cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcing a global switch for tamper protection
By
Shweta Jha
Published Mar 08 2021 09:46 AM 10.8K Views
Shweta Jha
Microsoft
‎Mar 08 2021 09:46 AM

Announcing a global switch for tamper protection

‎Mar 08 2021 09:46 AM

Advanced breaches like human-operated ransomware campaigns and NOBELIUM continue to pose significant risks to businesses. Most of these breaches involve tampering with security solutions and settings. To defend against these types of breaches, it's clear that tamper protection in Microsoft Defender for Endpoint should be turned on for all devices. Tamper protection helps prevent bad actors from disabling security features, such as antivirus protection, on your devices.

 

Last year, we announced support for tamper protection on Configuration Manager managed devices (using tenant attach). Now, we are excited to announce that you can use the Microsoft Defender Security Center or Microsoft 365 security center to manage tamper protection for your organization. The update helps ensure that all devices onboarded to Microsoft Defender for Endpoint have tamper protection turned on, and is applicable for both active- and passive-mode devices.

 

MicrosoftTeams-image (6).png

 

 

TIP: If you are managing devices in a hybrid environment, or you need more granular control than a tenant-wide setting, continue using Intune or Configuration Manager. We recommend keeping tamper protection turned on, tenant wide. To do that, you can use the Microsoft Defender Security Center or the Microsoft 365 security center, our unified secops experience

 

You shouldn’t need to exclude devices from tamper protection; however, if your organization wants to exclude devices, use the Microsoft Endpoint Manager admin center. To learn more, see Exclude groups from a profile assignment.

 

Currently, the option to manage tamper protection in the security centers is on by default for new deployments. For existing deployments, tamper protection is available on an opt-in basis, with plans to make this the default method in near future.

 

To learn more, see our documentation about how to Manage tamper protection using the security center. These instructions apply to both the Microsoft Defender Security Center and the Microsoft 365 security center. 

 

There’s more to come!

 

Additional resources:

Microsoft Defender for Endpoint is an industry leading, cloud powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. If you’re not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free Microsoft Defender for Endpoint trial today.

 

 

Microsoft Defender for Endpoint team

 
 
 
 
 
 
10 Comments
rockypabillore
Brass Contributor
‎Mar 08 2021 11:51 AM
‎Mar 08 2021 11:51 AM

Anyone know if this will cause any conflicts if we already have the tamper protection deployed as "endpoint protection profile"?

0 Likes
Like
Shweta Jha
Microsoft
‎Mar 09 2021 08:18 AM
‎Mar 09 2021 08:18 AM

@rockypabillore - no, there will not be any conflict, the policy deployed through MEM - endpoint protection profile will take precedence. 

Philost
Brass Contributor
‎Mar 10 2021 02:06 AM
‎Mar 10 2021 02:06 AM

Hi,


This is an excellent idea for orgs where getting Intune (even tenant attach) delivered is easier said than done (I know it’s technically simple).

 

Will this interfere with the ability to set or update Defender AV registry based settings (via GPO) like “Define proxy server for connecting to the network”? Would love to turn this on but worried about negative side effects.

0 Likes
Like
Shweta Jha
Microsoft
‎Mar 10 2021 10:06 AM
‎Mar 10 2021 10:06 AM

@Philost - you only need defender AV cloud protection to be on, the device needs to talk to cloud back-end to pull the setting, and I am assuming this should already be the case. I would love to understand in detail on what all negative side effects you are worries about and how best we can help answer those. And yes, thanks for your interest to turn it on, its needed. 

0 Likes
Like
JH_Wiltshire
Copper Contributor
‎Mar 11 2021 08:54 AM
‎Mar 11 2021 08:54 AM

I turned this on earlier today and within an hour had five 'tamper protection bypass' alerts reporting 'svchost.exe has turned off Windows Defender AV security feature DisableAntiSpyware'.  Any ideas how to dig into this and investigate further?

0 Likes
Like
Shweta Jha
Microsoft
‎Mar 11 2021 11:37 AM
‎Mar 11 2021 11:37 AM

@JH_Wiltshire : interesting, I would like to analyze this, svchost.exe change request should be ignored. Let me send you offline message to follow-up, Appreciate your feedback.

Philost
Brass Contributor
‎Mar 12 2021 12:29 AM
‎Mar 12 2021 12:29 AM

Hi @Shweta Jha!

 

Some scenarios I can think of:

Tamper Protection is turned on globally and then a change to Defender (AV) client configuration needs to pushed to devices via SCCM, for example to change proxy settings, to add or remove exclusions, to switch network protection to or from audit mode etc - these will fail right?

 

Keep up the good work, it’s great you introduced this switch, might just not work for our use case. 

 

 

0 Likes
Like
rockypabillore
Brass Contributor
‎Mar 18 2021 05:27 AM
‎Mar 18 2021 05:27 AM

@Shweta Jha  thank you for the info! added to my to do list this month :)

tnopchai
Copper Contributor
‎Jul 30 2022 07:05 AM
‎Jul 30 2022 07:05 AM

Interestingly , this temper protection Block attempt of   Defender AV Policy applied by MDE Management,  Same Microsoft Defender Antivirus policy.. show success in MDM managed device but show fail using MDE Managed device. 

jaymcc510
Iron Contributor
‎Aug 01 2022 04:12 PM
‎Aug 01 2022 04:12 PM

great 

0 Likes
Like
Co-Authors
Version history
Last update:
‎Mar 15 2021 11:25 PM
Updated by: