Blog Post

Microsoft Defender for Endpoint Blog
3 MIN READ

Tamper protection in Microsoft Defender ATP

Eric Avena's avatar
Eric Avena
Icon for Microsoft rankMicrosoft
Mar 27, 2019
Update (October 14, 2019): Tamper protection is now generally available for Microsoft Defender ATP customers and enabled by default for home users   We are committed to making our solutions resis...
Updated Sep 25, 2020
Version 10.0
Tamper Protection
zik91's avatar
zik91
Copper Contributor
Nov 14, 2019

So, if you want to ENABLE Tamper Protection with GPO, you must create STARTUP SCRIPT 

Click ADD , then on Script Name write powershell.exe . On Script Parameters field write following script:

start-sleep -s 20 ; if ((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features').tamperprotection -ne 5 ) {Set-MpPreference -DisableRealtimeMonitoring 1 ; start-sleep -s 2 ; REG ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Features' /v TamperProtection /t REG_DWORD /d 5 /f ; start-sleep -s 2 ; Set-MpPreference -DisableRealtimeMonitoring 0}

The code must be on one line !

Click OK to save. Link this GPO to your Computers container and then run gpupdate in Powershell on Windows Server .
The value of register that controlling Tamper Protection must be 5 to be active. You can't change this value without system account. This script will check the value of the registry and if the value is not 5 - the script will change it to 5. The changes will be applied on client computers after two restarts. First is for changing the registry value to 5 . Second restart is for applying changes in Windows Defender. In two words - link this GPO to target machine. You may run gpupdate on target machines or force the GPO, because otherwise the restarts may be 3 times.
If you want to disable Windows Tamper Protection with this method, you must change value to 0 or other different than 5

start-sleep -s 20 ; if ((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features').tamperprotection -ne 0 ) {Set-MpPreference -DisableRealtimeMonitoring 1 ; start-sleep -s 2 ; REG ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Features' /v TamperProtection /t REG_DWORD /d 0 /f ; start-sleep -s 2 ; Set-MpPreference -DisableRealtimeMonitoring 0}

The start-sleep in the begin is to wait for the system to start Windows Defender. You can use this script in Powershell, but you must run Powershell with NT\System account (eg. with PSexec -> psexec.exe -s -i powershell.exe) . In this case the script can be entered without start-sleep in the begin 🙂 
This is tested on about 180 computers in company and working. The problem with turned off Tamper Protection still exits after upgrade to Windows 10 version 1909! . Sorry for my bad English and have a nice day!