Microsoft has released its security configuration baseline settings for Windows 11. Although most of the baseline settings are the same as those in Windows 10, the new security baseline settings indicate that admins should enable Microsoft Defender for Endpoint’s Tamper Protection feature.
How Tamper Protection Works
Before I explain how to enable Tamper Protection, I want to take just a moment and talk about what it is and why it’s important.
Every malware attack is different, but many types of malware are designed to disable any antivirus protection that may be present on the computer on which the malware is running. This practice was especially common in the days of Windows XP, but it is still used today. Attackers sometimes use automated malware to shut down a machine’s antivirus protection, or attacks may be human-initiated. An attacker might, for example, manually shut down a computer’s defenses before starting a ransomware attack in an effort to help evade detection.
As its name implies, Tamper Protection is designed to prevent malware or human attackers from disabling various Windows security mechanisms such as Windows Defender’s malware protection. When you enable Tamper Protection, what you are really doing is locking Microsoft Defender Antivirus so that it cannot be shut down or reconfigured by way of the registry editor, PowerShell or Group Policy. It is worth noting, however, that Tamper Protection is specific to Microsoft Defender and generally does not have any effect on third-party anti-malware software.
Enabling Tamper Protection
If you need to enable Tamper Protection on an individual Windows 11 device, you can do so by opening Settings and then selecting the Privacy and Security tab. When the Privacy and Security screen opens, click on Windows Security, followed by Virus and Threat Protection. Now, locate the Virus and Threat Protection Settings section and then click on the Manage Settings link. The resulting Manage Settings page contains an option to turn on the Tamper Protection feature, as shown in Figure 1.
This is where you go to enable Tamper Protection in Windows 11.
Incidentally, the Tamper Protection feature also exists in Windows 10. You can access it by opening Settings and then clicking on Update and Security. From there, click on the Windows Security tab, and then click the Open Windows Security button. Now, click on Virus and Threat Protection, and then click on the Manage Settings link found in the Virus and Threat Protection Settings section. This will take you to the screen shown in Figure 2, where you can enable Tamper Protection.
This is where you can find the Windows 10 setting to enable Tamper Protection.
Of course, in an enterprise environment, it’s a good idea to centrally enable Tamper Protection. Microsoft’s preferred method for doing so involves using Intune: Open the Microsoft Endpoint Manager Admin Center and then select the Devices tab. Next, click on Windows in the Platform section, and then choose the option to create a new configuration profile. The profile that you create should apply to Windows 10 and Later PCs, and you should set the profile type to Template. Choose the Endpoint Protection option from the list of templates, as shown in Figure 3.
The Tamper Protection setting exists within the Endpoint Protection template.
Click Create, and you will be taken to the Endpoint Protection wizard. The first thing that you will need to do is to assign a name and an optional description for the profile that you are creating. Click Next, and you will be taken to the Configuration Settings screen.
This screen contains several different categories, each of which contains settings. Categories include Microsoft Defender Firewall, Windows Encryption and Windows Defender Exploit Guard. You will need to expand the Microsoft Defender Security Center section and then enable the Tamper Protection setting, as shown in Figure 4.
The Tamper Protection setting is included in the Microsoft Defender Security Center section.
When you are done, enable any additional security settings that you want to use, and then click Next. You will then be prompted to apply the policy to one or more groups. Now, click Next a couple of times, followed by Create to create the policy.
Although Intune seems to be Microsoft’s preferred mechanism for enabling Tamper Protection, there is another option. You can also enable Tamper Protection through the Microsoft 365 Defender Portal. You can find the setting at Settings | Endpoints | Advanced Features | Tamper Protection.
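Whichever of the three methods above you use, it pays to confirm that the setting actually landed on the endpoints. The PowerShell below is an added example, not code from the article or from Microsoft: it uses the built-in Defender module's Get-MpComputerStatus to report Tamper Protection state (and the real-time engine it protects) for one or more hosts. It assumes WinRM is enabled on remote hosts, that the caller is a local administrator, and that the TamperProtectionSource property may be absent on older Defender platform builds.

```powershell
# Added example (not from the article): audit Tamper Protection after rollout.
# Assumes WinRM/PS remoting for remote hosts and local admin rights on each target.
function Get-TamperProtectionReport {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on each target; reads Defender's own status object.
    $probe = {
        $s = Get-MpComputerStatus
        # TamperProtectionSource (UI, Intune, ATP, ...) only exists on newer builds.
        $src = if ($s.PSObject.Properties['TamperProtectionSource']) { $s.TamperProtectionSource } else { 'n/a' }
        @{
            IsTamperProtected  = [bool]$s.IsTamperProtected
            Source             = $src
            RealTimeProtection = [bool]$s.RealTimeProtectionEnabled
            AMServiceEnabled   = [bool]$s.AMServiceEnabled
            PlatformVersion    = $s.AMProductVersion
        }
    }

    foreach ($c in $ComputerName) {
        try {
            $r = if ($c -eq $env:COMPUTERNAME) { & $probe }
                 else { Invoke-Command -ComputerName $c -ScriptBlock $probe -ErrorAction Stop }
            [pscustomobject]@{
                Computer           = $c
                IsTamperProtected  = $r.IsTamperProtected
                Source             = $r.Source
                RealTimeProtection = $r.RealTimeProtection
                AMServiceEnabled   = $r.AMServiceEnabled
                PlatformVersion    = $r.PlatformVersion
                # Baseline intent: Tamper Protection on AND the protected engine actually running.
                Compliant          = ($r.IsTamperProtected -and $r.RealTimeProtection -and $r.AMServiceEnabled)
                Error              = $null
            }
        } catch {
            # Unreachable or failed hosts are reported as non-compliant rather than silently skipped.
            [pscustomobject]@{
                Computer = $c; IsTamperProtected = $null; Source = 'error'; RealTimeProtection = $null
                AMServiceEnabled = $null; PlatformVersion = $null; Compliant = $false
                Error = $_.Exception.Message
            }
        }
    }
}

# Usage (hypothetical host names): list only the machines that still need attention.
Get-TamperProtectionReport -ComputerName 'PC01', 'PC02' |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

A host showing IsTamperProtected as True but Source as 'UI' was switched on locally rather than by the Intune or Defender portal policy, which is worth noting when you want the setting managed centrally.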