Protect security settings with tamper protection

Applies to:

  • Microsoft Defender for Endpoint Plan 1
  • Microsoft Defender for Endpoint Plan 2
  • Microsoft Defender Antivirus

Platforms

  • Windows

Tamper protection is available for devices that are running one of the following versions of Windows:

  • Windows 11
  • Windows 11 Enterprise multi-session
  • Windows 10
  • Windows 10 Enterprise multi-session
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server, version 1803 or later
  • Windows Server 2016
  • Windows Server 2012 R2

Overview

During some kinds of cyber attacks, bad actors try to disable security features, such as antivirus protection, on your machines. Bad actors disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring. With tamper protection, malicious apps are prevented from taking actions such as:

  • Disabling virus and threat protection
  • Disabling real-time protection
  • Turning off behavior monitoring
  • Disabling antivirus protection, such as IOfficeAntivirus (IOAV)
  • Disabling cloud-delivered protection
  • Removing security intelligence updates
  • Disabling automatic actions on detected threats
  • Suppressing notifications in the Windows Security app
  • Disabling scanning of archives and network files

How it works

Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed through apps and methods such as:

  • Configuring settings in Registry Editor on your Windows device
  • Changing settings through PowerShell cmdlets
  • Editing or removing security settings through Group Policy

Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how non-Microsoft antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team.

What do you want to do?

  • To manage tamper protection across your tenant (use the Microsoft 365 Defender portal to turn tamper protection on or off), see Manage tamper protection for your organization using the Microsoft 365 Defender portal.
  • To fine-tune tamper protection settings in your organization (use Intune (Microsoft Endpoint Manager) to turn tamper protection on or off; you can configure tamper protection for some or all users with this method), see Manage tamper protection for your organization using Microsoft Endpoint Manager.
  • To turn tamper protection on (or off) for your organization with Configuration Manager, see Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006.
  • To turn tamper protection on (or off) for an individual device, see Manage tamper protection on an individual device.
  • To view details about tampering attempts on devices, see View information about tampering attempts.
  • To review your security recommendations, see Review security recommendations.
  • To review the list of frequently asked questions (FAQs), see Browse the FAQs.

Potential dependency on cloud protection

Depending on the method or management tool you use to enable tamper protection, there might be a dependency on cloud-delivered protection. Cloud-delivered protection is also referred to as cloud protection, or Microsoft Advanced Protection Service (MAPS).

The following table provides details on the methods, tools, and dependencies.

How tamper protection is enabled, and whether that method depends on cloud protection:

  • Microsoft Intune: No
  • Microsoft Endpoint Configuration Manager with Tenant Attach: No
  • Microsoft 365 Defender portal (https://security.microsoft.com): Yes

Manage tamper protection for your organization using the Microsoft 365 Defender portal

Tamper protection can be turned on or off for your tenant using the Microsoft 365 Defender portal (https://security.microsoft.com). Here are a few points to keep in mind:

  • Currently, the option to manage tamper protection in the Microsoft 365 Defender portal is on by default for new deployments. For existing deployments, tamper protection is available on an opt-in basis. To opt in, in the Microsoft 365 Defender portal, choose Settings > Endpoints > Advanced features > Tamper protection.
  • When you use the Microsoft 365 Defender portal to manage tamper protection, you do not have to use Intune or the tenant attach method.
  • When you manage tamper protection in the Microsoft 365 Defender portal, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows 10 Enterprise multi-session, Windows 11, Windows 11 Enterprise multi-session, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 or Windows Server 2022. To fine-tune tamper protection (such as having tamper protection on for some devices but off for others), use either Microsoft Endpoint Manager or Configuration Manager with tenant attach.
  • If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft 365 Defender portal.

Requirements for managing tamper protection in the Microsoft 365 Defender portal

  • You must have appropriate permissions assigned, such as global admin, security admin, or security operations.

  • Your Windows devices must be running one of the following versions of Windows:

    • Windows 11
    • Windows 11 Enterprise multi-session
    • Windows 10
    • Windows 10 Enterprise multi-session
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server, version 1803 or later
    • Windows Server 2016
    • Windows Server 2012 R2

For more information about releases, see Windows 10 release information.

  • Your devices must be onboarded to Microsoft Defender for Endpoint.
  • Your devices must be using anti-malware platform version 4.18.2010.7 (or above) and anti-malware engine version 1.1.17600.5 (or above). (Manage Microsoft Defender Antivirus updates and apply baselines.)
  • Cloud-delivered protection must be turned on.

Note

When tamper protection is enabled via the Microsoft 365 Defender portal, cloud-delivered protection is required, so that the enabled state of tamper protection can be controlled.
Starting with the November 2021 update (platform version 4.18.2111.5), if cloud-delivered protection is not turned on for a device and tamper protection is turned on in the Microsoft 365 Defender portal, then cloud-delivered protection will be automatically turned on for that device along with tamper protection.

Turn tamper protection on (or off) in the Microsoft 365 Defender portal

Screenshot: Tamper protection turned on in the Microsoft 365 Defender portal

  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.

  2. Choose Settings > Endpoints.

  3. Go to General > Advanced features, then turn tamper protection on.

Manage tamper protection for your organization using Microsoft Endpoint Manager

If your organization uses Microsoft Endpoint Manager (MEM), you can turn tamper protection on (or off) for your organization in the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com). Use Intune when you want to fine-tune tamper protection settings. For example, if you want to enable tamper protection on some devices, but not all, use Intune.

Requirements for managing tamper protection in Endpoint Manager

  • You must have appropriate permissions assigned, such as global admin, security admin, or security operations.
  • Your organization uses Microsoft Endpoint Manager to manage devices. (Microsoft Endpoint Manager (MEM) licenses are required; MEM is included in Microsoft 365 E3/E5, Enterprise Mobility + Security E3/E5, Microsoft 365 Business Premium, Microsoft 365 F1/F3, Microsoft 365 Government G3/G5, and corresponding education licenses.)
  • Your Windows devices must be running Windows 11 or Windows 10 1709, 1803, 1809, or later. (For more information about releases, see Windows 10 release information.)
  • You must be using Windows security with security intelligence updated to version 1.287.60.0 (or above).
  • Your devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). (Manage Microsoft Defender Antivirus updates and apply baselines.)

Turn tamper protection on (or off) in Microsoft Endpoint Manager

Screenshot: Tamper protection turned on with Intune

  1. In the Microsoft Endpoint Manager admin center, go to Endpoint security > Antivirus, then choose + Create Policy.

    • In the Platform list, select Windows 10 and later.
    • In the Profile list, select Windows Security experience.
  2. Create a profile that includes the following setting:

    • Enable tamper protection to prevent Microsoft Defender being disabled: Enable
  3. Assign the profile to one or more groups.

Manage tamper protection for your organization with Configuration Manager, version 2006

If you're using version 2006 of Configuration Manager, you can manage tamper protection settings on Windows 10, Windows 10 Enterprise multi-session, Windows 11, Windows 11 Enterprise multi-session, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022 by using a method called tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, then deliver endpoint security configuration policies to on-premises collections & devices.

Note

The process can be used to extend tamper protection to devices running Windows 10, Windows 10 Enterprise multi-session, Windows 11, Windows 11 Enterprise multi-session, Windows Server 2019, and Windows Server 2022. Make sure to review the prerequisites and other information in the resources mentioned in this procedure. For Windows Server 2012 R2 running the modern, unified solution, version 2203 of Configuration Manager is required.

  1. Prepare tenant attach. To learn more, see Get started: Create and deploy endpoint security policies from the admin center.

  2. In the Microsoft Endpoint Manager admin center, go to Endpoint security > Antivirus, then choose + Create Policy.

    • In the Platform list, select Windows 10, Windows 11, and Windows Server (ConfigMgr).
    • In the Profile list, select Windows Security experience (preview).
  3. Deploy the policy to your device collection.

Need help with this method?

See the following resources:

  • Settings for the Windows Security experience profile in Microsoft Intune
  • Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients

Manage tamper protection on an individual device

Note

Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry. To help ensure that tamper protection doesn't interfere with non-Microsoft security products or enterprise installation scripts that modify these settings, go to Windows Security and update Security intelligence to version 1.287.60.0 or later. (See Security intelligence updates.) After you've made this update, tamper protection continues to protect your registry settings, and logs attempts to change them without returning errors.

If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to manage tamper protection. You must have appropriate admin permissions on your device to change security settings, such as tamper protection.

Here's what you see in the Windows Security app:

Screenshot: Tamper protection turned on in Windows 10 Home

  1. Select Start, and start typing Security. In the search results, select Windows Security.

  2. Select Virus & threat protection > Virus & threat protection settings.

  3. Set Tamper Protection to On or Off.

Are you using Windows Server 2012 R2, 2016, or Windows version 1709, 1803, or 1809?

If you are using Windows Server 2012 R2 using the modern unified solution, Windows Server 2016, Windows 10 version 1709, 1803, or 1809, you won't see Tamper Protection in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.

On Windows Server 2016, the Settings app will not accurately reflect the status of real-time protection when tamper protection is enabled.

Use PowerShell to determine whether tamper protection and real-time protection are turned on

  1. Open the Windows PowerShell app.

  2. Use the Get-MpComputerStatus PowerShell cmdlet.

  3. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. (A value of true means tamper protection is enabled.)
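The three steps above are a manual check on one device. The script below is an added example (not code from the Microsoft documentation page) that wraps the same Get-MpComputerStatus call in a function, reads the IsTamperProtected and RealTimeProtectionEnabled properties the page names, and also compares the device's platform and engine versions against the minimums the page lists for portal-managed tamper protection (4.18.2010.7 and 1.1.17600.5). The function name and the warning messages are this example's own; the cmdlet and property names are the real ones from the built-in Defender module.

```powershell
# Added example, not from the Microsoft documentation page: report whether
# tamper protection and real-time protection are on for the local device, and
# whether it meets the platform/engine minimums the page lists for tamper
# protection managed from the Microsoft 365 Defender portal.
# Runs in Windows PowerShell on any Windows build that ships Microsoft Defender Antivirus.

function Get-TamperProtectionState {
    [CmdletBinding()]
    param(
        # Minimum versions quoted on the page for portal-managed tamper protection.
        [version]$MinPlatformVersion = '4.18.2010.7',
        [version]$MinEngineVersion   = '1.1.17600.5'
    )

    # The Defender module is built in; if the cmdlet is absent, Defender Antivirus
    # is not installed on this host (for example, a non-Windows machine).
    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        throw 'Get-MpComputerStatus is not available; Microsoft Defender Antivirus is not installed.'
    }

    $status   = Get-MpComputerStatus
    $platform = [version]$status.AMProductVersion   # anti-malware platform version
    $engine   = [version]$status.AMEngineVersion    # anti-malware engine version

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        IsTamperProtected         = [bool]$status.IsTamperProtected
        RealTimeProtectionEnabled = [bool]$status.RealTimeProtectionEnabled
        AMRunningMode             = $status.AMRunningMode   # e.g. Normal, Passive Mode
        PlatformVersion           = $platform
        EngineVersion             = $engine
        MeetsPortalMinimums       = ($platform -ge $MinPlatformVersion) -and ($engine -ge $MinEngineVersion)
    }
}

$state = Get-TamperProtectionState
$state | Format-List

# Surface the conditions a defender cares about instead of returning silently.
if (-not $state.IsTamperProtected) {
    Write-Warning "Tamper protection is OFF on $($state.ComputerName)."
}
if (-not $state.RealTimeProtectionEnabled) {
    Write-Warning "Real-time protection is OFF on $($state.ComputerName) (running mode: $($state.AMRunningMode))."
}
if (-not $state.MeetsPortalMinimums) {
    Write-Warning "Platform $($state.PlatformVersion) / engine $($state.EngineVersion) is below the minimum for portal-managed tamper protection."
}
```

Get-MpComputerStatus does not require an elevated session. To check a collection of machines, run the function body through Invoke-Command against the device names and collect the returned objects; the AMRunningMode value also tells you whether Defender Antivirus is in passive mode, which matters because the FAQ below notes that tamper protection keeps protecting the service in that state.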

View information about tampering attempts

Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.

When a tampering attempt is detected, an alert is raised in the Microsoft 365 Defender portal (https://security.microsoft.com).

Using endpoint detection and response and advanced hunting capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
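The portal alert described above is the tenant-wide view. As an on-device complement, the script below is an added example (not code from the Microsoft documentation page) that reads the local Microsoft Defender Antivirus operational log and summarises recent events that indicate settings changes or blocked change attempts, which is the logging behaviour the note earlier on this page refers to. The event IDs and their meanings are this example's assumptions drawn from the Defender operational log, not values stated on this page; confirm them against your own logs before relying on them.

```powershell
# Added example, not from the Microsoft documentation page: list recent Defender
# Antivirus operational-log events on the local device that indicate settings
# changes or blocked change attempts. The event IDs below are assumptions from
# the Defender operational log, not from this page; verify them in your environment.

$LogName  = 'Microsoft-Windows-Windows Defender/Operational'
$EventIds = @{
    5001 = 'Real-time protection disabled'
    5004 = 'Real-time protection configuration changed'
    5007 = 'Antivirus configuration changed'
    5010 = 'Scanning for malware disabled'
    5012 = 'Scanning for viruses disabled'
    5013 = 'Tamper protection blocked a change to Defender Antivirus settings (assumed ID)'
}

function Get-DefenderSettingsChangeEvents {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $filter = @{
        LogName   = $LogName
        Id        = [int[]]$EventIds.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    try {
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        $events = @()
    }

    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Meaning = $EventIds[[int]$e.Id]
            # The first line of the message is enough for triage; the full text
            # stays in the event log.
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}

$recent = @(Get-DefenderSettingsChangeEvents -Hours 24)

if ($recent.Count -eq 0) {
    Write-Host 'No Defender settings-change events in the last 24 hours.'
} else {
    $recent | Sort-Object Time | Format-Table -AutoSize

    # A blocked attempt means something tried to change protected settings and
    # tamper protection stopped it; an applied change on a device that should be
    # tamper protected is the case worth investigating.
    $blocked = @($recent | Where-Object Id -eq 5013).Count
    $applied = $recent.Count - $blocked
    Write-Host "$blocked blocked attempt(s), $applied applied change(s) in the last 24 hours."
}
```

Treat the output as triage input rather than a verdict: configuration-changed events also fire on legitimate, policy-driven changes (for example when Intune or Configuration Manager pushes a new profile), so correlate them with your change records and with the tamper-protection alerts in the Microsoft 365 Defender portal before acting.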

Review your security recommendations

Tamper protection integrates with Threat & Vulnerability Management capabilities. Security recommendations include making sure tamper protection is turned on. For example, you can search on tamper. In the results, you can select Turn on Tamper Protection to learn more and turn it on.

To learn more about Threat & Vulnerability Management, see Dashboard insights - threat and vulnerability management.

Frequently asked questions

On which versions of Windows can I configure tamper protection?

  • Windows 11
  • Windows 11 Enterprise multi-session
  • Windows 10 OS 1709, 1803, 1809, or later together with Microsoft Defender for Endpoint.
  • Windows 10 Enterprise multi-session

If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022. See Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview).

Will tamper protection affect non-Microsoft antivirus registration in the Windows Security app?

No. Non-Microsoft antivirus offerings will continue to register with the Windows Security application.

What happens if Microsoft Defender Antivirus is not active on a device?

Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. In these cases, tamper protection will continue to protect the service and its features.

How do I turn tamper protection on or off?

If you are a home user, see Manage tamper protection on an individual device.

If you are an organization using Microsoft Defender for Endpoint, you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:

  • Manage tamper protection using Microsoft Endpoint Manager
  • Manage tamper protection using the Microsoft 365 Defender portal

How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus with Group Policy?

If you are currently using Intune to configure and manage tamper protection, you should continue using Intune.

Group Policy doesn't apply to tamper protection. Changes made to Microsoft Defender Antivirus settings using Group Policy are ignored when tamper protection is turned on, or when tamper protection is configured with Intune.

If we use Microsoft Intune to configure tamper protection, does it apply only to the entire organization?

You have flexibility in configuring tamper protection with Intune. You can target your entire organization, or select specific devices and user groups.

Can I configure tamper protection with Microsoft Endpoint Configuration Manager?

If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See the following resources:

  • Manage tamper protection for your organization with Configuration Manager, version 2006
  • Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients

I have the Windows E3 enrollment. Can I configure tamper protection in Intune?

Currently, configuring tamper protection in Intune is only available for customers who have Microsoft Defender for Endpoint.

I'm an enterprise customer. Can local admins change tamper protection on their devices?

No. Local admins cannot change or modify tamper protection settings.

What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state?

If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.

If the status of tamper protection changes, are alerts shown in the Microsoft 365 Defender portal?

Yes. The alert is shown in https://security.microsoft.com under Alerts.

Your security operations team can also use hunting queries, such as the following example:

AlertInfo | where Title == "Tamper Protection bypass"

View information about tampering attempts.

See also

  • Help secure Windows PCs with Endpoint Protection for Microsoft Intune
  • Get an overview of Microsoft Defender for Endpoint
  • Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint
  • Enable troubleshooting mode
  • Troubleshooting mode scenarios