If hackers want to permanently infiltrate a system by installing Trojans or other malware, security software like Microsoft Defender can prevent them from doing so. For this reason, they will try to disable it.
Freeze Defender to default configuration
Normally, Microsoft's virus scanner can be disabled without much effort. There is even a group policy for this purpose; you can also change the corresponding key in the registry directly.
However, the tamper protection introduced with Windows 10 1903 prevents the default configuration of Microsoft Defender from being changed or the tool from being disabled. For some time now, this option has been enabled by default and is also available on older systems down to Windows Server 2012 R2.
Windows 10 tamper protection monitors the following events, among others, and blocks any changes:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus
- Disabling cloud-delivered protection
- Removing security intelligence updates
- Changing threat severity actions
- Disabling script scanning
No management via local tools
The difficulty in managing tamper protection is that every local tool is treated as untrusted: if an attacker gains local admin privileges, they could use the same tool to disable tamper protection. For this reason, it cannot be controlled by group policy, PowerShell, or by editing the registry directly.
However, it is possible to query the status of this feature with PowerShell:
Get-MpComputerStatus | select IsTamperProtected
If it is active, then this property has the value True. If you manage tamper protection via the cloud, then the Defender portal provides a dashboard that displays all activities related to this feature.
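An added audit script (not from the article or from Microsoft) that builds on the Get-MpComputerStatus query above and reports whether each of the protections listed earlier is still in its expected state. It assumes the Defender PowerShell module is available; the function name Test-DefenderTamperState and the hosts.txt path are choices made for this example.

```powershell
# Added example: audit tamper protection and the settings it guards.
# Assumes Get-MpComputerStatus / Get-MpPreference are available
# (Windows 10 1903+ or Server 2012 R2+ with Microsoft Defender).
function Test-DefenderTamperState {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Each entry is a protection the article lists as covered by tamper
    # protection; $true means it is in its expected (enabled) state.
    $checks = [ordered]@{
        'Tamper protection'        = [bool]$status.IsTamperProtected
        'Antivirus engine'         = [bool]$status.AntivirusEnabled
        'Real-time protection'     = $status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring
        'Behavior monitoring'      = $status.BehaviorMonitorEnabled -and -not $pref.DisableBehaviorMonitoring
        'Script scanning'          = -not $pref.DisableScriptScanning
        'Cloud-delivered (MAPS)'   = $pref.MAPSReporting -ne 0      # 0 = cloud protection disabled
        'Signatures <= 7 days old' = $status.AntivirusSignatureAge -le 7
    }

    # Default threat actions: 6 = Allow and 9 = NoAction leave detections
    # unhandled, which is why "changing threat severity actions" is monitored.
    $weakActions = @(6, 9)
    foreach ($sev in 'Low', 'Moderate', 'High', 'Severe') {
        $val = $pref."${sev}ThreatDefaultAction"
        $checks["$sev threat action is not Allow/NoAction"] = ($weakActions -notcontains [int]$val)
    }

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        TamperProtected = [bool]$status.IsTamperProtected
        Compliant       = ($failed.Count -eq 0)
        FailedChecks    = $failed
        CheckedAt       = (Get-Date).ToUniversalTime()
    }
}

# Run locally, or collect a fleet report over PowerShell remoting:
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-DefenderTamperState}
Test-DefenderTamperState | Format-List
```

A host where Compliant is false but TamperProtected is true indicates a setting changed through a path tamper protection does not cover, which is worth a closer look.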
Interactive configuration
On unmanaged PCs, users can interactively control tamper protection via the Settings app under Update & Security > Windows Security > Virus & Threat Protection > Virus & threat protection > Manage settings.
Users with local admin rights can disable it here. Under these conditions, tamper protection is obviously of limited value: anyone with the rights to disable Microsoft Defender can also disable tamper protection first.
Tamper protection is active by default and can be turned off interactively with admin rights
Turn on Windows 10 tamper protection in the cloud
For this reason, Microsoft provides central management of tamper protection using the cloud; however, this requires the corresponding subscriptions for Defender for Endpoint.
Administrators can change this setting globally in the Microsoft 365 Defender portal. It then applies to all devices onboarded to that tenant. On the client, the corresponding option is grayed out in the Settings app, so local admins can no longer change it.
Alternatively, if you don't want to switch Windows 10 tamper protection on or off across the board, you can use Intune or Configuration Manager 2006 with tenant attach. In this way, specific devices can be addressed in a targeted manner.
Windows 10 tamper protection prevents attackers from disabling Microsoft Defender so they can pursue their activities undisturbed. Since local admins should not be able to turn off this protection, Microsoft only provides cloud-based management for it, which is meant to keep the setting out of reach of unauthorized users. On unmanaged devices, however, the interactive configuration can easily be abused by attackers as soon as they obtain administrative rights; in that form, the feature offers little protection.