Protect Security Settings with Tamper Protection in Windows

Let’s learn how you can protect security settings with Tamper Protection in Windows. Tamper Protection is a security feature that uses real-time threat information to determine the potential risks of software and suspicious activities.

Tamper Protection in Windows Security helps prevent malicious apps from changing important Microsoft Defender Antivirus settings, including real-time protection and cloud-delivered protection.

It essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed through apps and methods such as:

  • Configuring settings in Registry Editor on your Windows device
  • Changing settings through PowerShell cmdlets
  • Editing or removing security settings through Group Policy

Microsoft recently announced new security features for Windows 11 that will help protect hybrid work, with the great addition of Pluton, Default App Control, Default Cred Protection, Phishing, and Personal Data Encryption. Here’s a look at New Security Features for Windows 11.

Protect Security Settings with Tamper Protection in Windows

You can manage tamper protection using the Microsoft 365 Defender or Microsoft Endpoint Manager portal for your environment. Let’s follow the steps to manage tamper protection on an individual Windows device –

  • On a Windows 10 or 11 device, type Windows Security in the search box, and then select Windows Security in the list of results.

Important – You must be signed in to the device as an administrator to turn on or off Tamper Protection.

  • In Windows Security, select Virus & threat protection. 

Scroll down to the Virus & threat protection settings, and select Manage settings.

Here you can change the Tamper Protection setting to On or Off. If UAC prompts you, select Yes to continue.

Note – If Tamper Protection is turned on and you’re an administrator on your computer, you can still change these settings in the Windows Security app. However, other apps can’t change these settings.

Turn On or Off Tamper Protection using Registry

The following steps help you turn tamper protection on or off via the Registry –

You can use the Search button in the Taskbar to launch the registry editor in Windows 10 or 11.

Important – We recommend you create a backup before editing the Registry.

Note – Adding the registry value manually may lead to issues and takes time for a system admin. You can also copy the content below and create a batch file to automate the setting.

  • Open Notepad, then copy and paste the registry value below into the text editor.

Set the Dword value in the below registry path to “5” to enable Tamper Protection or “0” to disable Tamper Protection.

Enable Tamper Protection

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
    "TamperProtection"=dword:00000005

Disable Tamper Protection

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
    "TamperProtection"=dword:00000000

In the File menu, select Save As and browse to your preferred folder or location. In the File name box, enter a name such as “FileName.reg” with the .reg extension, and choose “All” from the Save as type drop-down list. Click Save.

The registry file will appear in the saved location. To run it, double-click the .reg file, right-click it and select Open, or select it and press Enter to merge its content into the local Registry.

A warning box will prompt you to confirm. Click Yes to continue.

Once the information in the .reg file has been successfully entered into the Registry, the prompt below will appear. Click OK.

Restart your PC to apply the changes, and validate the changes from Windows Security.

Author

About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.


— Update: 15-03-2023 — us.suanoncolosence.com found an additional article Protect security settings with tamper protection from the website learn.microsoft.com for the keyword how to enable tamper protection in windows 10.

Applies to:

Platforms

  • Windows
  • macOS

What is tamper protection?

Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities.

Tamper protection is part of anti-tampering capabilities that include standard protection attack surface reduction rules. Tamper protection is an important part of built-in protection.

What happens when tamper protection is turned on?

When tamper protection is turned on, tamper-protected settings can’t be changed from their default values:

  • Virus and threat protection is enabled.
  • Real-time protection is turned on.
  • Behavior monitoring is turned on.
  • Antivirus protection, including IOfficeAntivirus (IOAV) is enabled.
  • Cloud protection is enabled.
  • Security intelligence updates occur.
  • Automatic actions are taken on detected threats.
  • Notifications are visible in the Windows Security app on Windows devices.
  • Archived files are scanned.

Tamper protection doesn’t prevent you from viewing your security settings. And, tamper protection doesn’t affect how non-Microsoft antivirus apps register with the Windows Security app. If your organization is using Defender for Endpoint, individual users can’t change the tamper protection setting; in those cases, tamper protection is managed by your security team. For more information, see How do I configure or manage tamper protection?

On what devices can tamper protection be enabled?

Tamper protection is available for devices that are running one of the following versions of Windows:

  • Windows 10 and 11 (including Enterprise multi-session)
  • Windows Server 2022, Windows Server 2019, and Windows Server, version 1803 or later
  • Windows Server 2016 and Windows Server 2012 R2 (using the modern, unified solution)

Tamper protection is also available for Mac, although it works a little differently than on Windows. For more information, see Protect macOS security settings with tamper protection.

Are you using Windows Server 2012 R2, 2016, or Windows version 1709, 1803, or 1809?

If you’re using Windows Server 2012 R2 using the modern unified solution, Windows Server 2016, Windows 10 version 1709, 1803, or 1809, you won’t see Tamper Protection in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.

Use PowerShell to determine whether tamper protection and real-time protection are turned on

  1. Open the Windows PowerShell app.

  2. Use the Get-MpComputerStatus PowerShell cmdlet.

  3. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)
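The check described in these steps can be scripted. The following added example (not code from Microsoft or from the articles collected on this page) compares what Get-MpComputerStatus reports with the TamperProtection registry value described earlier on this page and lists any mismatch; Test-TamperProtectionState is a hypothetical helper name, and the sample object is constructed.

```powershell
# Added example. Test-TamperProtectionState is a hypothetical helper, not a Defender cmdlet.
function Test-TamperProtectionState {
    [CmdletBinding()]
    param(
        # Object exposing the IsTamperProtected and RealTimeProtectionEnabled properties
        # returned by Get-MpComputerStatus (a constructed object works for offline testing).
        [Parameter(Mandatory)]
        [psobject] $Status,

        # TamperProtection DWORD from the Features key, or $null when it could not be read.
        [AllowNull()]
        [Nullable[int]] $RegistryValue
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $Status.IsTamperProtected) {
        $findings.Add('Tamper protection is off: other apps can change Defender settings.')
    }
    if (-not $Status.RealTimeProtectionEnabled) {
        $findings.Add('Real-time protection is off.')
    }

    # This page documents 5 (enabled) and 0 (disabled); other values are only reported.
    if ($null -eq $RegistryValue) {
        $findings.Add('TamperProtection registry value could not be read.')
    }
    elseif ($RegistryValue -eq 5 -and -not $Status.IsTamperProtected) {
        $findings.Add('Registry says 5 (enabled) but the cmdlet reports tamper protection as off.')
    }
    elseif ($RegistryValue -eq 0 -and $Status.IsTamperProtected) {
        $findings.Add('Registry says 0 (disabled) but the cmdlet reports tamper protection as on.')
    }
    elseif ($RegistryValue -notin 0, 5) {
        $findings.Add("Registry value $RegistryValue is not one of the documented values 0 or 5.")
    }

    [pscustomobject]@{
        IsTamperProtected         = [bool]$Status.IsTamperProtected
        RealTimeProtectionEnabled = [bool]$Status.RealTimeProtectionEnabled
        RegistryValue             = $RegistryValue
        Compliant                 = ($findings.Count -eq 0)
        Findings                  = $findings.ToArray()
    }
}

# Constructed sample: the registry claims "enabled" while Defender reports it as off.
$sample = [pscustomobject]@{ IsTamperProtected = $false; RealTimeProtectionEnabled = $true }
Test-TamperProtectionState -Status $sample -RegistryValue 5

# Live check, only where the Defender module is present.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $reg = (Get-ItemProperty -Path $key -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection
    Test-TamperProtectionState -Status (Get-MpComputerStatus) -RegistryValue $reg
}
```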

How do I configure or manage tamper protection?

You can use Microsoft Intune and other methods to configure or manage tamper protection, as listed in the following table:

Method | What you can do
--- | ---
The Microsoft 365 Defender portal | Turn tamper protection on (or off), tenant wide. This method won’t override settings that are managed in Microsoft Intune or Configuration Manager with tenant attach. See Manage tamper protection for your organization using Microsoft 365 Defender.
The Microsoft Intune admin center | Turn tamper protection on (or off), tenant wide, for some or all devices. Using this method, you can also tamper protect antivirus exclusions that are defined for Microsoft Defender Antivirus. See Manage tamper protection for your organization using Intune.
Configuration Manager | Turn tamper protection on (or off) for some or all devices by using Configuration Manager with tenant attach. This method won’t override settings managed in Intune. See Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006.
Windows Security app | Turn tamper protection on (or off) on an individual device that isn’t managed by a security team (such as devices for home use). This method won’t override tamper protection settings that are managed by the Microsoft 365 Defender portal, Intune, or Configuration Manager, and it isn’t intended to be used by organizations. See Manage tamper protection on an individual device.

What about exclusions?

Under certain conditions, tamper protection can now protect antivirus exclusions that are defined for Microsoft Defender Antivirus. For more information, see Tamper protection for exclusions.

View information about tampering attempts

Tampering attempts typically indicate that a larger cyberattack has taken place. Bad actors try to change security settings as a way to persist and stay undetected. If you’re part of your organization’s security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.

Whenever a tampering attempt is detected, an alert is raised in the Microsoft 365 Defender portal (https://security.microsoft.com).

Using endpoint detection and response and advanced hunting capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.

Review your security recommendations

Tamper protection integrates with Microsoft Defender Vulnerability Management capabilities. Security recommendations include making sure tamper protection is turned on. For example, in your Vulnerability Management dashboard, you can search on tamper. In the results, you can select Turn on Tamper Protection to learn more and turn it on.

To learn more about Microsoft Defender Vulnerability Management, see Dashboard insights – Defender Vulnerability Management.

See also

  • Protect macOS security settings with tamper protection
  • Built-in protection helps guard against ransomware
  • Frequently asked questions on tamper protection
  • Help secure Windows PCs with Endpoint Protection for Microsoft Intune

— Update: 17-03-2023 — us.suanoncolosence.com found an additional article How to manage Windows Security Tamper Protection feature on Windows 10 May 2019 Update from the website www.windowscentral.com for the keyword how to enable tamper protection in windows 10.

On Windows 10, Windows Security is an experience that includes the settings to manage all of the built-in security features, including Windows Defender Antivirus, Windows Firewall, online security, and more.

Starting with the May 2019 Update (version 1903), Windows 10 is introducing Tamper Protection, which is a new feature designed to protect the Windows Security app against unauthorized changes that are not made directly through the experience.

Although this is a welcome addition that adds an extra layer of protection on Windows 10, it can cause some problems when you need to manage security settings through another app or command line tools, such as PowerShell or Command Prompt.

Fortunately, whether you want to improve your system security, or you’re required to manage security settings using another app, the updated version of Windows Security makes it simple to enable or disable the new Tamper Protection feature.

In this Windows 10 guide, we’ll walk you through the steps to enable and disable the Tamper Protection feature included with the Windows Security app starting with the May 2019 Update.

  • How to disable Tamper Protection on Windows Security
  • How to enable Tamper Protection on Windows Security

How to disable Tamper Protection on Windows Security

To disable the Tamper Protection feature on Windows 10, use these steps:

  1. Open Start.
  2. Search for Windows Security and click the top result to open the experience.
  3. Click on Virus & threat protection.
  4. Under the “Virus & threat protection” section, click the Manage settings option.
  5. Turn off the Tamper Protection toggle switch.

Once you complete the steps, you will be able to change the Windows Security settings using command lines or using any other app.

How to enable Tamper Protection on Windows Security

To enable the Tamper Protection feature to prevent unauthorized setting changes on the Windows Security app, use these steps:

  1. Open Start.
  2. Search for Windows Security and click the top result to open the experience.
  3. Click on Virus & threat protection.
  4. Under the “Virus & threat protection” section, click the Manage settings option.
  5. Turn on the Tamper Protection toggle switch.

After you complete the steps, Windows 10 will protect the security of your device by preventing users or malicious apps from changing essential settings, including real-time protection, cloud-delivered protection, and behavior monitoring.


— Update: 20-03-2023 — us.suanoncolosence.com found an additional article How to enable or disable Tamper Protection in Windows 11/10 using GPEDIT or REGEDIT from the website www.thewindowsclub.com for the keyword how to enable tamper protection in windows 10.

Windows Security Team has rolled out Tamper Protection for all Windows users. In this post, we will share how you can enable or disable Tamper Protection in Windows Security or Windows Defender via UI, Registry or Intune. While you can turn it off, we highly recommend you keep it enabled at all times, for your protection.

What is Tamper Protection in Windows 11/10

In simple English, it makes sure nobody can tamper with the protection system, aka Windows Security. The onboard software is good enough to handle most security threats, including ransomware. But if it is turned off by third-party software or by malware that sneaks in, then you can get into trouble.

The Tamper Protection feature in Windows Security prevents malicious apps from changing relevant Windows Defender Antivirus settings. Features like real-time protection and cloud protection are essential to keep you safe from emerging threats. The feature also makes sure that nobody can change or modify the settings via Registry or Group Policy.

Here is what Microsoft says about it:

  • To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to Windows Security and update security intelligence to version 1.287.60.0 or later. Once you’ve made this update, Tamper Protection will continue to protect your registry settings and will log attempts to modify them without returning errors.
  • If the Tamper Protection setting is On, you won’t be able to turn off the Windows Defender Antivirus service by using the DisableAntiSpyware group policy key.

Tamper Protection is enabled by default for Home users. Keeping Tamper Protection On doesn’t mean that you cannot install third-party antivirus. It only means no other software can change the settings of Windows Security. Third-party antivirus will continue to register with the Windows Security application.

Disable Tamper Protection in Windows Security

While third parties are blocked from making any changes, you as an administrator can make the changes. Even though you can, we highly recommend that you keep it enabled all the time. You can configure it in three ways:

  1. Windows Security UI
  2. Registry changes
  3. Intune or Microsoft 365 Device Management portal

There is no Group Policy Object to change this setting.

1] Using Windows Security UI to disable or enable Tamper Protection

  • Click on the Start button, and from the app list, locate Windows Security. Click to launch when you find it.
  • Switch to Virus and Threat protection > Manage Settings
  • Scroll a bit to find Tamper Protection. Make sure it’s toggled On.
  • If there is a particular need, you may turn it off, but make sure to turn it on again when work is done.

2] Registry changes to disable or enable Tamper protection

  • Open Registry Editor by typing Regedit in the Run Prompt followed by the Enter key
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
  • Double click on DWORD TamperProtection to edit the value.
  • Set it to “0” to disable Tamper Protection or “5” to enable Tamper Protection

3] Turn Tamper Protection on or off for your organization using Intune

If you are using Intune, i.e. the Microsoft 365 Device Management portal, you can use it to turn Tamper Protection on or off. Apart from having appropriate permissions, you need to have the following:

If you are part of your organization’s security team, you can turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune) assuming your organization has Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP):

  • Your organization must have Microsoft Defender ATP E5, Managed by Intune, and running Windows OS 1903 or later.
  • Windows security with security intelligence updated to version 1.287.60.0 (or above)
  • Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above)

Now follow the steps to enable or disable Tamper Protection:

  1. Go to the Microsoft 365 Device Management portal and sign in with your work or school account.
  2. Select Device configuration > Profiles
  3. Create a profile that includes the following settings:
    • Platform: Windows 10 and later
    • ProfileType: Endpoint protection
    • Settings > Windows Defender Security Center > Tamper Protection. Configure it on or off
  4. Assign the profile to one or more groups

If you do not see this option right away, it is still being rolled out.

Whenever a change occurs, an alert will be displayed in the Security Center. The security team can filter the logs with the following query:

AlertEvents | where Title == "Tamper Protection bypass"

No Group Policy Object for Tamper Protection

Lastly, there is no Group Policy available to manage multiple computers. A note by Microsoft clearly says:

You can use the Registry method for multiple computers by remotely connecting to each computer and deploying the change. Once done, this is how it will look in users’ individual settings:

We hope the steps were easy to follow, and you were able to enable or disable Tamper Protection as per your requirement.

Source: https://www.anoopcnair.com/protect-security-tamper-protection-in-windows/
