Tamper protection will be turned on for all enterprise customers

JoshBregman · ‎Sep 20 2022

Tamper protection in Microsoft Defender for Endpoint protects your organization from unwanted changes to your security settings. Tamper protection helps prevent unauthorized users and malicious actors from turning off threat protection features, such as antivirus protection. Tamper protection also includes the detection of, and response to, tampering attempts.

Starting last year, to better protect our customers from ransomware attacks we turned on tamper protection by default for all new customers with Defender for Endpoint Plan 2 or Microsoft 365 E5 licenses. To further protect our customers, we are announcing that tamper protection will be turned on for all existing customers, unless it has been explicitly turned off in the Microsoft 365 Defender portal. For customers who haven’t already configured tamper protection, they’ll soon receive a notification stating that it will be turned on in 30 days. For example, public preview customers receive a notification on September 21, 2022 indicating that tamper protection will be turned on 30 days later, on October 24, 2022.

The following screenshot shows what the notification looks like:

Why should tamper protection be turned on?

Human operated ransomware is one of the biggest cybersecurity challenges facing customers today. Post-mortems of ransomware attacks have revealed two things:

Attackers are using a common set of tactics, techniques, and procedures (TTPs)
Defender for Endpoint could have helped more in preventing the attack if the controls that address those TTPs were configured.

We recommend that you turn tamper protection on and keep it enabled across your organization.

How to opt out

If you prefer that tamper protection not be turned on automatically for your tenant, you can explicitly opt out as follows:

Go to security.microsoft.com and sign in.
Go to Settings > Endpoints > Advanced features
Turn tamper protection on by selecting its toggle.
Select Save preferences
Turn tamper protection off by selecting its toggle.
Select Save preferences.

By explicitly turning tamper protection off, your intent to keep tamper protection turned off will be registered for your tenant. For more information see Protect security settings with tamper protection | Microsoft Docs.

How to disable tamper protection

If you encounter issues with devices, you can use troubleshooting mode to temporarily disable tamper protection: Get started with troubleshooting mode in Microsoft Defender for Endpoint | Microsoft Docs
If you are concerned about application compatibility with tamper protection, you can specify a subset of devices to disable tamper protection.

If you manage a device with	You disable tamper protection by
Intune (Microsoft Endpoint Manager)	Creating a Windows Security experience profile in Microsoft Endpoint Manager
Configuration Manager, version 2006 using tenant attach	Creating an endpoint security policy
Microsoft 365 Defender portal or 3rd party MDM	Using Security Management for Defender for Endpoint Note: Tamper protection is included in the Windows Security Experience, located within the Virus & threat protection settings section.

Learn more

Built-in protection helps guard against ransomware | Microsoft Docs

Tamper Protection

Defender for Endpoint security configuration management

Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint | ...

AnuragSrivastava · ‎Sep 20 2022

@JoshBregman - We wanted to enable Tamper Protection for Windows Servers (2016, 2019, 2022) with Intune as we need to manage exceptions for some of the servers whenever needed.

I saw an article where it was mentioned that You can exclude devices from tamper protection by creating a profile in Microsoft Endpoint Manager and by using Security Management for Defender for Endpoint.

But as per the screenshot below, Windows Security Experience Policy is currently not supported under MDE Security Configuration.

Is this already under work as this will be really helpful if we can have this option enabled in near future.

Thanks!

JoshBregman · ‎Sep 20 2022

@AnuragSrivastava Sorry for the confusion - Security Management for Microsoft Defender is "for devices that aren't managed by a Microsoft Endpoint Manager to receive security configurations for Microsoft Defender directly from Endpoint Manager."

If the device is managed using Microsoft Endpoint Manager then you can control tamper protection today.

Also, if you just need to turn off tamper protection occassionally to troubleshhot an issue, then you can just use Troubleshooting Mode

Let me know if this answers your question,

JB

AnuragSrivastava · ‎Sep 20 2022

@JoshBregman I'm bit confused here.

To give you the context, we have Windows Servers (2016, 2019, 2022) which aren't managed by Microsoft Endpoint Manager. And we want these servers to get the tamper protection settings from MEM (Intune) so that we can manage the exclusions from the MEM (Intune) portal in a better manner.

Now we have added the "MDE-Management" tag to some of our test servers and these servers do show in the Intune Portal.

So I wanted to check if I create the tamper protection policy under Windows Security Experience Profile and assign the policy to the group of test servers, will these servers get Tamper Protection on them.

Hope this is clear, thanks!

Matt_Call · ‎Sep 21 2022

Hey @AnuragSrivastava -

The Tamper Protection handler for our Security Management with Microsoft Defender for Endpoint is currently in private preview. You can expect it to be released shortly. In the meantime, you have the following options for managing Tamper Protection -

Using Microsoft Intune through the Windows Security Experience Profile
Using Microsoft Endpoint Configuration Manager through the corresponding Windows Security Experience Profile
Using the global MDE toggle mentioned by @JoshBregman above.

Feel free to reach out with any other questions -

MC

AnuragSrivastava · ‎Sep 22 2022

@Matt_Call - Thanks Matt, will look forward for tamper protection enablement with Security Management.

Christopher__ · ‎Sep 29 2022

Does tamper protection block changes coming from ConfigManager/SCCM, Intune, etc.? In my testing it appears that way. I'm currently enforcing tamper protection tenant wide in the security portal (security.microsoft.com). Does this mean if I want to change a defender setting on my systems I have to globally disable tamper protection every time before making the change?

AnuragSrivastava · ‎Sep 29 2022

Hi @Christopher__ - No not necessarily. There is a feature called Troubleshooting Mode which you can enable for a particular device where you want to disable tamper protection for some time.

The troubleshooting mode can be enabled from Defender Portal - security.microsoft.com.

You can find more details related to Troubleshooting Mode here - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-troubleshooting-mo...

JoshBregman · ‎Sep 29 2022

@Christopher__ Tamper protection does not block all changes. It only prevents changes to important security settings.

Protect security settings with tamper protection | Microsoft Learn

As @AnuragSrivastava mentioned, if you need to temporarily make changes to those settings, for example to troubleshoot an issue, there is troubleshooting mode.

Any changes to those settings, including tamper protection itself, will be reverted at the end of the troubleshooting mode session.

cashcow2022 · ‎Feb 14 2023

Hi,

It seems that Tamper Protection by Defender 365 Portal causes some issues with MDE Security Configuration - e.g. some events in Event Viewer that tamper protection blocks settings and therefore not being applied / running on error.

We can not control Windows Security Experience on such MDE-Managed devices like it's described in this blog post.

We already have an open ticket regarding this - but does anyone have news/updates for @AnuragSrivastava 's issue - when will the feature be released?

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs