Don't tamper with my data!
As a follow-up to our great podcast with Josh Bregman last week, @RodTrent suggested I write a blog about the Tamper Protection feature in Microsoft Defender for Endpoint.
As you all know, one of the things bad guys do when they compromise your environment is try to turn off your antivirus solution. This way they can get access to all your juicy good data yet go undetected. We’ve seen this behavior recently with NOBELIUM and several other advanced breaches.
Tamper protection was designed to prevent this problem (if you’re using Microsoft Defender Antivirus). Its job is to lock down Microsoft Defender Antivirus so that its security settings can't be changed by an application, by someone editing registry settings, or by someone running a PowerShell command on your device.
With tamper protection enabled at an enterprise level, individual users can't change the setting. If you’re using a non-Microsoft antivirus application, don’t worry, it won’t affect anything.
Tamper protection is available for devices that are running one of the following operating systems:
Windows 10 and 11 (including Enterprise multi-session)
Windows Server 2022, Windows Server 2019, and Windows Server, version 1803 or later
Windows Server 2016 and Windows Server 2012 R2 (using the modern, unified solution)
macOS versions: Big Sur (11) or later
It can be enabled in the security.microsoft.com portal or with Intune or SCCM.
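To confirm that state on a device rather than take it on faith, here is an added PowerShell audit script (my own example, not code from the original post or from Microsoft): it reads the tamper protection flag from Get-MpComputerStatus, compares it with the registry mirror under HKLM:\SOFTWARE\Microsoft\Windows Defender\Features, and counts recent Event ID 5013 entries, which record changes tamper protection blocked. The registry value meanings (5 = on, 4 = off) and the 5013 event ID are assumptions taken from Microsoft's documentation; verify them against your build.

```powershell
# Added example (not from the original post): audit a device's tamper protection state
# and surface any changes it recently blocked. Requires the Defender PowerShell module
# (present on Windows 10/11 and supported Server builds) and an elevated session.
# Assumption: registry value 5 = on, 4 = off; Event ID 5013 = "tamper protection blocked
# a change", both per Microsoft's documentation.

function Get-TamperProtectionAudit {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 24
    )

    $status = Get-MpComputerStatus

    # Registry mirror of the setting (read-only while tamper protection is on).
    $regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $regValue = (Get-ItemProperty -Path $regPath -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection
    $regState = if ($regValue -eq 5) { 'On' } elseif ($regValue -eq 4) { 'Off' } else { 'Unknown' }

    # Changes that tamper protection refused, from the Defender Operational log.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5013
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $blocked = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsTamperProtected    = $status.IsTamperProtected
        RegistryState        = $regState
        # Flag drift between the live status and the registry mirror.
        Consistent           = ($status.IsTamperProtected -and $regState -eq 'On') -or
                               (-not $status.IsTamperProtected -and $regState -eq 'Off')
        RealTimeProtectionOn = $status.RealTimeProtectionEnabled
        BlockedChanges       = $blocked.Count
        LastBlockedChange    = if ($blocked.Count) { $blocked[0].TimeCreated } else { $null }
        LastBlockedMessage   = if ($blocked.Count) { $blocked[0].Message } else { $null }
    }
}

$audit = Get-TamperProtectionAudit -LookbackHours 24
$audit | Format-List
if (-not $audit.IsTamperProtected) {
    Write-Warning "Tamper protection is OFF on $($audit.ComputerName); Defender AV settings can be changed locally."
}
```

A non-zero BlockedChanges count with tamper protection on is the signal worth investigating, since something on the device tried to alter Defender settings and was refused.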
Documentation: Protect security settings with tamper protection
Tech Community blog: Tamper protection is now generally available
Tech Community blog: Enable tamper protection in Threat & Vulnerability Management
Tech Community blog: Announcing tamper protection for Configuration Manager tenant attach clients
If you want to see what happens when someone turns on tamper protection and then tries to disable it, check out this blog on the Cloudbrother site. They do a great job of showing, step by step, how tamper protection blocks attempts to turn off Windows AV.