If hackers want to permanently infiltrate a system by installing Trojans or other malware, security software like Microsoft Defender can prevent them from doing so. For this reason, they will try to disable it.
Freeze Defender to default configuration
Normally, Microsoft's virus scanner can be disabled without much effort. There is even a group policy for this purpose; you can also change the corresponding key in the registry directly.
However, the tamper protection introduced with Windows 10 1903 prevents the default configuration of Microsoft Defender from being changed or the tool from being disabled. For some time now, this option has been enabled by default and is also available on older systems down to Windows Server 2012 R2.
Windows 10 tamper protection monitors the following events, among others, and blocks any changes:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus
- Disabling cloud-delivered protection
- Removing security intelligence updates
- Changing threat severity actions
- Disabling script scanning
No management via local tools
The problem with managing tamper protection is that all local tools are considered insecure. If an attacker gains the privileges of a local admin, they would also be able to disable tamper protection. For this reason, it cannot be controlled by group policies, PowerShell, or directly editing the registry.
However, it is possible to query the status of this feature with PowerShell:
Get-MpComputerStatus | select IsTamperProtected
If it is active, then this property has the value True. If you manage tamper protection via the cloud, then the Defender portal provides a dashboard that displays all activities related to this feature.
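The status query above can be turned into a small audit that also reports the settings tamper protection is meant to guard (real-time protection, behavior monitoring, script scanning, cloud-delivered protection). The following PowerShell is an added example, not code from the article or from Microsoft: it assumes PowerShell remoting is enabled on the target computers and that the caller has local admin rights there. The second function looks for Event ID 5013 in the Defender operational log, which Microsoft documents as the record of a change blocked by tamper protection; that event ID is taken from Microsoft's documentation, not from this article.

```powershell
# Added example (not from the 4sysops article): audit Defender tamper protection and the
# settings it guards on one or more computers.
# Assumes PowerShell remoting is enabled on remote targets and the caller is a local admin there.

function Get-DefenderProtectionReport {
    [CmdletBinding()]
    param(
        # Computers to query; defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    foreach ($computer in $ComputerName) {
        try {
            $block = {
                $status = Get-MpComputerStatus
                $pref   = Get-MpPreference
                [pscustomobject]@{
                    ComputerName              = $env:COMPUTERNAME
                    IsTamperProtected         = $status.IsTamperProtected
                    AntivirusEnabled          = $status.AntivirusEnabled
                    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
                    BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
                    ScriptScanningDisabled    = $pref.DisableScriptScanning
                    CloudProtection           = $pref.MAPSReporting   # 0 = disabled, 1 = basic, 2 = advanced
                    SignatureAgeDays          = $status.AntivirusSignatureAge
                }
            }
            if ($computer -eq $env:COMPUTERNAME) {
                $result = & $block
            } else {
                $result = Invoke-Command -ComputerName $computer -ScriptBlock $block -ErrorAction Stop
            }

            # Flag the combinations a defender cares about: tamper protection off, or a guarded setting disabled.
            $findings = @()
            if (-not $result.IsTamperProtected)         { $findings += 'TamperProtectionOff' }
            if (-not $result.AntivirusEnabled)          { $findings += 'AntivirusOff' }
            if (-not $result.RealTimeProtectionEnabled) { $findings += 'RealTimeProtectionOff' }
            if (-not $result.BehaviorMonitorEnabled)    { $findings += 'BehaviorMonitoringOff' }
            if ($result.ScriptScanningDisabled)         { $findings += 'ScriptScanningOff' }
            if ($result.CloudProtection -eq 0)          { $findings += 'CloudProtectionOff' }

            $result | Add-Member -NotePropertyName Findings -NotePropertyValue ($findings -join ',') -PassThru
        }
        catch {
            # Unreachable host, remoting disabled, or Defender cmdlets missing: report instead of aborting the loop.
            [pscustomobject]@{ ComputerName = $computer; Error = $_.Exception.Message }
        }
    }
}

function Get-TamperProtectionBlockedChanges {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    # Event ID 5013 in the Defender operational log records a change that tamper protection blocked
    # (ID from Microsoft's documentation, an assumption not stated in the article).
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5013
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage (computer names are placeholders):
Get-DefenderProtectionReport -ComputerName 'PC01', 'PC02' | Format-Table -AutoSize
Get-TamperProtectionBlockedChanges -ComputerName 'PC01' -Days 30
```

A non-empty Findings column on a machine where IsTamperProtected is True is worth a closer look, since tamper protection should have blocked those changes; Get-WinEvent returns nothing rather than an error when no blocked changes were logged in the window.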
On unmanaged PCs, users can interactively control tamper protection via the Settings app under Update & Security > Windows Security > Virus & Threat Protection > Virus & threat protection > Manage settings.
Users with local admin rights can disable it here. Under these conditions, tamper protection obviously offers limited value: anyone with the rights to disable Microsoft Defender can also disable tamper protection first.
Tamper protection is active by default and can be turned off interactively with admin rights
Turn on Windows 10 tamper protection in the cloud
For this reason, Microsoft provides central management of tamper protection using the cloud; however, this requires the corresponding subscriptions for Defender for Endpoint.
Users can change this setting globally through the M365 Defender Portal. This affects all devices associated with that tenant. On the client, the corresponding option is grayed out in the Settings app so that local admins can no longer change it.
Alternatively, if you don't want to switch Windows 10 tamper protection on or off across the board, you can use Intune or Configuration Manager 2006 with tenant attach. In this way, specific devices can be addressed in a targeted manner.
Windows 10 tamper protection prevents attackers from disabling Microsoft Defender to pursue their activities undisturbed. Since local admins should not be able to turn off this protection, Microsoft only provides cloud-based management. This should protect against unauthorized access. The interactive configuration on unmanaged devices can easily be abused by attackers as soon as they gain administrative rights. In this form, this feature offers little protection.
About the final sentence “The interactive configuration on unmanaged devices can easily be abused by attackers as soon as they gain administrative rights. In this form, this feature offers little protection” – as indicated, this implies the hacker has to be logged on interactively (console or RDP) and is not limited to connecting through, for example, remote PowerShell. So for those hackers using a remote shell or similar tools, even without cloud-based management, this is a serious hurdle when turned on.
Pretty sure that’s just a way to force everyone to a higher Defender license in Azure. If every other AV product can have Tamper Protection with a simple password and control through some form of management tool, it seems hypocritical that the one they supply cannot be managed through Group Policy.