Windows Defender Tamper Protection with Intune / MEM
As we have been reading, many of the advanced threats we see today try to turn off or tamper with the protections that are active on our endpoints.
With Windows Defender you have the option to enable Tamper Protection to make your Windows Defender configuration harder to alter.
With Tamper Protection enabled, the client is safeguarded from attempts to disable:
- Virus and Threat Protection and IOAV
- Real-time Protection
- Cloud-delivered protection
- Behavior monitoring
- Removal of Security Intelligence Updates
Of course you should not run as local admin, as you expose your machine to other risks, but this protection helps in some of those scenarios. There are of course other means by which an attacker can avoid being detected, and that is why we strongly recommend adding EDR capabilities to your endpoint security strategy.
To turn this on, you simply make sure your machines are managed with Intune / MEM.
You can find the setting under Windows 10 and later > Endpoint Protection, in the category Microsoft Defender Security Center > Tamper Protection.
Once you have enabled Tamper Protection, assign the profile to your endpoints.
On the endpoint you should be able to see that Tamper Protection is turned on in the Windows Security Center.
If you are running an early version of Windows 10, you need at least 1709 for this to work. On 1709 to 1809 you will not see this in the Security Center and need to verify it with PowerShell, looking for the value “IsTamperProtected” set to True.
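The PowerShell check described above, as an added example that is not part of the original post: it confirms the build is 1709 or later, reads IsTamperProtected from Get-MpComputerStatus, and also reports the other protections the post lists as covered. The exit codes are an assumption for use as a detection script in Intune; the Defender cmdlets themselves are the built-in ones.

```powershell
# Added example (not from the original post): verify Tamper Protection on an endpoint.
# Assumes the built-in Defender module (Get-MpComputerStatus / Get-MpPreference) is present,
# which is the case on Windows 10 1709 (build 16299) and later.

$minBuild = 16299   # Windows 10 version 1709, the first build that supports Tamper Protection
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
if ($build -lt $minBuild) {
    Write-Warning "Build $build is older than 1709 (16299); Tamper Protection is not supported here."
    exit 2
}

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# The protections the post lists as safeguarded by Tamper Protection; each should report On.
# MAPSReporting 0 means cloud-delivered protection is off (1 = basic, 2 = advanced).
$checks = [ordered]@{
    'Tamper Protection'        = $status.IsTamperProtected
    'Real-time Protection'     = $status.RealTimeProtectionEnabled
    'IOAV Protection'          = $status.IOAVProtectionEnabled
    'Behavior Monitoring'      = $status.BehaviorMonitorEnabled
    'Antivirus enabled'        = $status.AntivirusEnabled
    'Cloud-delivered (MAPS)'   = ($prefs.MAPSReporting -ne 0)
}

$failed = @()
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    '{0,-24} : {1}' -f $name, $(if ($ok) { 'On' } else { 'OFF' })
    if (-not $ok) { $failed += $name }
}

# Assumed convention: a non-zero exit code flags the device when this runs as an
# Intune detection script, so you can spot endpoints where the setting did not apply.
if ($failed.Count -gt 0) {
    Write-Warning ('Not enabled: ' + ($failed -join ', '))
    exit 1
}
exit 0
```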
You will find more information in the official documentation linked below. Please note that once you configure this, you can no longer manage Defender with Group Policy. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection