tamper protection
8 Topics

Introducing tamper protection for exclusions
One of the most requested features for tamper protection is protection of antivirus exclusions. With that in mind, the Microsoft Defender team has implemented new functionality that allows (path, process, and extension) to be protected when deployed with Intune.

Intune disables Tamper Protection by default
We noticed a strange quirk about Intune and have repeatedly tested it across multiple tenants with freshly reinstalled workstations running Windows 10. Normally, Intune, much like AD, should not apply policies unless given a policy to apply. But we noticed that by default Intune will always apply a policy to DISABLE Tamper Protection by group policy when devices are enrolled unless you specifically make a configuration profile or otherwise to tell Intune to enable Tamper Protection on end devices. This seems like a strange behavior, and is not documented anywhere in the Microsoft Learn website. Also, if you run the PowerShell command Get-MpComputerStatus you will see that TamperProtectionSource now gets listed as "Signatures" with no explanation. Again, there is no documentation about this type in Microsoft Learn or any other public KBs. The KBs only had information about other states such as UI, Transition, etc. Is there a way to request Microsoft to provide documentation to fill in these important gaps in their knowledge base?

Tamper Protection managed by administrator and OFF - cannot be enabled manually when joined on-prem
Hi all, We are currently only managing Microsoft Defender ATP via Group Policy and there is no GPO for tamper protection. But we cannot enable it manually either. "This setting is managed by your administrator" and set tamper protection to OFF. When deploying a new Windows 10 I can enable it manually. When joining the computer to on-prem AD and GPO for Windows Defender ATP hits, tamper protection is turned off and you cannot change it. Is this by design or is there a GPO setting interfering? Thanks!

Tamper protection will be turned on for all enterprise customers
Starting last year, to better protect our customers from ransomware attacks we turned on tamper protection by default for all new customers with Defender for Endpoint Plan 2 or Microsoft 365 E5 licenses. To further protect our customers, we are announcing that tamper protection will be turned on for all existing customers, unless it has been explicitly turned off in the Microsoft 365 Defender portal. For customers who haven’t already configured tamper protection, they’ll soon receive a notification stating that it will be turned on in 30 days. For example, public preview customers receive a notification on September 21, 2022 indicating that tamper protection will be turned on 30 days later, on October 24, 2022.

Enable tamper protection in Threat & Vulnerability Management to increase your security posture
Now, within the security recommendations section of Threat & Vulnerability Management (TVM), SecOps and security administrators can see a recommendation to turn on tamper protection and then be able to learn more about the recommendation and act on it.