Okay so, I care about security, I understand the value, I accept why it is implemented the way it is, and I think it's overall a positive move. However, I see a big issue I'm not seeing a real solution to. Say I get 200 new Windows 10 machines; they will come with Windows Defender and Tamper Protection enabled out of the box, so far so good. Let's understand and accept the context that I do not have Intune and I don't plan to use Intune; instead, like most businesses, I rely on Group Policy and PowerShell to manage the 200 devices, so far so good. If I try to use PowerShell or Group Policy to disable Windows Defender it won't have any effect. That I accept: it's not supported, you're protecting me, Windows is a service, Tamper Protection protects me even from bad admins, good, good, good and good. However! Windows Defender PUA (potentially unwanted application) protection is disabled by default, Network Protection (like system-wide SmartScreen) is disabled by default, and ASR (attack surface reduction) rules are disabled by default. So I go off and do my little PowerShell thing to enable those Defender features on those 200 machines (Set-MpPreference -PUAProtection Enabled; Set-MpPreference -EnableNetworkProtection Enabled; Set-MpPreference -AttackSurfaceReductionRules_Ids blah blah blah). I then want to check that it's worked as intended, so I do a Get-MpPreference and it reports back that those features are enabled as I configured them. Everything is fine, right? Wrong! Tamper Protection means PUA/network/ASR protections are still disabled even when PowerShell reports they are now turned on. The only way I can be sure is to physically connect to the machine and run evaluations to check the features are functioning, and they are not functioning, despite the fact that Get-MpPreference implies otherwise.
Is it really the case that I have to go to every single one of these 200 machines, turn off Tamper Protection, enable PUA protection, enable Network Protection, enable ASR rules, and then turn Tamper Protection back on? That's really what I have to do to enable these basic security features? One by one on all 200 machines? And then I still can't check remotely on a regular basis whether they are on, because the PowerShell is a lie? There's the view that Defender isn't that good, and I tell people it is good, and the thing holding it back is mainly that PUA detection is off by default, unlike every other AV on the market (that's how Malwarebytes got its fame; it's not actually better). My advice to those people is to turn PUA protection on via Group Policy or PowerShell, and to consider turning on Network Protection and implementing the ASR rules. But now doing so will have no effect, because Tamper Protection blocks them. And even worse, Group Policy and PowerShell both imply to administrators that the features are enabled and running, when they're actually completely disabled! I'm all for Tamper Protection, but forcing me to use Intune just to enable PUA protection is terrible! And what about home users? Why is there no option for PUA protection in the Security Centre GUI???? Tamper Protection has been around since April; I've used it, the documentation was originally brief and incorrect (it might still be), I've learnt it was what stopped these security features from being enabled, and I assumed it'd be getting fixed in 19H2 or 20H1. Now you're saying no, it's not being fixed, but instead it's being rolled out and turned on by default, so basic critical features such as blocking known malicious software and known malicious websites are now prevented from being enabled by the people who need the protection the most??
I mean no disrespect at all, but I simply cannot log into all 200 computers one by one to disable Tamper Protection (which I want enabled) in order to enable security features that should be on by default. Does nobody else see this as a massive issue?? It seems like one step forward and two steps back. And holding back basic functionality and using it to shill Azure AD and Intune is the exact opposite of market leadership, or "advanced threat protection". Please, please address this, and I apologise for my impolite tone and general rant; it is not intended at anybody specifically. (PS: I genuinely wish Microsoft had followed through with important projects like Nano Server and ReFS, which were thrown to one side because, despite being the future, it turns out you can save money for a couple of quarters by giving up and screwing stakeholders. This seems like one of those things.)
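As an added example (not the original poster's script, and not anything from Microsoft), here is how the configure-then-verify step the post describes could be run across a fleet instead of box by box. It enables PUA protection, Network Protection and one ASR rule with Set-MpPreference / Add-MpPreference, then pulls back from each machine the Get-MpPreference values together with the Tamper Protection flag from Get-MpComputerStatus and a count of recent ASR/Network Protection block events from the Defender operational log, so the value the cmdlet reports can be set beside evidence of the engine actually acting. The hostnames, the single ASR rule ID (the post elides the IDs as "blah blah blah"; the one used here is the documented "Block all Office applications from creating child processes" rule), the 7-day window and the event-ID filter are my choices, and the script assumes PowerShell remoting (WinRM) is reachable and the caller is a local administrator on every target, none of which the post states.

```powershell
# Added example: fleet enable-and-verify for Defender PUA / Network Protection / ASR.
# Not the poster's code. Assumes WinRM remoting works and the caller is local admin
# on each target. Hostnames below are placeholders (assumption).
$Computers = 'PC-001', 'PC-002'   # replace with the real list of machines

# One ASR rule chosen for illustration (assumption): "Block all Office applications
# from creating child processes".
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

$Configure = {
    param($RuleId)
    Set-MpPreference -PUAProtection Enabled
    Set-MpPreference -EnableNetworkProtection Enabled
    # Add-MpPreference appends to the existing rule list rather than replacing it;
    # _Ids and _Actions are parallel arrays, so both must be supplied together.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

$Verify = {
    param($RuleId)
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Find the rule's position in the Ids array; its action sits at the same index.
    # @() guards against a null array when no ASR rules are configured at all.
    $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
    $idx = [Array]::IndexOf($ids, $RuleId.ToUpper())
    $asrAction = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { $null }

    # Evidence independent of what Get-MpPreference says: 1121 = ASR rule blocked,
    # 1126 = Network Protection blocked. Window length is an assumption.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1126
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        TamperProtected     = $status.IsTamperProtected
        PUAProtection       = $pref.PUAProtection           # 0=Disabled 1=Enabled 2=AuditMode
        NetworkProtection   = $pref.EnableNetworkProtection # 0=Disabled 1=Enabled 2=AuditMode
        AsrRuleAction       = $asrAction                    # 1=Block 2=Audit; $null if absent
        AsrOrNpEventsLast7d = @($events).Count
    }
}

# Push the configuration, then read it back alongside tamper state and event evidence.
Invoke-Command -ComputerName $Computers -ScriptBlock $Configure -ArgumentList $AsrRuleId
$report = Invoke-Command -ComputerName $Computers -ScriptBlock $Verify -ArgumentList $AsrRuleId

$report | Select-Object Computer, TamperProtected, PUAProtection, NetworkProtection,
                        AsrRuleAction, AsrOrNpEventsLast7d |
    Format-Table -AutoSize

# Machines where the preference reads Enabled but nothing has ever been blocked are the
# ones to test by hand; the cmdlet output alone is not proof of enforcement.
$report | Where-Object { $_.PUAProtection -eq 1 -and $_.AsrOrNpEventsLast7d -eq 0 } |
    ForEach-Object { Write-Warning "$($_.Computer): reports Enabled but no ASR/NP block events in 7 days" }
```

A zero event count is not by itself proof that a feature is off (a quiet machine produces none either), so the warning list is a triage queue for a positive test on the box rather than a verdict; what the script gives you is the preference value and the tamper state side by side with enforcement evidence, collected remotely, instead of trusting the preference value alone.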