows devices, it’s important to make sure that the prerequisites are in place. Those prerequisites are focused on available functionalities and are summarized below.

  • The device must be running Windows 10 or 11.
  • The device must be onboarded in Microsoft Defender for Endpoint.
  • The device must be running Microsoft Defender Antivirus with anti-malware platform version 4.18.2010.7 (or later) and anti-malware engine version 1.1.17600.5 (or later).
  • The device must be running Microsoft Defender Antivirus with cloud-delivered protection turned on.

Enabling tamper protection via Microsoft Intune

Using Microsoft Intune in combination with Microsoft Defender for Endpoint provides IT administrators with the flexibility to differentiate between devices, the ability to protect antivirus exclusions, and the reassurance that there is always a fallback configuration in place when the cloud protection service is not available. Many reasons to be familiar with the configuration options and the configuration steps. The configuration of tamper protection can be achieved by using a Windows Security Experience device configuration profile. The following steps walk through using that profile to enable tamper protection.

  1. Open the Microsoft Intune admin center portal and navigate to Endpoint security > Antivirus
  2. On the Endpoint security | Antivirus page, click Create Policy
  3. On the Create a profile blade, select Windows as platform and Windows Security Experience as profile, and click Create
  4. On the Basics page, provide at least a unique name to distinguish it from similar profiles and click Next
  5. On the Configuration settings page, as shown below in Figure 2, navigate to Defender > TamperProtection and configure it to On, and click Next
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment for the required users or devices and click Next
  8. On the Review + create page, verify the configuration and click Create

Note: This configuration for tamper protection will overrule the Microsoft Defender tenant-wide configuration.

Disabling local administrator merge via Microsoft Intune

When using Microsoft Intune for managing tamper protection, Microsoft Intune is often also used for managing the exclusions for Microsoft Defender Antivirus. If not, consider doing so. Using Microsoft Intune for managing the exclusions also provides IT administrators with the option to prevent local administrators from adding local exclusions. Those exclusions will be managed by IT. That gives control over the exclusions and makes sure that there will be no local exclusions and exceptions on devices. That can be configured by using a Microsoft Defender Antivirus device configuration profile to disable local administrator merge. The following steps walk through that process.

  1. Open the Microsoft Intune admin center portal and navigate to Endpoint security > Antivirus
  2. On the Endpoint security | Antivirus page, click Create Policy
  3. On the Create a profile blade, select Windows as platform and Microsoft Defender Antivirus as profile, and click Create
  4. On the Basics page, provide at least a unique name to distinguish it from similar profiles and click Next
  5. On the Configuration settings page, as shown below in Figure 3, navigate to Defender > Disable Local Admin Merge and configure it to Disable Local Admin Merge, and click Next
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment for the required users or devices and click Next
  8. On the Review + create page, verify the configuration and click Create

Note: This configuration is also part of the default configuration in the Security Baseline for Windows 10 and later profile. Besides that, this configuration is also part of the default configuration in the Microsoft Defender for Endpoint Security Baseline profile. At this time the latter profile, however, enables the local administrator merge by default.

Experiencing tamper protection

When the configuration for tamper protection is in place, the verification of that configuration is pretty straightforward. The Windows Security app provides clear information about that, for the features that are protected with tamper protection. An obvious example is shown below in Figure 4 on the right. That shows how real-time protection is turned on and that tamper protection is preventing changes to that setting. Besides that, there are many other configurations to verify. An interesting setting is the ManagedDefenderProductType entry in the HKLM\SOFTWARE\Microsoft\Windows Defender registry key. When that is set to 6, it means that the device and its configuration are managed by Microsoft Intune. That is a required value for protecting Microsoft Defender Antivirus exclusions. Alternatively, the Get-MpComputerStatus cmdlet can be used to verify if tamper protection is enabled. The property IsTamperProtected provides a clear answer.

Besides that information, there are more interesting locations. The HKLM\SOFTWARE\Microsoft\Windows Defender\Features registry key contains for example the TPExclusions entry that is used to indicate that the Microsoft Defender Antivirus exclusions are managed on the device.
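To pull the verification points from the two paragraphs above into one check, the following script is an added example (not from the original post) that reads the IsTamperProtected property, the ManagedDefenderProductType value and the TPExclusions value and reports the result. It assumes an elevated PowerShell session on a device that is onboarded in Defender for Endpoint; the function name and the interpretation of TPExclusions = 1 as "exclusions protected" are assumptions.

```powershell
# Added example: verify tamper protection and exclusion protection state.
# Assumes an elevated session on a Defender for Endpoint onboarded device.
function Get-TamperProtectionState {
    [CmdletBinding()]
    param()

    $defenderKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $featuresKey = Join-Path -Path $defenderKey -ChildPath 'Features'

    # Get-MpComputerStatus ships with the built-in Defender module;
    # IsTamperProtected is the property referred to in the post.
    $status = Get-MpComputerStatus -ErrorAction Stop

    # ManagedDefenderProductType = 6 means the device is managed by Microsoft Intune,
    # which is a prerequisite for protecting the antivirus exclusions.
    $productType = (Get-ItemProperty -Path $defenderKey -Name 'ManagedDefenderProductType' `
        -ErrorAction SilentlyContinue).ManagedDefenderProductType

    # TPExclusions indicates whether the exclusions are managed (tamper-protected)
    # on the device; treating 1 as "protected" is an assumption of this example.
    $tpExclusions = (Get-ItemProperty -Path $featuresKey -Name 'TPExclusions' `
        -ErrorAction SilentlyContinue).TPExclusions

    [PSCustomObject]@{
        ComputerName               = $env:COMPUTERNAME
        IsTamperProtected          = [bool]$status.IsTamperProtected
        RealTimeProtectionEnabled  = [bool]$status.RealTimeProtectionEnabled
        ManagedDefenderProductType = $productType
        ManagedByIntune            = ($productType -eq 6)
        TPExclusions               = $tpExclusions
        ExclusionsProtected        = (($productType -eq 6) -and ($tpExclusions -eq 1))
    }
}

$state = Get-TamperProtectionState
$state | Format-List

# Exit codes make the check reusable as a detection script: 0 = compliant, 1 = not.
if (-not $state.IsTamperProtected) {
    Write-Warning 'Tamper protection is not enabled on this device.'
    exit 1
}
if (-not $state.ExclusionsProtected) {
    Write-Warning 'Antivirus exclusions are not tamper-protected (check Intune management and TPExclusions).'
    exit 1
}
exit 0
```

Run it on a device after the Intune profiles from the previous sections have applied; a non-zero exit code points at which of the two conditions (tamper protection itself, or exclusion protection) is still missing.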

Note: Troubleshooting mode in Microsoft Defender for Endpoint enables IT administrators to troubleshoot Microsoft Defender Antivirus features, even when the device is managed by organizational policies.

More information

For more information about tamper protection on Windows devices, refer to the following docs.

