One of the greatest threats to enterprise PCs is malware -- or even innocuous applications -- that tamper with system configuration settings and potentially create new vulnerabilities and weaken the system against future attacks.
With the Windows 10 1903 release, Microsoft introduced Tamper Protection to the Windows Security application, which enables IT admins to make it more difficult for other applications to alter sensitive security settings on the PC. There are some caveats to using Tamper Protection in Windows 10, however, so IT admins should understand how it works.
What is Tamper Protection in Windows 10?
When enabled, Tamper Protection prevents changes to important system security configuration settings -- especially changes that are not made directly through the Windows Security application. The goal is to prevent malicious software -- or even third-party applications -- from changing important security settings in Windows Defender Antivirus and other tools. Tamper Protection is available for both Home and Enterprise versions of Windows 10.
When Tamper Protection is enabled, changes made outside the Windows Security application (by other software, scripts, Registry edits or policy) can no longer:
- turn off real-time protection, the on-access scanning component of Microsoft Defender Antivirus;
- change cloud-delivered protection settings, Microsoft's cloud-based malware protection service;
- change IOfficeAntiVirus (IOAV) settings, which govern how suspicious files such as internet downloads are handled;
- turn off behavior monitoring within real-time protection, which can stop suspicious or malicious processes;
- delete security intelligence updates; or
- turn off Microsoft Defender Antivirus entirely.
There are several important considerations with Tamper Protection. First, it does not stop an administrator from changing security settings directly through the Windows Security application; it only blocks changes that arrive through other channels, such as third-party software, scripts, direct Registry edits or Group Policy. Second, it does not prevent or control how third-party antivirus or antimalware products interoperate with the Windows Security application.
Enabling and disabling Tamper Protection on an individual machine
Users with Windows 10 computers not managed by the organization's IT staff can use the Windows Security application to turn Tamper Protection on or off as needed. This is a common scenario in remote or BYOD (bring your own device) environments.
Users will still need admin-level permissions on the system to change security settings, but computer owners usually possess admin-level access. Once logged into the computer, users can quickly access Tamper Protection with the following steps:
- Access the Taskbar and type defender into the search bar on the Taskbar.
- Select the Windows Security app from the search results.
- Select Virus & threat protection.
- Choose Virus & threat protection settings (Manage settings).
- Locate the Tamper Protection toggle and choose On or Off as desired.
The Tamper Protection toggle should be visible, and an administrator can click it to turn the feature off or on. If the toggle is not visible, the machine is probably on a build older than 1903 and needs to be updated. If Tamper Protection is turned off, users will see a small yellow warning symbol in the Windows Security application next to the Virus & threat protection entry.
Enabling and disabling Tamper Protection for your whole organization
When an IT organization is responsible for managing a fleet of Windows 10 user endpoints, IT admins can use Microsoft Intune to turn Tamper Protection on or off for all those managed computers through the Microsoft Endpoint Manager admin center portal. Administrators will need the correct permissions, such as global or security admin, to make changes to Tamper Protection.
Before accessing Tamper Protection, the organization must meet the following requirements:
- It must have the appropriate Intune licenses, such as Microsoft 365 E5.
- Windows 10 computers must be running versions 1709, 1803, 1809 or later.
- Machines must be running Windows Security with security intelligence updated to version 1.287.60.0 or later.
- All machines must be using antimalware platform version 4.18.1906.3 and antimalware engine version 1.1.15500.X (or later).
With all requirements met, the actual process of accessing Tamper Protection is similar to accessing it for individual users:
- Access the Microsoft Endpoint Manager admin center and sign in with the appropriate credentials.
- Select Devices and choose Configuration Profiles.
- Create a profile with the following characteristics:
  Platform: Windows 10 and later
  Profile type: Endpoint protection
  Category: Microsoft Defender Security Center
  Tamper Protection: Enabled (or Disabled)
There is generally no need to disable Tamper Protection in Windows 10 unless it breaks another validated tool. For example, Tamper Protection blocks third-party configuration utilities such as ConfigureDefender from changing Microsoft Defender Antivirus settings. Comprehensive software installation policies on IT-managed PCs reduce the need for it but are not a substitute: Tamper Protection exists to stop code that is already running with administrative rights from switching protection off, and installation controls alone do not prevent that.
Using PowerShell to check Tamper Protection
Windows PowerShell isn't just a powerful and versatile scripting platform; it's also a management console capable of checking and changing vital settings within a system or environment. PowerShell exposes a large set of commands (called cmdlets) to carry out actions and retrieve details, and the Defender module's cmdlets can quickly report on the status of Tamper Protection with these steps:
- Launch the PowerShell application.
- Enter the Get-MpComputerStatus PowerShell cmdlet.
- Review the list of results. If the value for IsTamperProtected is true, then Tamper Protection is enabled. If the result is false, Tamper Protection is disabled.
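The same cmdlet also reports the platform, engine and security intelligence versions, so one script can confirm both the Tamper Protection state and the version prerequisites listed earlier for a whole set of machines. The following is an added example, not code from the original article: it assumes PowerShell remoting (WinRM) is enabled on the targets and that you hold local administrator rights there, and the host names in $Targets are placeholders you replace with your own.

```powershell
# Added example, not from the original article: report Tamper Protection
# state and the prerequisite versions for a set of machines.
# Assumptions: WinRM is enabled on the targets, you are a local admin there,
# and $Targets holds placeholder names you replace with your own.

$Targets = @('localhost')          # e.g. 'PC-01', 'PC-02', 'PC-03'

# Minimums from the article's requirement list. The engine version is given
# as 1.1.15500.X, so the lowest build of that line is used as the floor.
$MinPlatform   = [version]'4.18.1906.3'
$MinEngine     = [version]'1.1.15500.0'
$MinSignatures = [version]'1.287.60.0'

# Collect raw values remotely; versions stay as strings so they survive
# remoting serialization and are cast to [version] locally.
$Report = Invoke-Command -ComputerName $Targets -ErrorAction Continue -ScriptBlock {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        TamperProtected = [bool]$s.IsTamperProtected
        RealTime        = [bool]$s.RealTimeProtectionEnabled
        Platform        = [string]$s.AMProductVersion
        Engine          = [string]$s.AMEngineVersion
        Signatures      = [string]$s.AntivirusSignatureVersion
    }
}

foreach ($r in $Report) {
    $platform   = [version]$r.Platform
    $engine     = [version]$r.Engine
    $signatures = [version]$r.Signatures

    $problems = @()
    if (-not $r.TamperProtected)        { $problems += 'Tamper Protection is OFF' }
    if (-not $r.RealTime)               { $problems += 'real-time protection is OFF' }
    if ($platform   -lt $MinPlatform)   { $problems += "platform $platform < $MinPlatform" }
    if ($engine     -lt $MinEngine)     { $problems += "engine $engine < $MinEngine" }
    if ($signatures -lt $MinSignatures) { $problems += "signatures $signatures < $MinSignatures" }

    $verdict = if ($problems) { 'ATTENTION: ' + ($problems -join '; ') } else { 'OK' }
    '{0,-16} {1}' -f $r.Computer, $verdict
}
```

Run it from an elevated PowerShell session. A machine that reports "Tamper Protection is OFF" alongside an old signature version is the common case on the page: the feature cannot be turned on centrally until the security intelligence update has been applied.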
Viewing tampering attempts
Security has little value if tamper attempts or other attacks are left unseen and unreported. Administrators must have some means of monitoring or reviewing the presence of potential attacks such as tampering.
Microsoft Defender for Endpoint (formerly Microsoft Defender ATP), a cloud subscription service, surfaces tamper attempts as alerts in its portal, the Microsoft Defender Security Center, with details logged for further investigation. Organizations need a Microsoft Defender for Endpoint subscription to get that dashboard view. Even without it, Microsoft Defender Antivirus records blocked changes on the machine itself in the Microsoft-Windows-Windows Defender/Operational event log, which an admin can review locally or forward to a SIEM.
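For machines that are not onboarded to Microsoft Defender for Endpoint, the local event log is the only record of tampering attempts. The following is an added example, not code from the original article: it reads the Microsoft Defender Antivirus operational log for the events that matter here (5013, tamper protection blocked a change; 5001, real-time protection disabled; 5007, configuration changed) and prints the old/new values where the event carries them. The lookback window in $Days is a placeholder.

```powershell
# Added example, not from the original article: list tamper-related events
# from the local Microsoft Defender Antivirus operational log.
# Event IDs used: 5013 = Tamper Protection blocked a change,
# 5001 = real-time protection disabled, 5007 = configuration changed.
# $Days is a placeholder lookback window; adjust for your own review cycle.

$Days = 7
$Log  = 'Microsoft-Windows-Windows Defender/Operational'

$Labels = @{
    5013 = 'BLOCKED by Tamper Protection'
    5001 = 'Real-time protection disabled'
    5007 = 'Configuration changed'
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = $Log
    Id        = 5013, 5001, 5007
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $Events) {
    "No tamper-related events in the last $Days day(s) on $env:COMPUTERNAME."
    return
}

$Events |
    Sort-Object TimeCreated |
    ForEach-Object {
        # 5007 events carry "Old value:" / "New value:" lines that name the
        # setting that changed; other events get their first message line.
        $lines = $_.Message -split "`r?`n"
        $vals  = $lines | Where-Object { $_ -match '^(Old|New) value:' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $Labels[[int]$_.Id]
            Detail  = if ($vals) { $vals -join ' | ' } else { $lines[0] }
        }
    } | Format-Table -AutoSize -Wrap
```

A 5013 event is the direct evidence that Tamper Protection did its job; a 5001 event with no matching administrator action is the signal that it was not on, or not yet covering that setting, when the change went through.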
Does Tamper Protection work with third-party security tools?
Tamper Protection prevents unauthorized changes to Windows Defender Antivirus settings through the system Registry. For example, when Tamper Protection is on, the DisableAntiSpyware group policy key in the Registry cannot disable Windows Defender Antivirus.
Some third-party security products legitimately need to change security settings. Tamper Protection is designed to coexist with them: it does not block a third-party antivirus product from registering with the Windows Security application, which is the supported way for Microsoft Defender Antivirus to stand down, and third-party products should rely on that mechanism rather than editing the protected settings directly.
Tamper Protection's detection logic is delivered through security intelligence updates. If a legitimate product's changes are being blocked or flagged as tampering, IT should first confirm in the Windows Security dialog that security intelligence is at version 1.287.60.0 or later and update it if not. Once the system is updated, Tamper Protection continues to guard the protected settings in the Registry and logs attempts to modify them, without generating errors for the legitimate product.
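Because Tamper Protection guards the effective setting rather than the Registry value, the useful check is to compare what the policy keys request with what Microsoft Defender Antivirus is actually doing. The following is an added example, not code from the original article: it reads the standard Windows Defender policy values (DisableAntiSpyware and DisableRealtimeMonitoring under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender) and compares them with Get-MpComputerStatus. A policy that asks for protection to be off while protection is still on is exactly the situation the DisableAntiSpyware example above describes.

```powershell
# Added example, not from the original article: compare what the policy
# keys request with what Microsoft Defender Antivirus is actually doing.
# With Tamper Protection on, a DisableAntiSpyware=1 or
# DisableRealtimeMonitoring=1 value written by Group Policy or a script
# is ignored, so a mismatch is evidence that something tried to change a
# protected setting. Paths and value names are the real policy locations.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = if ($SubKey) { Join-Path $PolicyRoot $SubKey } else { $PolicyRoot }
    try   { (Get-ItemProperty -Path $key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }    # key or value absent: no policy is requesting it
}

$status = Get-MpComputerStatus

$checks = @(
    [pscustomobject]@{
        Setting   = 'Antivirus off (DisableAntiSpyware)'
        Requested = (Get-PolicyValue -SubKey '' -Name 'DisableAntiSpyware') -eq 1
        Effective = -not $status.AntivirusEnabled
    },
    [pscustomobject]@{
        Setting   = 'Real-time protection off (DisableRealtimeMonitoring)'
        Requested = (Get-PolicyValue -SubKey 'Real-Time Protection' -Name 'DisableRealtimeMonitoring') -eq 1
        Effective = -not $status.RealTimeProtectionEnabled
    }
)

foreach ($c in $checks) {
    $verdict = switch ("$($c.Requested)/$($c.Effective)") {
        'True/False' { 'requested by policy but NOT in effect: blocked, look for event 5013' }
        'True/True'  { 'requested by policy and in effect: Tamper Protection is off or not covering this' }
        'False/True' { 'off with no policy requesting it: investigate how it was changed' }
        default      { 'consistent' }
    }
    '{0,-55} {1}' -f $c.Setting, $verdict
}
"Tamper Protection on this machine: $($status.IsTamperProtected)"
```

The script is read-only, so it is safe to run in production; it needs an elevated session because the policy hive is not readable by standard users on every build.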
Does Tamper Protection work with endpoint management tools?
Tamper Protection does work with endpoint management tools, but there are limits. The entire point of Tamper Protection is to prevent outside tools from changing Windows Security protection settings. With Tamper Protection on, administrators can potentially establish a centralized setting for Tamper Protection using management tools, but those other tools and platforms cannot change settings protected by Tamper Protection. Admins would need to manage those protection settings through Windows Security.
Unified endpoint management platforms such as Microsoft Intune, enterprise configuration management applications such as System Center Configuration Manager, command-line instructions or scripts, the Windows System Image Manager configuration, Group Policy, and any other Windows Management Instrumentation tools and administrative roles cannot override Tamper Protection.
An organization with an enterprise-class license, such as Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) or Windows 10 Enterprise E5, must opt in to Tamper Protection for the tenant. Once it is enabled centrally, IT manages the feature only through the Intune management console, and local users cannot override Tamper Protection on managed systems.