Go to mindcore.dk

Defender tamper protection

Defender tamper protection

Microsoft Defender

When our clients get unwanted guests, one thing they will often try is to disable Windows security features, like our antivirus protection.

Now with the right license in place we can prevent this from occurring, the following actions can be prevented:

  • Disabling virus and threat protection
  • Disabling real-time protection
  • Turning off behavior monitoring
  • Disabling cloud-delivered protection
  • Removing security intelligence updates

Tamper protection will prevent changes to Windows Defender using PowerShell, registry changes and through group policy settings.

In order to use tamper protection you nee access to Microsoft Defender Advanced Threat Protection through a Windows 10 enterprise E5 license.

Before changing anything we can verify the current status of this feature in Virus and threat protection settings.

image

The status can also be seen with the PowerShell command Get-MpComputerStatus | select IsTamperProtected.

image

We will then try to see that we can disable Windows Defender by a simple policy change.

image

Update policies.

image

And shortly after the services will change status from running to nothing.

image

And we can see that Virus and threat protection is not running.

image

So we are able to stop Windows defender with a GPO, let’s make sure the GPO is disabled again and that the services are restarted.

image

Now it’s time to try to enable the tamper protection feature with the Microsoft Endpoint manager admin center (https://endpoint.microsoft.com/).

Here we create a new configuration profile.

image

Select Platform as Windows 10 and later and Profile as Endpoint protection, and then click Create.

image

Name the profile and select Microsoft Defender Security Center.

image

Enable Tamper Protection and click OK.

image

Click OK again.

image

And the Create the profile.

image 

Whit the profile created , assign it to a group.

image

Select the desired group and Save.

image

Sync your device or just wait for the configuration to be assigned.

image

Now we can see that tamper protection is active with PowerShell.

image

And in Virus and threat protection settings.

image

No let’s try to change the GPO again.

image

This time nothings happen, the GPO is written to registry as expected.

image

But Windows defender stays active.

image 

Lars Lohmann
+ posts
Share this post

Table of Contents

Share this post
Search blog posts
Search
Authors

Mattias Melkersen Kalvåg

Modern Workplace consultant and a Microsoft MVP in Enterprise Mobility.

View profile

Linkedin Youtube Twitter

Sune Thomsen

Modern Workplace consultant and a Microsoft MVP in Windows and Devices.

View profile

Linkedin Twitter

Lars Lohmann Blem

Infrastructure architect with focus on Modern Workplace and Microsoft 365 security.

View profile

Linkedin Twitter

Michael Nielsen

Cloud & security specialist with focus on Microsoft backend products and cloud technologies.

View profile

Linkedin

Michael Morten Sonne

Cloud & security specialist with focus on Microsoft 365.

View profile

Linkedin

Daniel Britze

Cloud & Security Specialist, with a passion for all things Cybersecurity

View profile

Linkedin

Frank van Zandwijk

Cloud and infrastructure security specialist with background in networking.

View profile

Linkedin

Henning Hofflund

Infrastructure architect with focus on design, implementation, migration and consolidation.

View profile

Linkedin

Martin Vittrup Henriksen

Infrastructure consultant with focus on cloud solutions in Office365 and Azure.

View profile

Linkedin Twitter

Marcin Chwala

Modern workplace and infrastructure architect with a focus on Microsoft 365 and security.

View profile

Linkedin
follow us in feedly
Categories

    • Follow on SoMe

    Linkedin Twitter

    Contact us

    Follow us

    Linkedin Twitter