News

Microsoft Defender ATP Gets Tamper Protection

• By Kurt Mackie
• 10/15/2019

An optional "tamper protection" security feature is now generally available to users of Microsoft Defender Advanced Threat Protection (ATP) with E5 subscription plans.

In preview since March, tamper protection prevents changes from being made to Windows 10 client security features by malicious applications or even by local administrators. The feature just works with Windows 10 version 1903 or later clients, and it requires using the Windows Defender Antivirus program.

General availability means that tamper protection is deemed ready for use by organizations. However, an IT pro with a "global admin, security admin, or security operations" role will need to enable it first before it takes effect, according to Microsoft's documentation. It's not enabled by default for organizations.

Consumer Version
For consumer users, tamper protection "will be enabled by default" on Windows 10 Home edition versions. It's currently being rolled out to them "gradually," according to Microsoft's announcement, which did not provide timeline details. An early review of the consumer version can be found in this Redmond article.

Tamper protection seems like a pretty basic security protection for organizations, as well as for consumers. However, not every organization may have the licensing to use it.

Organizational Requirements
Tamper protection is just for organizations with Microsoft Defender ATP E5 licensing. They'll also need to be using the Microsoft Intune client management service to turn on tamper protection. Users of System Center Configuration Manager (SCCMM) are out of luck as Microsoft doesn't currently support tamper protection with that management tool.

It's also not possible to turn on tamper protection using Group Policy. Microsoft's documentation flatly rejected the notion that Group Policy could be used with tamper protection in the future.

The requirements to use tamper protection include having the following in place:

• A subscription to Microsoft Defender ATP E5 (the E3 plan isn't supported)
• A subscription to Microsoft Intune
• Use of Windows Defender Antivirus (version 4.18.1906.3 or above) with security intelligence updates turned on
• Use of Windows 10 version 1903 or later

Tamper protection will not work on client devices that aren't using Windows Defender Antivirus. Surprisingly, the tamper protection feature does not include support for Windows Server products.

Tamper protection won't have an effect on "third-party antivirus registration," Microsoft promised. IT pros using tamper protection will get alerts when there are attempts to alter security features. These alerts will be available through the Microsoft Defender ATP management portal.