Make sure Tamper Protection is turned on

Microsoft

Aug 28, 2021

Tamper protection in Microsoft Defender for Endpoint (MDE) helps protect organizations like yours from unwanted changes to your security settings by unauthorized users. Tamper protection prevents malicious actors from turning off threat protection features, such as antivirus protection, and includes detection of, and response to tampering attempts. Tamper protection is available to customers ranging from consumers to enterprise organizations. If you haven’t already done so, turn on tamper protection now to help prevent attackers from disabling your antivirus and antimalware protection.

Why tamper protection is so important

Turning off anti-tampering measures, such as tamper protection, is often the first step in a ransomware, supply chain, or other Advanced Persistent Threat (APT) attack. (See our example later in this article.) By hardening against tampering, you can help prevent breaches from the outset. Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed through apps and other methods, such as registry key modifications, PowerShell cmdlets, Group Policy, and so on. Having tamper protection on is one of the most critical tools in your fight against ransomware.

Note: Because tamper protection is so critical in helping to protect against ransomware, we have taken the approach to enable it as on by default for all new Microsoft Defender for Endpoint tenants for some time now.

What to expect when tamper protection is enabled

In a digital estate where tamper protection is enabled, malicious apps, users, or admins are prevented from taking unauthorized or unintentional actions such as:

Disabling virus and threat protection
Disabling real-time protection
Turning off behavior monitoring
Disabling antivirus (such as IOfficeAntivirus (IOAV))
Disabling cloud-delivered protection
Removing security intelligence updates
Change threat severity actions (config name: ThreatSeverityDefaultAction)
Disable script scanning (config name: DisableScriptScanning)

Note: Tamper protection does not break your Group Policy Objects or Mobile Device Management configurations and scripts that are deployed through your security management solutions. Also, any unauthorized tampering (intentional or unintentional) with the reg key will be ignored by Defender for Endpoint.

Methods to manage tamper protection

Depending on your subscription and endpoint operating systems, you can choose from several methods to manage tamper protection. The following table lists the default state for different environments and ways to configure tamper protection in your organization.

Environment 

Tamper protection state

Methods to manage tamper protection

Microsoft 365 E5/ Education A5 - New Tenants

On by default  

- Microsoft Endpoint Manager: Intune for Windows 10 devices onboarded to Microsoft Defender for Endpoint (Defender for Endpoint)

- Microsoft Endpoint Manager: Configuration Manager Tenant attach for Windows Server 2016 & 2019 and Windows 10

- Microsoft 365 Defender portal (security.microsoft.com): under advanced feature settings for endpoints (global setting)

Microsoft 365 E5/ Education A5 - Existing Tenants

Off by default, but customers can opt-in

An example of tamper protection in action

As mentioned in the recent blog, Hunting down LemonDuck and LemonCat attacks, tamper protection helps prevent robust malware like LemonDuck from automatically disabling Microsoft Defender for Endpoint real-time monitoring and protection. The following diagram outlines the LemonDuck attack chain. Notice that in the Evasion phase, antimalware protection is disabled.

Unchecked, malware like LemonDuck can take actions that could, in effect, disable protection capabilities in Microsoft Defender for Endpoint. Disabling your threat protection frees the attacker to perform other actions, such as exfiltrating credentials and spreading to other devices. Tamper protection is designed to help safeguard people and organizations from such actions.

Next steps

Make sure tamper protection is turned on.

If you’re part of your organization’s security team, turn on tamper protection for your organization. See Protect security settings with tamper protection.
If tamper protection is turned on for some, but not all endpoints, consider turning it on tenant wide. You can do this using the Microsoft 365 Defender portal. See Manage tamper protection for your organization.

Let us know what you think! Post a comment and give us your feedback!

Updated Aug 30, 2021

Version 3.0

OludeleOgunrinde

Microsoft

Joined January 06, 2021

View Profile

Microsoft Defender for Endpoint Blog

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Defender for Endpoint by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Microsoft Privacy Statement

PhilMicrosoft
Microsoft
Aug 31, 2021
Hi Jose Camacaro Latouche

As per documentation, MEM/Intune takes precedence:

"If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft 365 Defender portal."

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide#manage-tamper-protection-for-your-organization-using-the-microsoft-365-defender-portal

Great question!
McAkins
Copper Contributor
Aug 30, 2021
Hi Dele,
How come you only mention activating for Enterprise and M365 in this post and not Consumer. You stated at the beginning of the post, the feature is available to Consumers too. Is it ON by default for Consumers or not? How do we activate as consumers?
McAkins
Copper Contributor
Aug 30, 2021
Found the link for protecting Consumer devices:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide#manage-tamper-protection-on-an-individual-device
OludeleOgunrinde
Microsoft
Aug 30, 2021
Hello McAkins,

Thanks for your insightful comment, and for your valid concern on the deliberate exclusion of Consumer devices in the table. While the goal of the blog is to reiterate the importance of TP for enterprise customers, it is good to be aligned and reemphasized your point of view. Hence, TP is on-by-default for Consumer devices (new devices), and it could be activated (Consumer devices with TP = off) by following the steps in the link above.
McAkins
Copper Contributor
Aug 30, 2021
Thanks, I've confirmed it is ON by default on my devices. Awesome.
Dheerajbudhori
Copper Contributor
Aug 29, 2021
Helpful
Jose Camacaro Latouche
Brass Contributor
Aug 30, 2021
Great article, OludeleOgunrinde . Thank you.

Hypothetical scenario:
If a device is configured to have Tamper Protection ON from Microsoft 365 Defender Portal (global setting), but it is also configured to have Tamper Protection OFF (Disabled) from a Configuration Profile from Intune, what is the outcome? Which configuration wins?
Jose Camacaro Latouche
Brass Contributor
Sep 01, 2021
PhilMicrosoft thanks! would it be the same if the tamper protection settings are configured via GPO or SCCM?
Security2021
Copper Contributor
Sep 02, 2021
Just make sure if your using SCCM and disable local admin merge you use the latest version of SCCM. Otherwise when you enable tamper protection you can no longer manage exclusions.

Blog Post