Tamper Protection Disabled - This settings is managed by your administrator

Copper Contributor

After changing Antivirus (SentinelOne has been uninstalled) to using only Microsoft Defender with Huntress half of my devices have tamper protection disabled.  I cannot enable it via the Security app due to "This settings is managed by your administrator".  The regkey TamperProtection has a value of 0 which I am not able to change due to access rights error.  I cannot take owership of the same key, I get the same access denied error.  There is no other AV on the devices.  I have reset\repaired the Secuity app with zero luck.  I do not have Intune or SCCM, I have Endpoint Manager.  How do I enable Tamper Protection on these devices?

15 Replies
If it is still showing administratively managed then there must be a policy enforced to manage it. How are you managing the devices?
There is no policy managing it. I use Endpoint Central
That doesn’t sound right to me. By the look of things you clearly have some sort of security policies applied. Have you tried running rsop to capture the report on enforced policies?
Yes. There is no policy. All of defender is fine except for tamper protection. This is happening on half my devices, all getting the same policies.
This has got me intrigued. So the rsop is showing not configured against all Defender settings?
We have a 365 Tenant, but we are not using Intune, Defender Portal. All my users are Office E3. We use Office\Sharepoint\Onedrive for the most part.
I have got some more questions -
1.The devices where Tamper protection is enabled, are they also showing as administratively managed?
2. What is different between these devices?
3. Is sentinelone removed all the way on devices in question?
4. Are there any sentinelone policies that may still be applicable on the devices in question?

If you have already checked for all the above already, then I guess opening a support case with Sentinelone and\or Microsoft will be the next logical step.
Devices with TP enabled do NOT show the administratively managed.
Devices vary Win 10 (22h2)-11. I am still trying to figure out this. Nothing is different that i have found thus far other than the regkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features tamperprotection. Devices that have the message have a value of 0, where TP is good the value is 5

There are no SentinelOne policies in place. SentenelOne does not showup in REG.
Quite a pickle. Any way for you to push down a script to modify the registry to enable TP?
I have and it does not work, using Endpoint Central, runs a system. I have tired advancedRun to see if running as system user or trusedinstaller which also does not work. I have tried to take ownership of tamper protection HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features, access denied, I have tried taken ownship of tamper protection HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender, same err access denied, all as administrator
I haven’t tried this, but you can use a third party utility like setacl to give full control to administrators or the account you want to run your script under to modify the registry. This may be of some help - https://rahuljindalmyit.blogspot.com/2021/08/fixing-dma-requirement-for-silent-and.html
Thanks, I will give that a try
Hello Somedude1020
can you also try to take one client and try to offboard and onboard again?