When hackers gain access to a computer, one of their first goals is to disable the system's security mechanisms. This includes, in particular, turning off Microsoft Defender. Windows 10 tamper protection is intended to prevent this, but it only offers cloud-based management.

If hackers want to permanently infiltrate a system by installing Trojans or other malware, security software like Microsoft Defender can prevent them from doing so. For this reason, they will try to disable it.

Freeze Defender to default configuration

Normally, Microsoft's virus scanner can be disabled without much effort. There is even a group policy for this purpose; you can also change the corresponding key in the registry directly.

However, the tamper protection introduced with Windows 10 1903 prevents the default configuration of Microsoft Defender from being changed and the tool from being disabled. For some time now, this option has been enabled by default, and it is also available on older systems down to Windows Server 2012 R2.

Windows 10 tamper protection monitors the following events, among others, and blocks any changes:

  • Disabling virus and threat protection
  • Disabling real-time protection
  • Turning off behavior monitoring
  • Disabling antivirus
  • Disabling cloud-delivered protection
  • Removing security intelligence updates
  • Changing threat severity actions
  • Disabling script scanning

No management via local tools

The problem with managing tamper protection is that all local tools are considered insecure: if an attacker gained the privileges of a local admin, they could use those same tools to disable tamper protection. For this reason, it cannot be controlled by group policies, PowerShell, or by editing the registry directly.

However, it is possible to query the status of this feature with PowerShell:

Get-MpComputerStatus | select IsTamperProtected

If it is active, then this property has the value True. If you manage tamper protection via the cloud, then the Defender portal provides a dashboard that displays all activities related to this feature.
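The following script is an added example, not code from the article: it extends the one-liner above into an audit that queries IsTamperProtected together with the Defender components that tamper protection guards (the list in the previous section) on several machines, and flags every machine where one of them is off. It assumes PowerShell remoting is enabled, that you run it with administrative rights on the targets, and that the computer names are placeholders.

```powershell
# Added example: inventory tamper protection and the settings it guards
# across a set of computers. Computer names are placeholders.
$computers = @('PC01', 'PC02', 'SRV-FILE01')

# Get-MpComputerStatus exposes the read-only status that tamper protection
# allows local tools to see; it does not allow changing anything.
$report = Invoke-Command -ComputerName $computers `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        TamperProtected    = $s.IsTamperProtected
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        BehaviorMonitoring = $s.BehaviorMonitorEnabled
        SignatureAgeDays   = $s.AntivirusSignatureAge
    }
}

# A machine counts as weakened if tamper protection or any guarded
# component is off, or security intelligence is more than 7 days old
# (the 7-day threshold is an assumption for this example).
$findings = $report | Where-Object {
    -not $_.TamperProtected -or
    -not $_.AntivirusEnabled -or
    -not $_.RealTimeProtection -or
    -not $_.BehaviorMonitoring -or
    $_.SignatureAgeDays -gt 7
}

$report | Sort-Object Computer |
    Format-Table Computer, TamperProtected, AntivirusEnabled,
                 RealTimeProtection, BehaviorMonitoring, SignatureAgeDays -AutoSize

if ($findings) {
    Write-Warning "Defender protection is weakened on: $($findings.Computer -join ', ')"
}

# Machines that could not be reached deserve attention too: an attacker who
# has disabled Defender may also have broken remote management.
foreach ($e in $remoteErrors) {
    Write-Warning "Could not query $($e.TargetObject): $($e.Exception.Message)"
}
```

Machines listed in the warning, and machines that could not be queried at all, are the ones to check first in the Defender portal or on the console.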

The Defender dashboard shows incidents relating to tamper protection

Interactive configuration

On unmanaged PCs, users can interactively control tamper protection via the Settings app under Update & Security > Windows Security > Virus & Threat Protection > Virus & threat protection > Manage settings.

Link to the page where tamper protection can be configured

Users with local admin rights can disable it here. Under these conditions, tamper protection obviously offers limited value: anyone with the permissions needed to disable Microsoft Defender can also disable tamper protection.

Tamper protection is active by default and can be turned off interactively with admin rights

Turn on Windows 10 tamper protection in the cloud

For this reason, Microsoft provides central management of tamper protection using the cloud; however, this requires the corresponding subscriptions for Defender for Endpoint.

Users can change this setting globally through the M365 Defender Portal. This affects all devices associated with that tenant. On the client, the corresponding option is grayed out in the Settings app so that local admins can no longer change it.

If you manage Windows 10 tamper protection centrally, then it can no longer be turned off locally

Alternatively, if you don't want to switch Windows 10 tamper protection on or off across the board, you can use Intune or Configuration Manager 2006 with tenant attach. In this way, specific devices can be addressed in a targeted manner.

Turn on Windows 10 tamper protection using Intune

Conclusion

Windows 10 tamper protection prevents attackers from disabling Microsoft Defender to pursue their activities undisturbed. Since local admins should not be able to turn off this protection, Microsoft only provides cloud-based management. This should protect against unauthorized access. The interactive configuration on unmanaged devices can easily be abused by attackers as soon as they gain administrative rights. In this form, this feature offers little protection.

3 Comments
  1.

    About the final sentence “The interactive configuration on unmanaged devices can easily be abused by attackers as soon as they gain administrative rights. In this form, this feature offers little protection” – as indicated, this implies the hacker has to be logged on interactively (console or RDP) and not only limited to connect through for example remote PowerShell. So for those hackers using remote shell or similar tools, even without cloud-based management, this is a serious hurdle when turned on.

  2. Jim 1 year ago

    Pretty sure that’s just a way to force everyone to a higher Defender license in Azure. If every other AV product can have Tamper Protection with a simple password and control through some form of management tool, it seems hypocritical that the one they supply cannot be managed through Group Policy.

© 4sysops 2006 - 2023