Tamper Protection for Microsoft Defender, the antimalware software that is built into Windows 10, first appeared in the Windows 10 May 2019 Update (19H1). It is designed to prevent users and malicious software from modifying registry-based settings for Defender that could make a system vulnerable to attack. You may have noticed that Tamper Protection wasn’t enabled by default in Windows 10 19H1. But that is due to change over the coming weeks as Microsoft looks to enable the setting out-of-the-box. According to a report by ZDNet’s Catalin Cimpanu, Microsoft says that starting October 14th, Tamper Protection will be enabled by default for all users in a multistage rollout over the coming weeks.
When Microsoft Defender or Defender ATP Tamper Protection is enabled, malicious software and users won’t be able to change the following features via the registry, Group Policy, or using PowerShell:
What’s interesting about Tamper Protection is that when enabled, protected Defender features can’t be changed using Intune, System Center Configuration Manager, and Windows Management Instrumentation. Any requests to change settings will be ignored. And there won’t be any Group Policy setting allowing enterprises to enable Tamper Protection across devices. Again, according to ZDNet’s report, Microsoft says:
“When an administrator enables the policy in Microsoft Intune, the tamper protection policy is digitally signed in the backend before it’s sent to endpoints. The endpoint verifies the validity and intent, establishing that it is a signed package that only security operations personnel with Microsoft Intune admin rights can control.”
So, Tamper Protection can only be turned on/off centrally on devices managed by Microsoft Intune and where Microsoft Defender Advanced Threat Protection (ATP) E5 is deployed. Enterprises using Microsoft Defender ATP will see an alert if the status of Tamper Protection changes on a device. In addition to the requirements already mentioned for Tamper Protection, there are some more requirements if you want to manage Tamper Protection using Intune:
Users wanting to manually enable Tamper Protection can do so using the Windows Security app in Windows 10.
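To confirm the setting actually took effect on a device, the state can be read back from PowerShell. The following is an added example, not from the original article or from Microsoft: it relies on the built-in `Get-MpComputerStatus` cmdlet and its `IsTamperProtected` property, and the function name `Get-TamperProtectionState` is made up for illustration.

```powershell
# Added example: report the Tamper Protection state of the local device.
# Get-TamperProtectionState is a hypothetical helper name, not a built-in cmdlet.
function Get-TamperProtectionState {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        OSBuild           = [System.Environment]::OSVersion.Version.Build
        DefenderAvailable = $false
        TamperProtected   = $null
        RealTimeEnabled   = $null
        Finding           = $null
    }

    # Get-MpComputerStatus fails when the Defender service is not running,
    # for example when a third-party antivirus product has replaced it.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        $result.Finding = "Defender status unavailable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    $result.DefenderAvailable = $true
    $result.RealTimeEnabled   = $status.RealTimeProtectionEnabled

    # Builds older than the May 2019 Update (19H1) do not have the feature,
    # so the property may be missing from the status object.
    if ($status.PSObject.Properties.Name -notcontains 'IsTamperProtected') {
        $result.Finding = 'IsTamperProtected not reported; build may predate 19H1'
    } else {
        $result.TamperProtected = [bool]$status.IsTamperProtected
        $result.Finding = if ($result.TamperProtected) {
            'Tamper Protection is on'
        } else {
            'Tamper Protection is off'
        }
    }
    [pscustomobject]$result
}

Get-TamperProtectionState | Format-List
```

Because the function returns an object rather than text, its output can be collected from several machines and filtered on `TamperProtected`.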
As I wrote recently on Petri, Microsoft has been investing heavily in security over the past several years and it appears to be paying off. And because Defender is also used as the basis for Defender ATP, which is an enterprise-class solution, it needs to be more than just ‘good enough’.
Defender won an AV-Test award in the home user category for Windows 10 malware protection for products tested in May and June 2019. Microsoft Defender came joint top with Symantec Norton Security, Kaspersky Internet Security, and F-Secure SAFE, closely followed by McAfee Internet Security and Trend Micro Internet Security. Adding Tamper Protection by default only helps to increase the product’s already effective protection.