Thursday, April 2, 2020

Defender tamper protection

Microsoft Defender

When one of our clients gets unwanted guests, one of the first things the intruders often try is to disable Windows security features, such as our antivirus protection.

With the right license in place we can stop this from happening. Tamper protection blocks the following actions:

  • Disabling virus and threat protection
  • Disabling real-time protection
  • Turning off behavior monitoring
  • Disabling cloud-delivered protection
  • Removing security intelligence updates

Tamper protection prevents changes to Windows Defender made through PowerShell, direct registry edits and group policy settings.

In order to use tamper protection you need access to Microsoft Defender Advanced Threat Protection through a Windows 10 Enterprise E5 license.

Before changing anything we can verify the current status of this feature in Virus and threat protection settings.

The status can also be seen with the PowerShell command Get-MpComputerStatus | select IsTamperProtected.

Next we confirm that, without tamper protection, Windows Defender can be disabled by a simple policy change.

Update policies.

Shortly after, the Defender services change status from Running to no status at all (stopped).

And we can see that Virus and threat protection is not running.

So we are able to stop Windows Defender with a GPO. Before going further, let’s make sure the GPO is disabled again and that the services are restarted.

Now it’s time to enable the tamper protection feature from the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/).

Here we create a new configuration profile.

Select Platform as Windows 10 and later and Profile as Endpoint protection, and then click Create.

Name the profile and select Microsoft Defender Security Center.

Enable Tamper Protection and click OK.

Click OK again.

Then create the profile.

With the profile created, assign it to a group.

Select the desired group and Save.

Sync your device, or just wait for the configuration to be applied.

Now we can see with PowerShell that tamper protection is active.

And in Virus and threat protection settings.

Now let’s try to change the GPO again.

This time nothing happens. The GPO setting is written to the registry as expected.

But Windows Defender stays active.
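To make the two checks from this post repeatable (the Get-MpComputerStatus status check near the start, and the final "policy is in the registry but Defender is still running" comparison), here is a PowerShell script I put together as an added example; it is not code from the original post or from Microsoft. It assumes the GPO used in the lab is "Turn off Microsoft Defender Antivirus", which writes DisableAntiSpyware under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender; the post does not name the policy, so that path is an assumption. Run it from an elevated PowerShell prompt on the managed device.

```powershell
# Added example, not from the original post: compare what policy asks for with
# the state Defender is actually in, to see whether tamper protection is holding.
# ASSUMPTION: the GPO in use is "Turn off Microsoft Defender Antivirus", which
# sets DisableAntiSpyware under the Policies key below. Adjust if your lab differs.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policyValue = (Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
$policyWantsDefenderOff = ($policyValue -eq 1)

# Get-MpComputerStatus can fail outright when the Defender engine is stopped,
# so treat a failure as "engine not running" instead of aborting the report.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
}
catch {
    $status = $null
}
$engineRunning = ($null -ne $status -and $status.AntivirusEnabled)

$service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

$report = [pscustomobject]@{
    TamperProtected        = if ($status) { $status.IsTamperProtected } else { 'unknown (engine stopped)' }
    PolicyWantsDefenderOff = $policyWantsDefenderOff
    AntivirusEnabled       = $engineRunning
    RealTimeProtection     = if ($status) { $status.RealTimeProtectionEnabled } else { $false }
    BehaviorMonitoring     = if ($status) { $status.BehaviorMonitorEnabled } else { $false }
    WinDefendService       = if ($service) { $service.Status } else { 'not found' }
}
$report | Format-List

# Interpret the combinations walked through in the post.
if ($policyWantsDefenderOff -and $engineRunning) {
    Write-Output 'Policy requests Defender off but the engine is still running: tamper protection is blocking the change.'
}
elseif ($policyWantsDefenderOff -and -not $engineRunning) {
    Write-Warning 'Policy requests Defender off and the engine is stopped: tamper protection is not protecting this device.'
}
elseif ($status -and -not $status.IsTamperProtected) {
    Write-Warning 'Tamper protection is off; a local admin or a GPO can still disable Defender.'
}
else {
    Write-Output 'Tamper protection is on and no disabling policy is present.'
}
```

Before the Intune profile is applied you should see the second branch fire once the GPO is pushed (registry value present, engine stopped); after tamper protection is enabled the same GPO produces the first branch, which is exactly the "written to the registry but Defender stays active" result shown above.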