TAMPER PROTECTION BACKGROUND:

The first thing most malware tries to do is disable your antivirus, so Microsoft has introduced a new feature called TAMPER PROTECTION that blocks all methods of disabling Windows Defender Antivirus except through the Windows Security Console GUI or Microsoft’s Intune cloud service.

Specifically, if Tamper Protection is enabled it can not be disabled via:

  • command line script
  • PowerShell
  • Group Policy – this may change in the future
  • System Center Endpoint Protection (SCCM) – this may change in the future
  • manually changing the registry

An important note is that:

“…Tamper Protection doesn’t affect how third-party antivirus apps work or how they register with Windows Security.” SOURCE

TAMPER PROTECTION REGISTRY ENTRIES:

Once Windows Defender Tamper Protection is enabled you cannot change it using the registry, even if you take ownership of the relevant key. However, you can use the registry to turn it on and to find out whether Tamper Protection is on:

HKLM > SOFTWARE > MICROSOFT > WINDOWS DEFENDER > FEATURES

TamperProtection Off = 0  – applies to Windows Home & Pro
TamperProtection On = 1  – applies to Windows Home & Pro
TamperProtection disabled = 2  – applies to Windows Enterprise & Education
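As an added example (not code from the original post), the following PowerShell reads the TamperProtection value from the Features key described above, maps it to the meanings the post documents, and cross-checks it against Defender’s own IsTamperProtected status. The 4/5 meanings are taken from a reader comment on Windows 10 Pro and are labelled as such; the mapping table and function names are this example’s own.

```powershell
# Added example, not from the original post: audit the Tamper Protection state.
$featuresKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'

# 0/1/2 are the meanings documented in the post. 4/5 are values a reader reported
# seeing on Win10 1909 Pro (5 after turning it on, 4 after turning it off); they are
# not documented by Microsoft here, so they are labelled as reader-observed.
$meaning = @{
    0 = 'Off (Windows Home/Pro)'
    1 = 'On (Windows Home/Pro)'
    2 = 'Disabled / killbitted (Enterprise/Education; needs Intune + Defender ATP + E5)'
    4 = 'Reader-observed on Win10 1909 Pro after turning Tamper Protection off'
    5 = 'Reader-observed on Win10 1909 Pro after turning Tamper Protection on'
}

function Get-TamperProtectionState {
    # -ErrorAction SilentlyContinue so a missing value does not throw.
    $value = (Get-ItemProperty -Path $featuresKey -Name TamperProtection `
              -ErrorAction SilentlyContinue).TamperProtection
    if ($null -eq $value) {
        return [pscustomobject]@{ RegistryValue = $null; Meaning = 'value not present' }
    }
    $text = if ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] } else { 'unknown value' }
    [pscustomobject]@{ RegistryValue = $value; Meaning = $text }
}

Get-TamperProtectionState | Format-List

# Cross-check with the Defender PowerShell module (Windows 10 1903 and later).
# IsTamperProtected is Defender's own answer and should be preferred over the raw DWORD.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) { "Defender reports IsTamperProtected = $($mp.IsTamperProtected)" }

# The post states the registry can be used to turn Tamper Protection ON (never off once
# enabled). Run from an elevated prompt if you want to do that; kept commented out here.
# Set-ItemProperty -Path $featuresKey -Name TamperProtection -Value 1 -Type DWord
```

On an Enterprise SKU expect the registry value 2 together with IsTamperProtected = False until the machine meets the conditions described later in the post.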

TAMPER PROTECTION DOES NOT APPEAR IN WINDOWS ENTERPRISE

In my case, I had clicked TURN ON on a fresh Win10 Enterprise and then the Tamper Protection option disappeared from the Windows Security Center.

I found the registry showed TamperProtection = 2, which was not one of the options I was aware of. Even more odd was that I could find TAMPER PROTECTION in the START search, but it took me to the Security Center without Tamper Protection options. That was quite unexpected.

After goofing with this for a few hours, I called Microsoft Partner Technical Support and within a day had a fantastic response from the tech:

“…On Enterprise SKU the feature is disabled by default and is expected to be managed by GPO, SCCM, and Intune etc. However GPO and SCCM functionality has not been enabled as of yet, and only Intune works. It also must be a machine onboarded by Defender ATP, so it needs Intune, WDATP, and be an enterprise SKU to use with an E5 license if you wish to preview it.

Without all 3, you cannot even turn it on yet on the Enterprise SKU if the client is managed.

Managed is defined as being a part of a domain. I’m told that you can enable tamper protection on an Enterprise SKU if it is not domain joined, but this functionality may be broken as of now (August 2019) but they are expecting it to work that way in the end. We have raised the concern with our developer teams and also about the whole interface confusion and they will take appropriate steps to correct this so it’s not so confusing.

0x2 in the registry means that the SKU is Killbitted, meaning it is NOT enabled. Even though you may have enabled it in the GUI initially, it’s still not enabled. Once it is set to 0x2 it cannot be changed until the conditions above with all 3 items are met…”

3 Comments

Ben · February 17, 2020 at 3:06 am

Hi, I’m also struggling with tamper protection and GPOs. When the tamper protection registry value is ‘1’ (and not changeable by admin), GPOs pretend to work (they appear in gpresult –> applied GPOs) but their content (settings) is not listed/used (also seen in gpresult). Only when I disable tamper protection (in German: Manipulationsschutz) via GUI are all GPO settings applied as they should be.
Do you have any ideas how to solve it? Editing the regkey via GPO doesn’t work, changing the regkey via software distribution (SYSTEM account) does not work reliably (or maybe is overwritten instantly). Manually changing it in the GUI is not very helpful when deploying remotely…

Testing with Win10x64_1909, German, Enterprise Edition, Domain Member.

Thanks,
Ben

Paolo Bragagni · January 21, 2020 at 7:51 am

any news?

Andreas · November 25, 2019 at 2:13 am

I originally had Tamper Protection turned Off (TamperProtection = 0).
After turning it on in Windows Security, the registry entry jumped to 5.
After disabling it again, it jumped to 4.
After that it toggles between 4 and 5.

OS is Windows 10 1909 Pro (Standalone Device, not in Domain, not using Microsoft Account, German Language)
