Tamper protection in Microsoft Defender ATP

We are committed to making our solutions resistant to attacks and continuously working towards raising the bar in security. In this blog we’re covering the tamper protection feature in our antimalware solution. This feature builds on our previously announced Windows Defender Antivirus sandboxing capability (https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) and expands existing tamper protection strategies across Microsoft Defender Advanced Threat Protection (https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc).

Tamper protection is a new setting available in the Windows Security app which provides additional protections against changes to key security features, including limiting changes that are not made directly through the app.

If you are a home user, you can toggle the setting from the Virus & threat protection settings area in the app. For enterprise environments, the setting can be managed centrally through the Intune management portal.

We’re continuing to work on the feature, but the current version of the setting is available to Windows Insiders today. The full functionality of the feature (including support for enterprise-level management) will be released along with the upcoming release of Windows 10.

Enabling this feature prevents others (including malicious apps) from changing important protection features such as:

- Real-time protection, which is the core antimalware scanning feature of Microsoft Defender ATP next gen protection and should rarely, if ever, be disabled
- Cloud-delivered protection, which uses our cloud-based detection and prevention services to block never-before seen malware within seconds
- IOAV, which handles the detection of suspicious files from the Internet
- Behavior monitoring, which works with real-time protection to analyze and determine if active processes are behaving in a suspicious or malicious way and blocks them

The feature also prevents the deletion of security intelligence updates and the disabling of the entire antimalware solution. Note: There's no change in the way third-party antivirus solutions are registered with the Windows Security app.

For Windows home users, the feature will be On by default when Windows is installed. If you are upgrading and Cloud-delivered protection is enabled, then the tampering protection feature will also be turned On.

For enterprise E5 customers (such as those with a Microsoft Defender ATP license), this feature will be opt-in and can only be managed from the Intune management console. Local device admin users will not be able to change the setting. This ensures that even malicious apps – or malicious actors – can’t locally override the setting. Note that enterprise management is not available in current preview versions of Windows 10, but we’ll be bringing it to preview shortly.

Now in limited preview

We’re continuing to work on this feature, and you can test it out now on any recent Windows Insider build released during March 2019 or later. If you’d like to test this feature, please send us feedback via the Feedback Hub, or email us at wdcustomer@microsoft.com.

We’d love to have you on the journey so we can use your feedback and insights to deliver strong protection across platforms.

Not yet reaping the benefits of Microsoft Defender ATP’s industry-leading optics and detection capabilities (https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831)? Sign up for free trial today (https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc).

Iaan D’Souza-Wiltshire (@iaanMSFT) & Shweta Jha (@shwetajha_MS)
Microsoft Defender ATP
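
An endpoint check for the settings listed in the post, added here as an example (it is not code from the post or from Microsoft). It assumes the Defender PowerShell module's Get-MpComputerStatus and Get-MpPreference cmdlets and their property names; the function name Get-TamperProtectionPosture and the sample objects are hypothetical and constructed for illustration.

```powershell
# Added example: reports the state of tamper protection and of the features the
# post says it covers. Function name and sample data are hypothetical.

function Get-TamperProtectionPosture {
    [CmdletBinding()]
    param(
        # Object shaped like Get-MpComputerStatus output; queried live when omitted.
        $Status,
        # Object shaped like Get-MpPreference output; queried live when omitted.
        $Preference
    )

    if ($null -eq $Status)     { $Status     = Get-MpComputerStatus -ErrorAction Stop }
    if ($null -eq $Preference) { $Preference = Get-MpPreference     -ErrorAction Stop }

    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced. Any non-zero value
    # means cloud-delivered protection is on; a missing value stays unknown.
    $cloud = $null
    if ($null -ne $Preference.MAPSReporting) {
        $cloud = ([int]$Preference.MAPSReporting -gt 0)
    }

    # Feature name as used in the post -> observed value ($null when the build
    # does not expose the property, e.g. a build that predates the feature).
    $checks = [ordered]@{
        'Tamper protection'          = $Status.IsTamperProtected
        'Antimalware solution'       = $Status.AntivirusEnabled
        'Real-time protection'       = $Status.RealTimeProtectionEnabled
        'Cloud-delivered protection' = $cloud
        'IOAV'                       = $Status.IoavProtectionEnabled
        'Behavior monitoring'        = $Status.BehaviorMonitorEnabled
    }

    foreach ($name in $checks.Keys) {
        $value = $checks[$name]
        $state = if ($null -eq $value) { 'Unknown' } elseif ($value) { 'On' } else { 'Off' }

        $finding = switch ($state) {
            'On'      { 'OK' }
            'Unknown' { 'Not reported by this build' }
            'Off'     {
                if ($name -eq 'Tamper protection') {
                    'Protected settings can be changed outside the Windows Security app'
                } else {
                    'Review: protection feature is disabled'
                }
            }
        }

        [pscustomobject]@{ Feature = $name; State = $state; Finding = $finding }
    }
}

# Constructed sample objects (not real telemetry) so the function runs offline.
$sampleStatus = [pscustomobject]@{
    IsTamperProtected         = $false
    AntivirusEnabled          = $true
    RealTimeProtectionEnabled = $false
    IoavProtectionEnabled     = $true
    BehaviorMonitorEnabled    = $true
}
$samplePreference = [pscustomobject]@{ MAPSReporting = 2 }

Get-TamperProtectionPosture -Status $sampleStatus -Preference $samplePreference |
    Format-Table -AutoSize

# On a live endpoint with the Defender module available:
# Get-TamperProtectionPosture | Where-Object Finding -ne 'OK'
```

With the sample data, the tamper protection and real-time protection rows come back as Off with a finding, and the other four rows report OK.
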
Re: Tamper protection in Microsoft Defender ATP

Will enterprise management really only be limited to Intune MDM, or will it be configurable from SCCM or Group Policy also?

Re: Tamper protection in Microsoft Defender ATP

I expect technical posts from the PG, but you've provided neither details on implementation nor any examples of real-world scenarios in which this protection works.

> Enabling this feature prevents others (including malicious apps)

What does "others" mean? If a script runs under my user account and disables Defender via the group policy, is this me or others? How do you differentiate me from others?

Re: Tamper protection in Microsoft Defender ATP

Should we already be able to enable this tamper protection within Intune in advance of the release, or is that forthcoming? I'm unable to find this setting in Intune.

Re: Tamper protection in Microsoft Defender ATP

Intune management is still under development and yet to come. Management for this feature will be limited to Intune (MDM/CSP) channel only to start with.

> @Eric Avena wrote:
> We are committed to making our solutions resistant to attacks and continuously working towards raising the bar in security. In this blog we’re covering the tamper protection feature in our antimalware solution. This feature builds on our previously announced Windows Defender Antivirus sandboxing capability (https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) and expands existing tamper protection strategies across Microsoft Defender Advanced Threat Protection (https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc).

Re: Tamper protection in Microsoft Defender ATP

Are you aware that having this feature on breaks your own "Turn off Windows Defender Antivirus" policy? "Breaks" as in has no effect unless Tamper Protection is off? I'm thinking that shouldn't be by design, if it is.

Re: Tamper protection in Microsoft Defender ATP

Hi Brian - Would you please be able to provide more details about your scenario and which MS policy you are talking about?

Re: Tamper protection in Microsoft Defender ATP

Not too much more, since that is its exact name. It's located in Computer Configuration/Administrative Templates/Windows Components/Windows Defender Antivirus.

The scenario is anyone who wants to use the above policy will be blindsided by the fact that it no longer works without a) knowing about Tamper Protection, and b) disabling it. The description for the policy I mentioned, at the very least, should be updated to reflect this new reality. Unless it's a bug, in which case it should be fixed.

Re: Tamper protection in Microsoft Defender ATP

Thanks for pointing this out Brian. We will get GP policy description updates. Please note
%20that%20disableantispyware%20is%20not%20supported%20way%20to%20turn%20defender%20off.%20See%20the%20documentation%20here%20%3A%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-hardware%2Fcustomize%2Fdesktop%2Funattend%2Fsecurity-malware-windows-defender-disableantispyware%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-hardware%2Fcustomize%2Fdesktop%2Funattend%2Fsecurity-malware-windows-defender-disableantispyware%3C%2FA%3E.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EWe%20have%20KB%20article%20having%20this%20note%20added%20as%20well%20%3A%26nbsp%3B%3C%2FFONT%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4490103%2Fwindows-10-prevent-changes-to-security-settings-with-tamper-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20nor
eferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4490103%2Fwindows-10-prevent-changes-to-security-settings-with-tamper-protection%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-539168%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-539168%22%20slang%3D%22en-US%22%3E%3CP%3EYou're%20pointing%20to%20autounattend.xml%20parameters%20docs%20and%20claiming%20that%20the%20group%20policy%20is%20not%20supported.%20Please%20get%20your%20story%20straight.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAnd%20btw%2C%20where's%20the%20tamper%20protection%20documentation%3F%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EYou%20probably%20have%20your%20own%20group%20policy%20for%20tamper%20protection.%20Then%20you%20should%20document%20it.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAre%20there%20any%20other%20group%20policies%20that%20aren't%20compatible%3F%20Document%20it.%20We%20should%20not%20be%20finding%20this%20out%20by%20trial%20and%20error...%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20MSKB%20article%20is%2
0pathetic.%20And%20while%20I'm%20on%20it%2C%20you%20should%20provide%20the%20full%20(official)%20group%20policy%20name%20instead%20of%20some%20%22key%22.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-539223%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-539223%22%20slang%3D%22en-US%22%3E%3CP%3ERight%2C%20that%20unattended%20setting%2C%20which%20I%20didn't%20know%20existed%2C%20isn't%20what%20I%20was%20talking%20about.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-539232%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-539232%22%20slang%3D%22en-US%22%3E%3CP%3EYes%20Brian%2C%20underneath%20its%20the%20same%20GP%20policy.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-539235%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-539235%22%20slang%3D%22en-US%22%3E%3CP%3EOK%2C%20but%20the%20article%20saying%20it's%20not%20%22supported%22%20doesn't%20really%20track%2C%20does%20it%3F%26nbsp%3B%20Because%20it's%20an%20official%20group%20policy%2C%20and%20there's%20no%20hint%20that%20it's%20not%20supported.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20that's%20not%20a%20supported%20method%2C%20what%20is%3F!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-539246%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-539246%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20question%20is%20why%20do%20you%20want%20to%20turn%20off%20windows%20defender%3F%20I%20would%20like%20to%20udnerstand%20your%20usecase.%20Windows%20Defender%26nbsp%3B%20comes%20with%20OS%20and%20it%20remains%20on%2C%20unless%20any%20other%203P%20AV%20is%20registered%20with%20Windows%20Security%20App.%20Once%2
0the%20other%20AV%20is%20registered%20with%20WSC%2C%20windows%20defender%20AV%20automatically%20goes%20into%20disable%20mode%2C%20and%20this%20is%20the%20only%20supported%20way%20to%20disable%20defender.%20Happy%20to%20schedule%20sometime%20and%20talk.%20Let%20me%20know.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-539302%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-539302%22%20slang%3D%22en-US%22%3E%3CP%3ENo%2C%20the%20question%20is%20why%20a%20major%20security%20feature%20is%20being%20released%20without%20proper%20documentation%2C%20including%20its%20impact%20on%20other%20features%20such%20as%20Group%20Policies.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20for%20your%20statement%20that%20disabling%20WD%20%5Bvia%20the%20Group%20Policy%5D%20is%20not%20supported%2C%20I'd%20like%20to%20see%20a%20clear%20and%20relevant%20documentation%20(not%20the%20one%20on%20the%20answer%20file%20settings)%20as%20well%20as%20a%20conclusive%20statement%20in%20the%20Group%20Policy%20which%20currently%20supports%20at%20least%20Vista.%20(And%20yes%2C%20I%20see%20the%20%3CEM%3Erecommendation%3C%2FEM%3E%20at%20the%20bottom%20of%20the%20GP%20description).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20680px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F112414iD33FE2CB4B0B2E67%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22wd.png%22%20title%3D%22wd.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELet's%20schedule%20a%20talk%20about%20this!%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-541467%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLIN
GO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-541467%22%20slang%3D%22en-US%22%3E%3CP%3EVery%20much%20agreed%2C%20on%20the%20last%20post.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20to%20answer%20Shweta's%20question%2C%20I%20like%20to%20disable%20it%20in%20test%20VMs%2C%20since%20they're%20already%20slow%20enough.%20This%20makes%20them%20more%20usable.%20Having%20AV%20in%20such%20an%20environment%20is%20completely%20N%2FA.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-545356%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-545356%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Vadim%2C%20as%20I%20said%20before%2C%20we%20will%20get%20GP%20description%20updated.%20Please%20note%20that%20feature%20is%20still%20in%20the%20preview%20and%20official%20document%20is%20yet%20to%20come.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBrian%20-%20Defender%20is%20doign%20what%20it%20is%20supposed%20to%20do%2C%20in%20case%20you%20are%20certain%20about%20the%20environment%20and%20do%20not%20want%20any%20RTP%20overhead%2C%20you%20can%20use%20exclusions%20%3A%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fconfigure-exclusions-windows-defender-antivirus%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.
microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fconfigure-exclusions-windows-defender-antivirus%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-545452%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-545452%22%20slang%3D%22en-US%22%3EShweta%2C%20there's%20no%20harm%20in%20publishing%20a%20documentation%20preview%20when%20you%20release%20a%20feature%20preview.%20GA%20is%20the%20end%20of%20May%2C%20your%20feature%20set%20is%20ready.%20Please%20send%20a%20comment%20when%20you%20publush%20your%20docs%20so%20we%20can%20see%20how%20serious%20you're.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-549655%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-549655%22%20slang%3D%22en-US%22%3E%3CP%3EShweta%2C%20excluding%20everything%20a)%20isn't%20possible%20and%20b)%20is%20counterproductive.%20I'll%20just%20continue%20to%20disable%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20give%20us%20a%20preview%20of%20what%20the%20updated%20GP%20description%20is%20going%20to%20say%3F%26nbsp%3B%20Is%20it%20that%20it%20has%20a%20dependency%20on%20Tamper%20protection%20(which%2C%20btw%2C%20should%20have%20its%20own%20policy--why%20doesn't%20it%3F)%2C%20or%20what%2C%20that%20we're%20only%20supposed%20to%20look%20at%20it%20longingly%20but%20not%20use%20it%20because%20it%20might%20be%20deprecated%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20think%20you've%20outright%20confirmed%20that%20it's%20%3CEM%3Eintended%3C%2FEM%3E%20to%20have%20said%20dependency.%20You've%20been%20a%20little%20cryptic.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-549814%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BO
DY%20id%3D%22lingo-body-549814%22%20slang%3D%22en-US%22%3E%3CP%3EWill%20tamper%20protection%20also%20prevent%20installation%20of%20third%20party%20AV's%3F%3C%2FP%3E%3CP%3E(As%20we%20have%20a%20group%20of%20dev%20machines%20that%20require%20local%20admin%2C%20and%20I'd%20still%20like%20to%20prevent%20them%20from%20installing%20other%20AV's%20or%20at%20least%20not%20disable%20Defender%20when%20they%20are%20installed)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-569838%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-569838%22%20slang%3D%22en-US%22%3E%3CP%3EDisappointed%20overall%2C%20I%20mean%20this%20Defender%20ATP%20in%20general%20seemed%20so%20enterprise%20grade%20but%20when%20you%20really%20start%20trailing%20it%20the%20limited%20support%20for%20various%20OS's%2C%20etc.%2C%20is%20just%20too%20much%2C%20outside%20of%20Windows%2010%20almost%20everything%20has%20an%20exception.%26nbsp%3B%20Additionally%20it%20doesn't%20seem%20Device%20Threat%20Status%20even%20works%20in%20Intune%20without%20having%20your%20device%20both%20MDM%20Managed%20and%20Azure%20AD%20Domain%20Joined%2C%20MDM%20Managed%20with%20Azure%20AD%20Registered%20and%20the%20status%20never%20changes%20from%20deactivated.%26nbsp%3B%20This%20seems%20strange%20as%20I%20would%20think%20many%20would%20want%20to%20use%20this%20as%20part%20of%20managing%20security%20on%20BYOD%20devices%20as%20well%2C%20it%20almost%20forces%20you%20to%20get%20a%20package%20from%20a%203rd%20party%20to%20address%20the%20all%20up%20concern%2C%20most%20of%20us%20don't%20need%20another%20console%2C%20I%20wanted%20to%20love%20this%20solution%20but%20it%20feels%20a%20year%20or%20two%20away%20from%20being%20ready.%26nbsp%3B%20I%20will%20note%20that%20the%20device%20threat%20level%20detection%20works%20fine%20in%20the%20defender%20security%20center%20but%20losing%20the%20ability%20to%20control%20access%20via%20MCAS%20is%20unfortunat
e.%26nbsp%3B%20Are%20there%20plans%20to%20enable%20this%20without%20AZ%20AD%20Join%20required%3F%26nbsp%3B%20Any%20updates%20on%20the%20tamper%20protection%2C%20I%20was%20wondering%20why%20the%20setting%20was%20disabled%20with%20no%20way%20to%20manage%20it%20in%20Intune%20or%20locally.%20%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792235%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792235%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%201903%20with%201903%20GPO%20templates%20but%20I%20can't%20enable%20Tamper%20protection%20through%20GPO%20for%20all%20machines.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUsers%20are%20constantly%20asking%20question%20about%20that%20!!!!%20mark%20on%20the%20defender%20logo.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhy%20isn't%20this%20integrated%20in%20the%20GPO%20templates%3F!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-788839%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-788839%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20and%20how%20will%20tamper%20protection%20be%20available%20in%20windows%2010%20business%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ei%20have%20PCs%20running%201903%20but%20tamper%20protection%20not%20showing%20in%20virus%20settings%20page%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ei%20have%20seen%20registry%20key%20values%20of%200%20to%20disable%20and%205%20to%20enable.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethe%20tamper%20key%20on%20my%20customer%E2%80%99s%20systems%20is%20set%20to%202%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Emore%20interesting%20is%20that%20attempts%20to%20change%20the%20value%20to%200%20or%205%20are%20blocked%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethis%20leads%20me%20to%20thinking%20it%20is%20actually%20enabled%20but%20with%20no%20guidance%20on%20ho
w%20to%20enable%20disable%20or%20config%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792472%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792472%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F300463%22%20target%3D%22_blank%22%3E%40Sentry23%3C%2FA%3Ethere%20is%20not%20change%20in%20the%20way%203rd%20party%20AV%20registers%20with%20windows%20security%20app.%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3ESee%20below%20documentation%20for%20more%20details%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fprevent-changes-to-security-settings-with-tamper-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fprevent-changes-to-security-settings-with-tamper-protection%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792473%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792473%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388300%22%20target%3D%22_blank%22%3E%40stadmin%3C%2FA%3E%26nbsp%3BGPO%20can%20be%20altered%20by%20local%20ad
min%20on%20the%20device%20and%20easy%20to%20tampered%20with.%20If%20you%20are%20home%20user%20you%20can%20turn%20feature%20on%2Foff%20from%20windows%20security%20app.%20If%20you%20are%20MDATP%20E5%20customer%2C%20%26nbsp%3BTamper%20protection%20setting%20on%2Foff%20is%20managed%20from%20Intune%2C%20a%20secure%20payload%20issued%20by%20defender%20cloud%20for%20the%20organization%20to%20turn%20the%20feature%20on%2Foff%20%26nbsp%3B(note%3A%20MDATP%20E5%20version%20is%20yet%20to%20be%20GA).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792476%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792476%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20documentation%20is%20a%20copy-paste%20of%20this%20blog%20post.%20You're%20being%20asked%20where%20the%20GP%20for%20the%20new%20feature%20is%2C%20but%20you%20don't%20say%20you%20don't%20have%20it.%20Can't%20you%20give%20a%20clear%20a%20precise%20answer%3A%20%3CEM%3Eyes%2C%20this%20is%20the%20%3CPOLICY%20name%3D%22%22%3E%3C%2FPOLICY%3E%3C%2FEM%3E%26nbsp%3Bor%20%3CEM%3Eno%2C%20we%20don't%20have%20it%3C%2FEM%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAre%20you%20seriously%20saying%20you%20don't%20have%20GPO%20because%20the%20local%20admin%20can%20alter%20it%3F%20But%20then%20local%20admin%20can%20disable%20your%20new%20feature%20and%20change%20anything.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792477%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792477%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F250160%22%20target%3D%22_blank%22%3E%40enspireditaa%3C%2FA%3E%26nbsp%3B%20-%20is%20your%20device%20managed%20or%20non%20managed%3F%20value%202%20means%20the%20feature%20is%20not%20supported%20on%20the%20device.%26nbsp%3B%3C%2FP%3E%0A%3CP%3
E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERequest%20you%20to%20please%20log%20a%20bug%20using%20feedback%20hub%20%2C%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4021566%2Fwindows-10-send-feedback-to-microsoft-with-feedback-hub-app%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4021566%2Fwindows-10-send-feedback-to-microsoft-with-feedback-hub-app%3C%2FA%3E%3C%2FP%3E%0A%3CP%3ERequest%20you%20to%20please%20also%20add%20support%20cab%3C%2FP%3E%0A%3CP%3E%3CEM%3EFrom%20admin%20cmd.exe%20run%20below%20command%20and%20copy%20cab%20file%20generated.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EFile%20path%20will%20be%20shown%20at%20the%20end%20of%20output%20of%20getfiles%20command%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EC%3A%5CProgram%20Files%5CWindows%20Defender%5CMpCmdRun.exe%20-GetFiles%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792487%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792487%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226354%22%20target%3D%22_blank%22%3E%40Vadim%20Sterkin%3C%2FA%3E_%20Tamper%20protection%20feature%20is%20a%20secure%20setting%20and%20does%20not%20have%20GP%2C%20you%20can't%20really%20manage%20the%20feature%20using%20GP.%20If%20you%20are%20home%20user%2C%20you%20can%20turn%20the%20feature%20on%2Foff%20from%20Windows%20Security%20App.%20For%20Microsoft%20Defender%20ATP%26nbsp%3B%20enterprise%20customers%20feature%20can%20be%20managed%20from%20Intune%20only%20(currently%20in%20preview).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%
2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792490%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792490%22%20slang%3D%22en-US%22%3EOh%2C%20finally.%20This%20should%20be%20in%20the%20documentation!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792493%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792493%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline-block%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20padding-top%3A%2010px%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20vertical-align%3A%20top%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Contributor%20lia-component-message-view-widget-author-username%22%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20white-space%3A%20nowrap%3B%22%3E%3CA%20id%3D%22link_56%22%20class%3D%22lia-link-navigation%20lia-page-link%20lia-user-name-link%22%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23666666%3B%20font-weight%3A%20normal%3B%20text-decoration%3A%20none%3B%22%20href%3D%22h
ttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1392%22%20target%3D%22_self%22%3E%3C%2FA%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1392%22%20target%3D%22_blank%22%3E%40Jerod%20Powell%3C%2FA%3Eif%20you%20are%20MDATP%20E5%20customers%2C%20feature%20management%20from%20Intune%20is%20currently%20available%20in%20private%20preview%20mode%20.%20%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline-block%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20padding-top%3A%2010px%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20vertical-align%3A%20top%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Contributor%20lia-component-message-view-widget-author-username%22%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20white-space%3A%20nowrap%3B%22%3ELet%26nbsp%3B%20me%20know%20if%20you%20would%20like%20to%20try%20the%20feautre%20out%20and%20provide%20feedback.%20Your%20feedback%20is%20important%20to%20us%20and%20will%20help%20in%20shaping%20up%20the%20feature.%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-806520%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20prote
ction%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-806520%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20will%20this%20be%20supported%20for%20managed%20devices%20in%20Microsoft%20365%20business%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20can%20I%20keep%20my%20customers%20safe%20from%20trickbot's%20disabling%20of%20defender%20in%20the%20meantime%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-806597%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-806597%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102825%22%20target%3D%22_blank%22%3E%40Shweta%20Jha%3C%2FA%3E%26nbsp%3BI'd%20be%20happy%20to%20try%20out%20the%20Intune%20private%20preview%20if%20Jerod%20isn't%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E.%20We're%20MDATP%20E5.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-807370%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-807370%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F250160%22%20target%3D%22_blank%22%3E%40enspireditaa%3C%2FA%3E-%20Defender%20is%20able%20to%20detect%20and%20remediate%20trickbot's%20if%20your%20device%20has%2Fhad%20latest%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fwdsi%2Fdefenderupdates%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Esecurity%20intelligence%20update%3C%2FA%3Eand%2For%20has%20cloud%20protection%20feature%20turned%20o
n.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-807425%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-807425%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226354%22%20target%3D%22_blank%22%3E%40Vadim%20Sterkin%3C%2FA%3E%26nbsp%3B%20-%20thanks%20for%20your%20feedback%2C%20we%20have%20documentation%20updated%20(See%20FAQ%20section).%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fprevent-changes-to-security-settings-with-tamper-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fprevent-changes-to-security-settings-with-tamper-protection%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-808779%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-808779%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102825%22%20target%3D%22_blank%22%3E%40Shweta%20Jha%3C%2FA%3Ethanks%20much%20-%20could%20you%20please%20elaborate%20on%20what%20protection%20is%20provided%20by%20cloud%20protection%20compared%20to%20tamper%20protection%3F%3C%2FP%3E%3CP%3EAlso%2C%20any%20plans%20to%20add%20some%20or%20all%20of%20Defender%20ATP%20to%20365%20Business%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

We are committed to making our solutions resistant to attacks and are continuously working to raise the bar in security. In this blog post we’re covering the tamper protection feature in our antimalware solution. This feature builds on our previously announced Windows Defender Antivirus sandboxing capability and expands existing tamper protection strategies across Microsoft Defender Advanced Threat Protection.

 

Tamper protection is a new setting available in the Windows Security app which provides additional protections against changes to key security features, including limiting changes that are not made directly through the app.

 

If you are a home user, you can toggle the setting from the Virus & threat protection settings area in the app. For enterprise environments, the setting can be managed centrally through the Intune management portal.

 

We’re continuing to work on the feature, but the current version of the setting is available to Windows Insiders today. The full functionality of the feature (including support for enterprise-level management) will be released along with the upcoming release of Windows 10.

 

windows-security-tamper-protection.jpg

 

Enabling this feature prevents others (including malicious apps) from changing important protection features such as:

 

  • Real-time protection, which is the core antimalware scanning feature of Microsoft Defender ATP next gen protection and should rarely, if ever, be disabled
  • Cloud-delivered protection, which uses our cloud-based detection and prevention services to block never-before seen malware within seconds
  • IOAV, which handles the detection of suspicious files from the Internet
  • Behavior monitoring, which works with real-time protection to analyze and determine if active processes are behaving in a suspicious or malicious way and blocks them

 

The feature also prevents the deletion of security intelligence updates and the disabling of the entire antimalware solution. Note: There's no change in the way third-party antivirus solutions are registered with the Windows Security app. 

 

For Windows home users, the feature will be On by default when Windows is installed. If you are upgrading and Cloud-delivered protection is enabled, then the tampering protection feature will also be turned On.

 

For enterprise E5 customers (such as those with a Microsoft Defender ATP license), this feature will be opt-in and can only be managed from the Intune management console. Local device admin users will not be able to change the setting. This ensures that even malicious apps – or malicious actors – can’t locally override the setting. Note that enterprise management is not available in current preview versions of Windows 10, but we’ll be bringing it to preview shortly.

 

windows-security-tamper-protection-enterprise.png

 

Now in limited preview

 

We’re continuing to work on this feature, and you can test it out now on any recent Windows Insider build released during March 2019 or later. If you’d like to test this feature, please send us feedback via the Feedback Hub, or email us at wdcustomer@microsoft.com.

 

We’d love to have you on the journey so we can use your feedback and insights to deliver strong protection across platforms.

 

Not yet reaping the benefits of Microsoft Defender ATP’s industry-leading optics and detection capabilities? Sign up for a free trial today.

 


Iaan D’Souza-Wiltshire (@iaanMSFT) & Shweta Jha (@shwetajha_MS)
Microsoft Defender ATP
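
As an added example (not part of the original post and not Microsoft's own code), the PowerShell below audits the features the post lists as guarded by tamper protection and reports which are off. The function name `Test-DefenderProtectionState` and the sample objects are constructed for illustration; the property names are those returned by `Get-MpComputerStatus` and `Get-MpPreference` in the Defender PowerShell module, which the post itself does not mention.

```powershell
# Added example: audit the settings the post says tamper protection guards.
function Test-DefenderProtectionState {
    param(
        [Parameter(Mandatory)] $Status,      # output of Get-MpComputerStatus
        [Parameter(Mandatory)] $Preference   # output of Get-MpPreference
    )

    # Feature named in the post -> whether it is currently on.
    $checks = [ordered]@{
        'Antimalware service'        = $Status.AMServiceEnabled
        'Real-time protection'       = $Status.RealTimeProtectionEnabled
        'IOAV'                       = $Status.IoavProtectionEnabled
        'Behavior monitoring'        = $Status.BehaviorMonitorEnabled
        # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced
        'Cloud-delivered protection' = ($Preference.MAPSReporting -gt 0)
    }

    # IsTamperProtected is absent on builds that predate the feature,
    # so report "unknown" ($null) instead of treating a missing value as off.
    $tamper = $null
    if ($Status.PSObject.Properties.Name -contains 'IsTamperProtected') {
        $tamper = [bool]$Status.IsTamperProtected
    }

    foreach ($name in $checks.Keys) {
        $on = [bool]$checks[$name]
        if ($on)         { $finding = 'ok' }
        elseif ($tamper) { $finding = 'off although tamper protection is on: investigate' }
        else             { $finding = 'off; tamper protection not confirmed on' }
        [pscustomobject]@{ Feature = $name; Enabled = $on; Finding = $finding }
    }

    if ($null -eq $tamper) { $tpFinding = 'not reported by this build' }
    elseif ($tamper)       { $tpFinding = 'ok' }
    else                   { $tpFinding = 'off' }
    [pscustomobject]@{ Feature = 'Tamper protection'; Enabled = $tamper; Finding = $tpFinding }
}

# Constructed sample (not from a real host): real-time protection switched off.
$sampleStatus = [pscustomobject]@{
    AMServiceEnabled          = $true
    RealTimeProtectionEnabled = $false
    IoavProtectionEnabled     = $true
    BehaviorMonitorEnabled    = $true
    IsTamperProtected         = $false
}
$samplePref = [pscustomobject]@{ MAPSReporting = 2 }
Test-DefenderProtectionState -Status $sampleStatus -Preference $samplePref |
    Format-Table -AutoSize

# On a live host with the Defender module loaded:
# Test-DefenderProtectionState -Status (Get-MpComputerStatus) -Preference (Get-MpPreference)
```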

34 Comments
Senior Member

Should we already be able to enable this tamper protection within Intune in advance of the release, or is that forthcoming? I'm unable to find this setting in Intune.

Occasional Contributor

I expect technical posts from the PG, but you've provided neither details on implementation nor any examples of real-world scenarios in which this protection works.

 

Enabling this feature prevents others (including malicious apps)

What does "others" mean? If a script runs under my user account and disables Defender via the group policy, is this me or others? How do you differentiate me from others? 

 

Occasional Contributor

Will enterprise management really only be limited to Intune MDM, or will it be configurable from SCCM or Group Policy also?

Microsoft

Intune management is still under development and yet to come. Management for this feature will be limited to Intune (MDM/CSP) channel only to start with.  




 

Contributor

Are you aware that having this feature on breaks your own "Turn off Windows Defender Antivirus" policy?  "Breaks" as in has no effect unless Tamper Protection is off?  I'm thinking that shouldn't be by design, if it is. 

Microsoft

Hi Brian - Would you please be able to provide more details about your scenario and which MS policy you are talking about?

Contributor

Not too much more, since that is its exact name. It's located in Computer Configuration/Administrative Templates/Windows Components/Windows Defender Antivirus.

 

The scenario is anyone who wants to use the above policy will be blindsided by the fact that it no longer works without a) knowing about Tamper Protection, and b) disabling it. The description for the policy I mentioned, at the very least, should be updated to reflect this new reality. Unless it's a bug, in which case it should be fixed.

Microsoft

Thanks for pointing this out Brian. We will get GP policy description updates. Please note that disableantispyware is not a supported way to turn Defender off. See the documentation here: https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-window....

We have a KB article with this note added as well: https://support.microsoft.com/en-us/help/4490103/windows-10-prevent-changes-to-security-settings-wit...

Occasional Contributor

You're pointing to autounattend.xml parameters docs and claiming that the group policy is not supported. Please get your story straight.

 

And btw, where's the tamper protection documentation? 

You probably have your own group policy for tamper protection. Then you should document it.

 

Are there any other group policies that aren't compatible? Document it. We should not be finding this out by trial and error...

 

The MSKB article is pathetic. And while I'm on it, you should provide the full (official) group policy name instead of some "key".

Contributor

Right, that unattended setting, which I didn't know existed, isn't what I was talking about.

Microsoft

Yes Brian, underneath it's the same GP policy.

Contributor

OK, but the article saying it's not "supported" doesn't really track, does it?  Because it's an official group policy, and there's no hint that it's not supported.

 

If that's not a supported method, what is?!

Microsoft

The question is why do you want to turn off Windows Defender? I would like to understand your use case. Windows Defender comes with the OS and it remains on, unless any other 3P AV is registered with the Windows Security App. Once the other AV is registered with WSC, Windows Defender AV automatically goes into disabled mode, and this is the only supported way to disable Defender. Happy to schedule some time and talk. Let me know.

Occasional Contributor

No, the question is why a major security feature is being released without proper documentation, including its impact on other features such as Group Policies. 

 

As for your statement that disabling WD [via the Group Policy] is not supported, I'd like to see a clear and relevant documentation (not the one on the answer file settings) as well as a conclusive statement in the Group Policy which currently supports at least Vista. (And yes, I see the recommendation at the bottom of the GP description).

 

wd.png

 

Let's schedule a talk about this! 

 

 

Contributor

Very much agreed, on the last post.

 

But to answer Shweta's question, I like to disable it in test VMs, since they're already slow enough. This makes them more usable. Having AV in such an environment is completely N/A.

Microsoft

Hi Vadim, as I said before, we will get the GP description updated. Please note that the feature is still in preview and the official document is yet to come.

Brian - Defender is doing what it is supposed to do. In case you are certain about the environment and do not want any RTP overhead, you can use exclusions: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/confi...

 

Occasional Contributor
Shweta, there's no harm in publishing a documentation preview when you release a feature preview. GA is the end of May, your feature set is ready. Please send a comment when you publish your docs so we can see how serious you are.
Contributor

Shweta, excluding everything a) isn't possible and b) is counterproductive. I'll just continue to disable it.

 

Can you give us a preview of what the updated GP description is going to say?  Is it that it has a dependency on Tamper protection (which, btw, should have its own policy--why doesn't it?), or what, that we're only supposed to look at it longingly but not use it because it might be deprecated?

 

I don't think you've outright confirmed that it's intended to have said dependency. You've been a little cryptic.

New Contributor

Will tamper protection also prevent installation of third party AV's?

(As we have a group of dev machines that require local admin, and I'd still like to prevent them from installing other AV's or at least not disable Defender when they are installed)

Occasional Contributor

Disappointed overall, I mean this Defender ATP in general seemed so enterprise grade but when you really start trialing it the limited support for various OS's, etc., is just too much, outside of Windows 10 almost everything has an exception. Additionally it doesn't seem Device Threat Status even works in Intune without having your device both MDM Managed and Azure AD Domain Joined, MDM Managed with Azure AD Registered and the status never changes from deactivated. This seems strange as I would think many would want to use this as part of managing security on BYOD devices as well, it almost forces you to get a package from a 3rd party to address the all up concern, most of us don't need another console, I wanted to love this solution but it feels a year or two away from being ready. I will note that the device threat level detection works fine in the defender security center but losing the ability to control access via MCAS is unfortunate. Are there plans to enable this without AZ AD Join required? Any updates on the tamper protection, I was wondering why the setting was disabled with no way to manage it in Intune or locally.

Occasional Contributor

When and how will tamper protection be available in Windows 10 Business?

I have PCs running 1903 but tamper protection is not showing in the virus settings page.

I have seen registry key values of 0 to disable and 5 to enable.

The tamper key on my customer’s systems is set to 2.

More interesting is that attempts to change the value to 0 or 5 are blocked.

This leads me to thinking it is actually enabled but with no guidance on how to enable, disable or configure it.

 

 

Occasional Visitor

We have 1903 with 1903 GPO templates but I can't enable Tamper protection through GPO for all machines.

 

Users are constantly asking questions about that !!!! mark on the Defender logo.

 

Why isn't this integrated in the GPO templates?!

Microsoft

@Sentry23 there is no change in the way 3rd party AV registers with the Windows Security app.

See below documentation for more details - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/preve...

 

Microsoft

@stadmin GPO can be altered by a local admin on the device and is easy to tamper with. If you are a home user you can turn the feature on/off from the Windows Security app. If you are an MDATP E5 customer, the Tamper protection setting on/off is managed from Intune, a secure payload issued by Defender cloud for the organization to turn the feature on/off (note: MDATP E5 version is yet to be GA).

Occasional Contributor

The documentation is a copy-paste of this blog post. You're being asked where the GP for the new feature is, but you don't say you don't have it. Can't you give a clear and precise answer: yes, this is the <policy name> or no, we don't have it.

 

Are you seriously saying you don't have GPO because the local admin can alter it? But then local admin can disable your new feature and change anything.

Microsoft

@enspireditaa - is your device managed or non-managed? Value 2 means the feature is not supported on the device.

Request you to please log a bug using Feedback Hub, https://support.microsoft.com/en-us/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback...

Request you to please also add the support cab.

From an admin cmd.exe run the below command and copy the cab file generated.

The file path will be shown at the end of the output of the getfiles command.

"C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles

Microsoft

@Vadim Sterkin - Tamper protection feature is a secure setting and does not have GP, you can't really manage the feature using GP. If you are a home user, you can turn the feature on/off from the Windows Security App. For Microsoft Defender ATP enterprise customers the feature can be managed from Intune only (currently in preview).

 

 

Occasional Contributor
Oh, finally. This should be in the documentation!
Microsoft
@Jerod Powell if you are an MDATP E5 customer, feature management from Intune is currently available in private preview mode.
Let me know if you would like to try the feature out and provide feedback. Your feedback is important to us and will help in shaping up the feature.
Occasional Contributor

When will this be supported for managed devices in Microsoft 365 business?

 

How can I keep my customers safe from trickbot's disabling of defender in the meantime?

Occasional Contributor

@Shweta Jha I'd be happy to try out the Intune private preview if Jerod isn't :smile:. We're MDATP E5.

Microsoft

@enspireditaa - Defender is able to detect and remediate trickbot's if your device has/had latest security intelligence update and/or has cloud protection feature turned on.

 

 

Microsoft

@Vadim Sterkin  - thanks for your feedback, we have documentation updated (See FAQ section). 

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/preve...

Occasional Contributor

@Shweta Jha thanks much - could you please elaborate on what protection is provided by cloud protection compared to tamper protection?

Also, any plans to add some or all of Defender ATP to 365 Business?