When our clients get unwanted guests, one thing they will often try is to disable Windows security features, like our antivirus protection.
Now with the right license in place we can prevent this from occurring, the following actions can be prevented:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling cloud-delivered protection
- Removing security intelligence updates
Tamper protection will prevent changes to Windows Defender using PowerShell, registry changes and through group policy settings.
In order to use tamper protection you nee access to Microsoft Defender Advanced Threat Protection through a Windows 10 enterprise E5 license.
Before changing anything we can verify the current status of this feature in Virus and threat protection settings.
The status can also be seen with the PowerShell command Get-MpComputerStatus | select IsTamperProtected.
We will then try to see that we can disable Windows Defender by a simple policy change.
And shortly after the services will change status from running to nothing.
And we can see that Virus and threat protection is not running.
So we are able to stop Windows defender with a GPO, let’s make sure the GPO is disabled again and that the services are restarted.
Now it’s time to try to enable the tamper protection feature with the Microsoft Endpoint manager admin center (https://endpoint.microsoft.com/).
Here we create a new configuration profile.
Select Platform as Windows 10 and later and Profile as Endpoint protection, and then click Create.
Name the profile and select Microsoft Defender Security Center.
Enable Tamper Protection and click OK.
Click OK again.
And the Create the profile.
Whit the profile created , assign it to a group.
Select the desired group and Save.
Sync your device or just wait for the configuration to be assigned.
Now we can see that tamper protection is active with PowerShell.
And in Virus and threat protection settings.
No let’s try to change the GPO again.
This time nothings happen, the GPO is written to registry as expected.
But Windows defender stays active.