One of the greatest threats to enterprise PCs is malware -- or even an innocuous application -- that tampers with system configuration settings, potentially creating new vulnerabilities and weakening the system against future attacks.
With the Windows 10 1903 release, Microsoft introduced Tamper Protection to the Windows Security application, which enables IT admins to make it more difficult for other applications to alter sensitive security settings on the PC. There are some caveats to using Tamper Protection in Windows 10, however, so IT admins should understand how it works.
What is Tamper Protection in Windows 10?
When enabled, Tamper Protection prevents changes to important system security configuration settings -- especially changes that are not made directly through the Windows Security application. The goal is to prevent malicious software -- or even third-party applications -- from changing important security settings in Windows Defender Antivirus and other tools. Tamper Protection is available for both Home and Enterprise versions of Windows 10.
When Tamper Protection is enabled, outside applications can no longer change settings for real-time protection, which is part of the antimalware scanning feature of Microsoft Defender ATP; settings for Microsoft's Windows Defender Antivirus cloud-based malware protection services; settings for IOfficeAntivirus, which affects how suspicious files such as internet downloads are handled; or settings for behavior monitoring in real-time protection, which can stop suspicious or malicious system processes. Tamper Protection also prevents outside applications from deleting security intelligence updates or turning off Windows Defender antimalware protection entirely.
There are several important considerations with Tamper Protection. First, Tamper Protection does not prevent administrators from making changes to important security settings directly through the Windows Security application; Tamper Protection simply prevents third-party applications from changing those Windows settings. Second, Tamper Protection does not prevent or control how third-party antivirus or antimalware applications interoperate with the Windows Security application.
How do I enable or disable Tamper Protection in Windows 10?
Tamper Protection is enabled by default, but administrators can disable or reenable the feature as desired. Tamper Protection is presented as a single toggle switch in the Windows Security application, but it takes several steps to find the toggle. Administrators can access the toggle by first opening the Settings dialog -- clicking Start and selecting Settings from the Start menu. From Settings, they can select Windows Security, Virus & Threat Protection, and then Manage settings.
The Tamper Protection toggle should be visible, and administrators should be able to click on the toggle to turn it off or on. If the toggle is not visible, IT may need to update Windows 10. If Tamper Protection is turned off, users will see a small yellow warning symbol in the Windows Security application by the Virus & Threat Protection entry.
There is generally no need to disable Tamper Protection in Windows 10 unless it affects other validated tools. For example, Tamper Protection might block a known third-party tool such as ConfigureDefender from making changes to Windows Defender. Similarly, enterprise PCs that IT manages with comprehensive software installation policies may not require Tamper Protection.
Does Tamper Protection work with third-party security tools?
Tamper Protection prevents unauthorized changes to Windows Defender Antivirus settings through the system Registry. For example, when Tamper Protection is on, the DisableAntiSpyware group policy key in the Registry cannot disable Windows Defender Antivirus.
Some third-party security products, however, can make valid changes to security settings. Tamper Protection does work with third-party security products, and should ideally allow those validated third-party products to modify the settings guarded by Tamper Protection.
Tamper Protection uses real-time threat information to determine the potential risks of software and suspicious activities. IT can prevent "false positives" from Tamper Protection by accessing the Windows Security dialog and updating security intelligence to version 1.287.60.0 or later. Once IT admins update the system, Tamper Protection should continue to protect the system security settings in the Registry and log any attempts to modify those settings without generating errors.
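The checks discussed so far (the Tamper Protection toggle, the guarded Defender settings, the DisableAntiSpyware policy value and the minimum security intelligence version) can be gathered into one read-only PowerShell audit. This is an added example, not code from Microsoft or from the original article; the function and parameter names are hypothetical, the status properties are those returned by the Get-MpComputerStatus cmdlet, and the sample object is constructed.

```powershell
# Added example (not Microsoft's code): read-only audit of the Defender
# state that Tamper Protection guards. Function/parameter names are hypothetical.
function Test-TamperProtectionPosture {
    param(
        # Defender status; defaults to the live state of this PC.
        $Status = (Get-MpComputerStatus),
        # Minimum security intelligence version named in the article.
        [version] $MinIntelligence = '1.287.60.0',
        # DisableAntiSpyware policy value; $null when the value is absent.
        $DisableAntiSpyware = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
            -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    )
    $findings = @()
    if (-not $Status.IsTamperProtected) { $findings += 'Tamper Protection is off' }
    # Settings the article lists as protected from outside changes.
    $guarded = [ordered]@{
        RealTimeProtectionEnabled = 'real-time protection'
        BehaviorMonitorEnabled    = 'behavior monitoring'
        IoavProtectionEnabled     = 'IOfficeAntivirus (downloaded file scanning)'
        AntivirusEnabled          = 'Windows Defender Antivirus'
    }
    foreach ($name in $guarded.Keys) {
        if (-not $Status.$name) { $findings += "$($guarded[$name]) is disabled" }
    }
    if ([version]$Status.AntivirusSignatureVersion -lt $MinIntelligence) {
        $findings += "security intelligence $($Status.AntivirusSignatureVersion) is older than $MinIntelligence"
    }
    # A set policy value is worth reviewing even when Tamper Protection ignores it.
    if ($DisableAntiSpyware -eq 1) {
        $findings += 'DisableAntiSpyware policy value is set to 1 in the Registry'
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample status (not captured from a real machine).
$sample = [pscustomobject]@{
    IsTamperProtected = $false; RealTimeProtectionEnabled = $true
    BehaviorMonitorEnabled = $true; IoavProtectionEnabled = $true
    AntivirusEnabled = $true; AntivirusSignatureVersion = '1.285.10.0'
}
Test-TamperProtectionPosture -Status $sample -DisableAntiSpyware 1 | Format-List
# On a real Windows 10 PC, call Test-TamperProtectionPosture with no arguments.
```

The function only reads state, so it can run from an endpoint management tool as a compliance check without touching the settings Tamper Protection guards.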
Does Tamper Protection work with endpoint management tools?
Tamper Protection does work with endpoint management tools, but there are limits. The entire point of Tamper Protection is to prevent outside tools from changing Windows Security settings. With Tamper Protection on, administrators can potentially establish a centralized setting for Tamper Protection using management tools, but those other tools and platforms cannot change settings protected by Tamper Protection. Admins would need to manage those settings through Windows Security.
Unified endpoint management platforms such as Microsoft Intune, enterprise configuration management applications such as System Center Configuration Manager (SCCM), command-line instructions or scripts, the Windows System Image Manager configuration, Group Policy, and any other Windows Management Instrumentation tools and administrative roles cannot override Tamper Protection.
An organization with a Windows enterprise-class license such as a Microsoft Defender ATP license or computers running Windows 10 Enterprise E5 must opt in to global Tamper Protection. IT can only manage the feature through an Intune management console, which prevents local users from overriding Tamper Protection on managed systems.