Enable tamper protection in Threat & Vulnerability Management to increase your security posture
Published Feb 19 2020 11:14 AM
Microsoft

We are happy to announce that tamper protection is now supported in Microsoft Defender ATP Threat & Vulnerability Management to help raise your organization’s security posture.  

 

Now, within the security recommendations section of Threat & Vulnerability Management, SecOps and security administrators can see a recommendation to turn on tamper protection and then be able to learn more about the recommendation and act on it. This provides security teams greater visibility into how many machines don’t have this feature turned on, the ability to monitor changes over time, and a process to turn on the feature.

 

Tamper protection keeps threat actors from disabling the very security protection features that work to stop them from entering your unsuspecting network.

 

Shields up on malicious and unauthorized security changes

 

To see tamper protection status from within TVM, go to the security recommendations page and search for tamper, as shown in the following image:

 

[Image: TVM.png]

 

In the list of results, select Turn on Tamper Protection. This opens a flyout where you can learn more about the recommendation and turn the feature on. The flyout also has an Export option that gives you the list of exposed devices.

 

[Image: Flyover.png]

 

Availability in previous Windows 10 versions

 

Tamper protection is now also available in earlier versions of Windows 10.

 

We understand each organization’s environment is unique, with different needs, requirements, and therefore different timelines for planning, testing, and deploying Windows updates. We also know that our customers want to have the latest security features on the versions of Windows that are currently in their organizations. We listened to this customer feedback and are excited to be backporting this latest feature.

 

You can continue to enable tamper protection from Microsoft Intune based on user or device groups. Go to Microsoft Endpoint Manager > Device Configuration – Profiles > Create profile > Endpoint protection and configure tamper protection as shown in the following image:

 

[Image: Intune.png]

 

Once tamper protection is enabled by administrators, customers with Windows versions 1709, 1803, 1809 and 1903 can use PowerShell to confirm tamper protection is turned on:

  1. Open the Windows PowerShell app as an administrator.
  2. Run the Get-MpComputerStatus PowerShell cmdlet.
  3. In the output, look for IsTamperProtected. (A value of True means tamper protection is enabled.)
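The manual check above scales poorly beyond a handful of devices. The following script is an added example (not code from the post or from Microsoft) that wraps the same Get-MpComputerStatus / IsTamperProtected check in a function and runs it against several devices at once; it assumes PowerShell Remoting (WinRM) is enabled for the remote case, and the function name Get-TamperProtectionAudit and the device names PC01/PC02 are made up.

```powershell
# Added example (not from the original post): audit tamper protection across
# a set of devices. Assumes PowerShell Remoting (WinRM) is enabled for remote
# hosts. Get-MpComputerStatus and IsTamperProtected are the real cmdlet and
# property named in the post; the function name is hypothetical.
function Get-TamperProtectionAudit {
    [CmdletBinding()]
    param(
        # Defaults to the local machine; pass names to audit remote devices.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Script block executed on each device (locally or via Invoke-Command).
    $probe = {
        $status = Get-MpComputerStatus
        [pscustomobject]@{
            ComputerName       = $env:COMPUTERNAME
            OSBuild            = [System.Environment]::OSVersion.Version.ToString()
            IsTamperProtected  = $status.IsTamperProtected
            RealTimeProtection = $status.RealTimeProtectionEnabled
            Error              = $null
        }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                & $probe
            } else {
                Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop |
                    Select-Object ComputerName, OSBuild, IsTamperProtected, RealTimeProtection, Error
            }
        } catch {
            # Unreachable host, remoting disabled, or a build without Defender
            # status: record the failure instead of silently dropping the device.
            [pscustomobject]@{
                ComputerName       = $name
                OSBuild            = $null
                IsTamperProtected  = $null
                RealTimeProtection = $null
                Error              = $_.Exception.Message
            }
        }
    }
}

# Usage: list devices that still need tamper protection turned on.
# 'PC01' and 'PC02' are constructed placeholder names.
$results = Get-TamperProtectionAudit -ComputerName 'PC01', 'PC02'
$results | Where-Object { $_.IsTamperProtected -ne $true } | Format-Table -AutoSize
```

Devices that error out are listed alongside those reporting False, since an unreachable or unsupported device should be treated as unverified rather than protected.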

Those customers with Windows 10 version 1903 can also see that protection is turned on in the Windows Security app:

 

[Image: LocalUX.png]

 

Let us know what you think

 

Turn tamper protection on in your environment and give us your feedback. You can use Threat & Vulnerability Management to get the latest security recommendations and insights. Stay tuned! More exciting enhancements are coming up.

 

Learn more

 

Protect security settings with tamper protection.

 

Want to experience Microsoft Defender ATP? Sign up for a free trial. Microsoft Defender ATP is part of the Microsoft Threat Protection solutions which provides unified protection for identities, endpoints, email and data, apps, and infrastructure. Through signal sharing across Microsoft services, customers can count on Microsoft’s industry-leading optics and security technologies for combating today’s threats.

 

Shweta Jha (@shwetajha_MS)
Microsoft Defender ATP team

6 Comments
Brass Contributor

What is the reason behind GPO not being supported to control tampering?

Microsoft

@Björn Lagerwall - we would not expose GPO or any setting that can be used to alter Tamper Protection on a device by an admin, apps, or malware having admin privilege. With that said, if you use GPO to manage your devices through ConfigMgr, we are planning to support such devices from MEM (Microsoft Endpoint Manager). Stay tuned for our next update... :smile:

Brass Contributor

This is only available for 1903 and up? :( We have 1809s mostly right now...

Microsoft

@rockypabillore - this is available for Windows versions 1709, 1803, 1809 and 1903.

Brass Contributor

What about older Windows 10 versions like 1703 & 1607 & maybe LTSB 2016, Kasia?

Brass Contributor

Given that Microsoft locally refers to the "Endpoint protection" blade in device configuration as the "legacy security policy" in Intune, I'm curious as to why this setting was enabled there and not in the new "Endpoint Security" section?

We are seeing a real push from Microsoft 'encouraging' us to move all security and endpoint protection focused policies and configurations into Endpoint Security, so I'd be very interested in the reasoning that resulted in this 'new' setting being located in this area.
I'd prefer not to have to go back and make a new Endpoint Protection policy for just one setting.
I looked at the CSP page for this value and the syntax hasn't been posted so I guess we don't have the option of setting it via a custom Intune policy at this time either.

Version history: last updated Sep 28 2020 09:54 AM