Tamper protection in Microsoft Defender ATP

Published Mar 27 2019 11:30 AM
Microsoft

Update (October 14, 2019): Tamper protection is now generally available for Microsoft Defender ATP customers and enabled by default for home users.

 

We are committed to making our solutions resistant to attacks and continuously working towards raising the bar in security. In this blog we’re covering the tamper protection feature in our antimalware solution. This feature builds on our previously announced Windows Defender Antivirus sandboxing capability and expands existing tamper protection strategies across Microsoft Defender Advanced Threat Protection.

 

Tamper protection is a new setting available in the Windows Security app which provides additional protections against changes to key security features, including limiting changes that are not made directly through the app.

 

If you are a home user, you can toggle the setting from the Virus & threat protection settings area in the app. For enterprise environments, the setting can be managed centrally through the Intune management portal.

 

We’re continuing to work on the feature, but the current version of the setting is available to Windows Insiders today. The full functionality of the feature (including support for enterprise-level management) will be released along with the upcoming release of Windows 10.

 

[Image: windows-security-tamper-protection.jpg]

 

Enabling this feature prevents others (including malicious apps) from changing important protection features such as:

 

  • Real-time protection, which is the core antimalware scanning feature of Microsoft Defender ATP next-generation protection and should rarely, if ever, be disabled
  • Cloud-delivered protection, which uses our cloud-based detection and prevention services to block never-before-seen malware within seconds
  • IOAV, which handles the detection of suspicious files from the Internet
  • Behavior monitoring, which works with real-time protection to analyze and determine if active processes are behaving in a suspicious or malicious way and blocks them

 

The feature also prevents the deletion of security intelligence updates and the disabling of the entire antimalware solution. Note: There's no change in the way third-party antivirus solutions are registered with the Windows Security app. 
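
A read-only PowerShell check of tamper protection and the protections listed above, as an added example that is not part of the original post. It assumes the Defender module's `Get-MpComputerStatus` and `Get-MpPreference` cmdlets are available; the function name, the signature-age threshold and the mapping of cloud-delivered protection to `MAPSReporting` are this example's own choices.

```powershell
# Added example: read-only audit of the protections this post says tamper
# protection guards. Get-TamperProtectionAudit is a hypothetical helper name.
function Get-TamperProtectionAudit {
    [CmdletBinding()]
    param(
        # Assumed threshold: flag security intelligence older than this many days.
        [int]$MaxSignatureAgeDays = 3
    )

    $status = Get-MpComputerStatus -ErrorAction Stop
    $pref   = Get-MpPreference -ErrorAction Stop

    # Builds that predate the feature do not expose IsTamperProtected;
    # report that as "Unknown" instead of treating it as switched off.
    $tamper = if ($status.PSObject.Properties.Name -contains 'IsTamperProtected') {
        [bool]$status.IsTamperProtected
    } else {
        $null
    }

    $checks = [ordered]@{
        'Tamper protection'          = $tamper
        'Antimalware solution'       = [bool]$status.AntivirusEnabled
        'Real-time protection'       = [bool]$status.RealTimeProtectionEnabled
        # Assumption: MAPSReporting 0 means cloud-delivered protection is off.
        'Cloud-delivered protection' = ([int]$pref.MAPSReporting -ne 0)
        'IOAV'                       = [bool]$status.IoavProtectionEnabled
        'Behavior monitoring'        = [bool]$status.BehaviorMonitorEnabled
        'Security intelligence age'  = ([int]$status.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    }

    foreach ($name in $checks.Keys) {
        $value = $checks[$name]
        [pscustomobject]@{
            Check = $name
            State = if ($null -eq $value) { 'Unknown' } elseif ($value) { 'OK' } else { 'Attention' }
        }
    }
}

# Print the report and warn about anything that is not in the expected state.
$report = Get-TamperProtectionAudit
$report | Format-Table -AutoSize

$findings = @($report | Where-Object { $_.State -ne 'OK' })
if ($findings.Count -gt 0) {
    Write-Warning ("Needs review: " + (($findings | ForEach-Object { $_.Check }) -join ', '))
}
```

On a device where a third-party antivirus is registered with the Windows Security app, several of these checks will report `Attention` because Defender is not the active antimalware solution.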

 

For Windows home users, the feature will be On by default when Windows is installed. If you are upgrading and Cloud-delivered protection is enabled, then the tamper protection feature will also be turned On.

 

For enterprise E5 customers (such as those with a Microsoft Defender ATP license), this feature will be opt-in and can only be managed from the Intune management console. Local device admin users will not be able to change the setting. This ensures that even malicious apps – or malicious actors – can’t locally override the setting. Note that enterprise management is currently in preview.

 

[Image: windows-security-tamper-protection-enterprise.png]

 

We’re continuing to work on this feature, and you can test it out now on any recent Windows Insider build released during March 2019 or later. If you’d like to test this feature, please send us feedback via the Feedback Hub, or email us at wdcustomer@microsoft.com.

 

We’d love to have you on the journey so we can use your feedback and insights to deliver strong protection across platforms.

 

Not yet reaping the benefits of Microsoft Defender ATP’s industry-leading optics and detection capabilities? Sign up for a free trial today.

 


Iaan D’Souza-Wiltshire (@iaanMSFT) & Shweta Jha (@shwetajha_MS)
Microsoft Defender ATP

on!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792493%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792493%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline-block%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20padding-top%3A%2010px%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20vertical-align%3A%20top%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Contributor%20lia-component-message-view-widget-author-username%22%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20white-space%3A%20nowrap%3B%22%3E%3CA%20id%3D%22link_56%22%20class%3D%22lia-link-navigation%20lia-page-link%20lia-user-name-link%22%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23666666%3B%20font-weight%3A%20normal%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1392%22%20target%3D%22_self%22%3E%3C%2FA%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1392%22%20target%3D%22_blank%22%3E%40Jerod%20Powell%3C%2FA%3Eif%20you%20are
%20MDATP%20E5%20customers%2C%20feature%20management%20from%20Intune%20is%20currently%20available%20in%20private%20preview%20mode%20.%20%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline-block%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20padding-top%3A%2010px%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20vertical-align%3A%20top%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Contributor%20lia-component-message-view-widget-author-username%22%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20white-space%3A%20nowrap%3B%22%3ELet%26nbsp%3B%20me%20know%20if%20you%20would%20like%20to%20try%20the%20feautre%20out%20and%20provide%20feedback.%20Your%20feedback%20is%20important%20to%20us%20and%20will%20help%20in%20shaping%20up%20the%20feature.%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-806520%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-806520%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20will%20this%20be%20supported%20for%20managed%20devices%20in%20Microsoft%20365%20business%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20can%20I%20keep%20my%2
0customers%20safe%20from%20trickbot's%20disabling%20of%20defender%20in%20the%20meantime%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-806597%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-806597%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102825%22%20target%3D%22_blank%22%3E%40Shweta%20Jha%3C%2FA%3E%26nbsp%3BI'd%20be%20happy%20to%20try%20out%20the%20Intune%20private%20preview%20if%20Jerod%20isn't%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E.%20We're%20MDATP%20E5.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-807370%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-807370%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F250160%22%20target%3D%22_blank%22%3E%40enspireditaa%3C%2FA%3E-%20Defender%20is%20able%20to%20detect%20and%20remediate%20trickbot's%20if%20your%20device%20has%2Fhad%20latest%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fwdsi%2Fdefenderupdates%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Esecurity%20intelligence%20update%3C%2FA%3Eand%2For%20has%20cloud%20protection%20feature%20turned%20on.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-807425%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-807425%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2F
t5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226354%22%20target%3D%22_blank%22%3E%40Vadim%20Sterkin%3C%2FA%3E%26nbsp%3B%20-%20thanks%20for%20your%20feedback%2C%20we%20have%20documentation%20updated%20(See%20FAQ%20section).%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fprevent-changes-to-security-settings-with-tamper-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fprevent-changes-to-security-settings-with-tamper-protection%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-808779%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-808779%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102825%22%20target%3D%22_blank%22%3E%40Shweta%20Jha%3C%2FA%3Ethanks%20much%20-%20could%20you%20please%20elaborate%20on%20what%20protection%20is%20provided%20by%20cloud%20protection%20compared%20to%20tamper%20protection%3F%3C%2FP%3E%3CP%3EAlso%2C%20any%20plans%20to%20add%20some%20or%20all%20of%20Defender%20ATP%20to%20365%20Business%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-828234%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-828234%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102825%22%20target%3D%22_blank%22%3E%40Shweta%20Jha%3C%2FA%3E%26nbsp%3Bthanks%20for%20updating%20the%20docs%2C%20much%20better%20now!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-830360%2
2%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-830360%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F291676%22%20target%3D%22_blank%22%3E%40enspireditaa_01%3C%2FA%3E%26nbsp%3B%20-%20Sure%2C%26nbsp%3B%20you%20can%20find%20more%20information%20about%20cloud%20protection%20here%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fenable-cloud-protection-windows-defender-antivirus%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fenable-cloud-protection-windows-defender-antivirus%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDefender%20on%20the%20box%20works%20in%20synch%20with%20cloud%20protection%20to%20provide%20next%20gen%20protection%20capacities%2C%20you%20would%20see%20an%20nice%20diagram%20on%20various%20capabilities%20provided%20on%20the%20box%20and%20cloud.%20Tamper%20protection%20on%20the%20other%20hand%20ensures%20changes%20to%20defender%20services%20and%20its%20feature%20are%20not%20tampered%20with.%26nbsp%3B%20See%20this%20document%20for%20details%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fprevent-changes-to-security-settings-with-tamper-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fprevent-changes-to-security-settings-with-tamper-protection%3C%2FA%3E%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorclipboard_image_1%22%20class%3D%22mceNon
Editable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20id%3D%22tinyMceEditorclipboard_image_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-836669%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-836669%22%20slang%3D%22en-US%22%3E%3CP%3Ei%20can't%20find%20the%20intune%20setting%20to%20enable%20tamper%20protection.%20when%20will%20this%20be%20possible%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fprevent-changes-to-security-settings-with-tamper-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fprevent-changes-to-security-settings-with-tamper-protection%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F130091i5003636E191CDFE7%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-837053%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-837053%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F207614%22%20target%3D%22_blank%22%3E%40Wolfgang%20Bach%3C%2FA%3E-%20Defender%20tamper%20protection%20feature%20is%20currently%20in%20preview%2C%20I%20sent%20you%20message%20if%20you%20would%2
0like%20to%20try%20the%20feature%20in%20preview%20mode.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-842797%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-842797%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102825%22%20target%3D%22_blank%22%3E%40Shweta%20Jha%3C%2FA%3EI%20would%20love%20to%20try%20it.%20I%20have%20followed%20the%20steps%20in%20the%20doc%20to%20make%20sure%20I%20meet%20all%20the%20requirements.%20Thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-843133%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-843133%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102825%22%20target%3D%22_blank%22%3E%40Shweta%20Jha%3C%2FA%3E%26nbsp%3BCould%20you%20add%20a%20Group%20Policy%20that%20%3CSTRONG%3Eenables%3C%2FSTRONG%3ETamper%20Protection%20but%20doesn't%20allow%20disabling%20it%20(unless%2C%20of%20course%2C%20you%20physically%20login%20to%20the%20device%20to%20turn%20it%20off%20just%20like%20a%20home%20user)%3F%20That%20way%2C%20it%20would%20still%20not%20allow%20malicious%20programs%20to%20change%20the%20setting.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20description%20of%20the%20policy%2C%20you%20could%20indicate%20this%20behavior%20so%20that%20administrators%20know%20what%20they%20are%20getting%20into%20and%20that%20the%20decision%20is%20irreversible.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-917544%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-917544%22%20slang%3D%22en-US%22%3E%3CP%3EI%20now%20see%20that%20this%20is%20generally%20available%20f
or%20unmanaged%20PCs%20and%20e5%20PCs%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Esure%20seems%20like%20365%20business%20is%20now%20less%20secure%20than%20an%20unmanaged%20PC%20wrt%20tamper%20protection.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethis%20Undermines%20the%20idea%20that%20365%20business%20is%20more%20secure%2C%20which%20WAS%20a%20key%20selling%20point%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-920114%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-920114%22%20slang%3D%22en-US%22%3EOkay%20so%2C%20I%20care%20about%20security%2C%20I%20understand%20the%20value%2C%20I%20accept%20why%20it%20is%20implemented%20the%20way%20it%20is%2C%20I%20think%20it's%20overall%20a%20positive%20move.%20However%2C%20I%20see%20a%20big%20issue%20i'm%20not%20seeing%20a%20real%20solution%20to.%20Say%20I%20get%20200%20new%20Windows%2010%20machines%2C%20they%20will%20come%20Windows%20Defender%20and%20Tamper%20Protection%20enabled%20out%20the%20box%2C%20so%20far%20so%20good.%20Lets%20understand%20and%20accept%20the%20context%20that%20I%20do%20not%20have%20Intune%2C%20I%20don't%20plan%20to%20use%20Intune%2C%20instead%20like%20most%20businesses%20I%20rely%20on%20group%20policy%20and%20powershell%20to%20manage%20the%20200%20devices%2C%20so%20far%20so%20good.%20If%20i%20try%20to%20use%20powershell%20or%20group%20policy%20to%20disable%20windows%20defender%20it%20wont%20have%20any%20effect.%20That%20i%20accept%2C%20its%20not%20supported%2C%20you're%20protecting%20me%2C%20windows%20is%20a%20service%2C%20tamper%20protection%20protects%20me%20even%20from%20bad%20admins%2C%20good%20good%20good%20and%20good.%20However!%20Windows%20Defender%20PUA%20(potentially%20unwanted%20application)%20protection%20is%20disabled%20by%20default%2C%20Network%20Protection%20(like%20system%20wide%20smart%20screen)%20is%20disabled%20by%20default%2C%20ASR%20(attack%20surface%20reduction)%20rules%20are%20dis
abled%20by%20default.%20So%20I%20go%20off%20and%20do%20my%20little%20powershell%20thing%20to%20enable%20those%20defender%20features%20on%20those%20200%20machines.%20(Set-MpPreference%20-PUAProtection%20Enabled%20Set-MpPreference%20-EnableNetworkProtection%20Enabled%20Set-MpPreference%20-AttackSurfaceReductionRules_Ids%20blah%20blah%20blah)%20I%20then%20wanna%20check%20that%20its%20worked%20as%20intended%20so%20I%20do%20a%20Get-MpPreference%20and%20they'll%20report%20back%20that%20those%20features%20are%20enabled%20as%20I%20configured%20them%2C%20everything%20is%20fine%20right%3F%20wrong!%20Tamper%20Protection%20means%20PUA%2Fnetwork%2FASR%20protections%20are%20still%20disabled%20even%20when%20powershell%20reports%20they%20are%20now%20turned%20on.%20The%20only%20way%20i%20can%20be%20sure%20is%20to%20physically%20connect%20to%20the%20machine%20and%20run%20evaluations%20to%20check%20the%20features%20are%20functioning%2C%20and%20they%20are%20not%20functioning%2C%20despite%20the%20fact%20that%20Get-MpPreference%20implies%20otherwise.%20Is%20it%20really%20the%20case%2C%20that%20i%20have%20to%20go%20to%20every%20single%20one%20of%20these%20200%20machines%2C%20turn%20off%20tamper%20protection%2C%20enable%20PUA%20protection%2C%20enable%20network%20protection%2C%20enable%20ASR%20rules%2C%20and%20then%20turn%20tamper%20protection%20back%20on%3F%20Thats%20really%20what%20i%20have%20to%20do%20to%20enable%20these%20basic%20security%20features%3F%20One%20by%20one%20on%20all%20200%20machines%3F%20and%20then%20i%20still%20cant%20check%20remotely%20on%20a%20regular%20basis%20if%20they%20are%20on%20because%20the%20powershell%20is%20a%20lie%3F%20There's%20the%20view%20that%20defender%20isn't%20that%20good%2C%20and%20i%20tell%20people%20it%20is%20good%2C%20and%20the%20thing%20holding%20it%20back%20is%20mainly%20that%20PUA%20detection%20is%20off%20by%20default%2C%20unlike%20every%20other%20AV%20on%20the%20market%20(thats%20how%20malwarebytes%20got%20its%20fame%2C%20its%20not%20actually%2
0better).%20My%20advice%20to%20those%20people%20is%20to%20turn%20on%20PUA%20protection%20on%20via%20group%20policy%20or%20powershell%2C%20and%20consider%20turning%20on%20network%20protection%2C%20implementing%20the%20ASR%20rules.%20But%20now%20doing%20so%20will%20have%20no%20effect%2C%20because%20tamper%20protection%20blocks%20them.%20and%20even%20worse%2C%20group%20policy%20and%20powershell%20both%20imply%20to%20administrators%20that%20the%20features%20are%20enabled%20and%20running%2C%20when%20they're%20actually%20completely%20disabled!%20I'm%20all%20for%20tamper%20protection%2C%20but%20forcing%20me%20to%20use%20intune%20just%20to%20enable%20PUA%20protection%20is%20terrible!%20and%20what%20about%20home%20users%3F%20why%20is%20there%20no%20option%20for%20PUA%20protection%20in%20the%20security%20centre%20gui%3F%3F%3F%3F%20Tamper%20protection%20has%20been%20around%20since%20April%2C%20i've%20used%20it%2C%20the%20documentation%20was%20originally%20brief%20and%20incorrect%20(might%20still%20be)%2C%20i've%20learnt%20it%20was%20what%20broke%20these%20security%20features%20from%20being%20enabled%2C%20i%20assumed%20it'd%20be%20getting%20fixed%20in%2019h2%20or%2020h1.%20Now%20you're%20saying%20no%2C%20its%20not%20being%20fixed%2C%20but%20instead%20its%20being%20rolled%20out%20and%20turned%20on%20by%20default%20so%20basic%20critical%20features%20such%20as%20blocking%20known%20malicious%20software%20and%20known%20malicious%20websites%20are%20now%20prevented%20from%20being%20enabled%20by%20the%20people%20that%20need%20the%20protection%20the%20most%3F%3F%20I%20mean%20no%20disrespect%20at%20all%20but%20I%20simply%20cannot%20log%20into%20all%20200%20computers%20one%20by%20one%20to%20disable%20tamper%20protection%20(which%20i%20want%20enabled)%20to%20enable%20security%20features%20that%20should%20be%20on%20by%20default.%20Does%20nobody%20else%20see%20this%20as%20a%20massive%20issue%3F%3F%20It%20seems%20like%20one%20step%20forward%20and%20two%20steps%20back.%20And%20holding%20back%2
0basic%20functionality%20and%20using%20it%20to%20shill%20Azure%20AD%20and%20Intune%20is%20the%20exact%20opposite%20of%20market%20leadership%2C%20or%20%22advanced%20threat%20protection%22.%20Please%20please%20address%20this%2C%20and%20i%20apologise%20for%20my%20impolite%20tone%20and%20general%20rant%2C%20it%20is%20not%20intended%20at%20anybody%20specifically.%20(PS%20I%20genuine%20wish%20Microsoft%20followed%20through%20with%20important%20projects%20like%20nano%20server%20and%20REFS%20that%20were%20thrown%20to%20one%20side%20because%20despite%20being%20the%20future%20turns%20out%20you%20can%20save%20money%20for%20a%20couple%20quarters%20by%20giving%20up%20and%20screwing%20stakeholders.%20This%20seems%20like%20one%20of%20those%20things.)%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-995809%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-995809%22%20slang%3D%22en-US%22%3E%3CP%3EI%20need%20a%20way%20to%20problematically%20disable%20Tamper%20Protection.%3C%2FP%3E%3CP%3EI%20perform%20security%20product%20testing%20and%20evaluation%20in%20a%20small%20Active%20Directory%20environment.%3C%2FP%3E%3CP%3EMy%20testing%20requires%20that%20I%20completely%20disable%20Windows%20Defender%20so%20that%20I%20can%20accurately%20measure%20a%20security%20product's%20ability%20to%20detect%20specific%20cyber%20threats.%3C%2FP%3E%3CP%3EPresently%2C%20I%20have%20to%20manually%20disable%20Tamper%20Protection%20in%20the%20GUI%20over%205%20hosts%20in%20order%20to%20perform%20our%20tests%2C%20and%20its%20needlessly%20tedious.%3C%2FP%3E%3CP%3EWe%20do%20not%20have%20Intune.%3C%2FP%3E%3CP%3EIs%20there%20any%20way%20I%20can%20disable%20Tamper%20Protection%20from%20PowerShell%20with%20Domain%20Admin%20rights%3F%3C%2FP%3E%3CP%3EIs%20there%20another%20solution%20other%20than%20disabling%20Tamper%20Protection%20manually%20through%20the%20GUI%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1008
238%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1008238%22%20slang%3D%22en-US%22%3E%3CP%3ESo%2C%20if%20you%20want%20to%20%3CSTRONG%3EENABLE%20Tamper%20Protection%3C%2FSTRONG%3E%20with%20GPO%2C%20you%20must%20create%20%3CSTRONG%3ESTARTUP%20SCRIPT%3C%2FSTRONG%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157170i8D5EA54DCEC14403%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EClick%20%3CSTRONG%3EADD%3C%2FSTRONG%3E%20%2C%20then%20on%20%3CSTRONG%3EScript%20Name%26nbsp%3B%3C%2FSTRONG%3Ewrite%20%3CSTRONG%3Epowershell.exe%26nbsp%3B%3C%2FSTRONG%3E.%20On%20%3CSTRONG%3EScript%20Parameters%3C%2FSTRONG%3E%20field%20write%20following%20script%3A%3C%2FP%3E%3CPRE%3Estart-sleep%20-s%2020%20%3B%20if%20((Get-ItemProperty%20-Path%20'HKLM%3A%5CSOFTWARE%5CMicrosoft%5CWindows%20Defender%5CFeatures').tamperprotection%20-ne%205%20)%20%7BSet-MpPreference%20-DisableRealtimeMonitoring%201%20%3B%20start-sleep%20-s%202%20%3B%20REG%20ADD%20'HKLM%5CSOFTWARE%5CMicrosoft%5CWindows%20Defender%5CFeatures'%20%2Fv%20TamperProtection%20%2Ft%20REG_DWORD%20%2Fd%205%20%2Ff%20%3B%20start-sleep%20-s%202%20%3B%20Set-MpPreference%20-DisableRealtimeMonitoring%200%7D%3C%2FPRE%3E%3CP%3EThe%20code%20must%20be%20on%20one%20line%20!%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157173i4AFB671740619942%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22cl
ipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EClick%20%3CSTRONG%3EOK%3C%2FSTRONG%3E%20to%20save.%20Link%20this%20GPO%20to%20your%20%3CSTRONG%3EComputers%3C%2FSTRONG%3E%20container%20and%20then%20run%20%3CSTRONG%3Egpupdate%3C%2FSTRONG%3E%26nbsp%3Bin%20%3CSTRONG%3EPowershell%3C%2FSTRONG%3E%20on%20%3CSTRONG%3EWindows%20Server%3C%2FSTRONG%3E%26nbsp%3B.%3CBR%20%2F%3EThe%20value%20of%20register%20that%20controlling%20Tamper%20Protection%20must%20be%20%3CSTRONG%3E5%3C%2FSTRONG%3E%20to%20be%20active.%20You%20can't%20change%20this%20value%20without%20system%20account.%20This%20script%20will%20check%20the%20value%20of%20the%20registry%20and%20if%20the%20value%20is%20not%20%3CSTRONG%3E5%3C%2FSTRONG%3E%20-%20the%20script%20will%20change%20it%20to%20%3CSTRONG%3E5%3C%2FSTRONG%3E.%26nbsp%3BThe%20changes%20will%20be%20applied%20on%20client%20computers%20after%20two%20restarts.%20First%20is%20for%20changing%20the%20registry%20value%20to%205%20.%20Second%20restart%20is%20for%20applying%20changes%20in%20Windows%20Defender.%20In%20two%20words%20-%20link%20this%20GPO%20to%20target%20machine.%20You%20may%20run%20%3CSTRONG%3Egpupdate%3C%2FSTRONG%3E%20on%20target%20machines%20or%20force%20the%20GPO%2C%20because%26nbsp%3B%3CSPAN%3Eotherwise%20the%20restarts%20may%20be%203%20times.%3CBR%20%2F%3EIf%20you%20want%20to%20disable%20Windows%20Tamper%20Protection%20with%20this%20method%2C%20you%20must%20change%20value%20to%20%3CSTRONG%3E0%3C%2FSTRONG%3E%20or%20other%20different%20than%20%3CSTRONG%3E5%3C%2FSTRONG%3E.%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CPRE%3Estart-sleep%20-s%2020%20%3B%20if%20((Get-ItemProperty%20-Path%20'HKLM%3A%5CSOFTWARE%5CMicrosoft%5CWindows%20Defender%5CFeatures').tamperprotection%20-ne%200%20)%20%7BSet-MpPreference%20-DisableRealtimeMonitoring%201%20%3B%20start-sleep%20-s%202%20%3B%20REG%20ADD%20'HKLM%5CSOFTWARE%5CMicrosoft%5CWindows%20Defender%5CFeatures'%20%2Fv%20TamperProtection%20%2Ft%20REG_DWORD%20%2Fd%200%20%2Ff%20%3B%20start-sleep%20-s%202%20
%3B%20Set-MpPreference%20-DisableRealtimeMonitoring%200%7D%3C%2FPRE%3E%3CP%3E%3CSPAN%3EThe%20start-sleep%20in%20the%20begin%20is%20to%20wait%20for%20the%20system%20to%20start%20Windows%20Defender.%20You%20can%20use%20this%20script%20in%20%3CSTRONG%3EPowershell%3C%2FSTRONG%3E%2C%20but%20you%20must%20run%20%3CSTRONG%3EPowershell%3C%2FSTRONG%3E%20with%20%3CSTRONG%3ENT%5CSystem%3C%2FSTRONG%3E%20account%20%3CEM%3E(eg.%20with%20PSexec%20-%26gt%3B%3CSTRONG%3E%20psexec.exe%20-s%20-i%20powershell.exe%3C%2FSTRONG%3E)%26nbsp%3B.%26nbsp%3B%3C%2FEM%3EIn%20this%20case%20the%20script%20can%20be%20entered%20without%20start-sleep%20in%20the%20begin%20%3A)%3C%2Fimg%3E%26nbsp%3B%3CBR%20%2F%3EThis%20is%20tested%20on%20about%20180%20computers%20in%20company%20and%20working.%20%3CU%3E%3CSTRONG%3EThe%20problem%20with%20turned%20off%20Tamper%20Protection%20still%20exits%20after%20upgrade%20to%20Windows%2010%20version%201909!%3C%2FSTRONG%3E%3C%2FU%3E%20.%20Sorry%20for%20my%20bad%20English%20and%20have%20a%20nice%20day!%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1010126%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1010126%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F457671%22%20target%3D%22_blank%22%3E%40zik91%3C%2FA%3E%20-%20thanks%20for%20your%20reseach%20and%20posting%20this%20to%20us.%20I%20have%20asked%20our%20engineering%20team%20to%20look%20into%20this%20and%20update.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1187052%22%20slang%3D%22en-US%22%3ERe%3A%20Tamper%20protection%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1187052%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F457671%22%20target%3D%22_blank%22%3E%40zik91%3C%2FA%3E%
Last update: Sep 24 2020 05:35 PM