Make sure Tamper Protection is turned on

Published Aug 28 2021 01:50 PM 7,427 Views

Tamper protection in Microsoft Defender for Endpoint (MDE) helps protect organizations like yours from unwanted changes to your security settings by unauthorized users. Tamper protection prevents malicious actors from turning off threat protection features, such as antivirus protection, and includes detection of, and response to tampering attempts. Tamper protection is available to customers ranging from consumers to enterprise organizations. If you haven’t already done so, turn on tamper protection now to help prevent attackers from disabling your antivirus and antimalware protection.


Why tamper protection is so important

Turning off anti-tampering measures, such as tamper protection, is often the first step in a ransomware, supply chain, or other Advanced Persistent Threat (APT) attack. (See our example later in this article.) By hardening against tampering, you can help prevent breaches from the outset. Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed through apps and other methods, such as registry key modifications, PowerShell cmdlets, Group Policy, and so on. Having tamper protection on is one of the most critical tools in your fight against ransomware.


Note: Because tamper protection is so critical in helping to protect against ransomware, we have taken the approach to enable it as on by default for all new Microsoft Defender for Endpoint tenants for some time now.


What to expect when tamper protection is enabled

In a digital estate where tamper protection is enabled, malicious apps, users, or admins are prevented from taking unauthorized or unintentional actions such as:

  • Disabling virus and threat protection
  • Disabling real-time protection
  • Turning off behavior monitoring
  • Disabling antivirus (such as IOfficeAntivirus (IOAV))
  • Disabling cloud-delivered protection
  • Removing security intelligence updates
  • Change threat severity actions (config name: ThreatSeverityDefaultAction)
  • Disable script scanning (config name: DisableScriptScanning)


Note: Tamper protection does not break your Group Policy Objects or Mobile Device Management configurations and scripts that are deployed through your security management solutions. Also, any unauthorized tampering (intentional or unintentional) with the reg key will be ignored by Defender for Endpoint.


Methods to manage tamper protection

Depending on your subscription and endpoint operating systems, you can choose from several methods to manage tamper protection. The following table lists the default state for different environments and ways to configure tamper protection in your organization.



Tamper protection state   

Methods to manage tamper protection





Microsoft 365 E5/ Education A5 - New Tenants 





On by default   

- Microsoft Endpoint Manager: Intune for Windows 10 devices onboarded to Microsoft Defender for Endpoint (Defender for Endpoint)


- Microsoft Endpoint Manager: Configuration Manager Tenant attach for Windows Server 2016 & 2019 and Windows 10  


- Microsoft 365 Defender portal ( under advanced feature settings for endpoints (global setting)  



Microsoft 365 E5/ Education A5 - Existing Tenants  

Off by default, but customers can opt-in  


An example of tamper protection in action

As mentioned in the recent blog, Hunting down LemonDuck and LemonCat attacks, tamper protection helps prevent robust malware like LemonDuck from automatically disabling Microsoft Defender for Endpoint real-time monitoring and protection. The following diagram outlines the LemonDuck attack chain. Notice that in the Evasion phase, antimalware protection is disabled.





Unchecked, malware like LemonDuck can take actions that could, in effect, disable protection capabilities in Microsoft Defender for Endpoint. Disabling your threat protection frees the attacker to perform other actions, such as exfiltrating credentials and spreading to other devices. Tamper protection is designed to help safeguard people and organizations from such actions.


Next steps

Make sure tamper protection is turned on.


Let us know what you think! Post a comment and give us your feedback!













Occasional Visitor


Regular Visitor

Hi Dele,

How come you only mention activating for Enterprise and M365 in this post and not Consumer. You stated at the beginning of the post, the feature is available to Consumers too. Is it ON by default for Consumers or not? How do we activate as consumers?

Regular Visitor

Hello McAkins,

Thanks for your insightful comment, and for your valid concern on the deliberate exclusion of Consumer devices in the table. While the goal of the blog is to reiterate the importance of TP for enterprise customers, it is good to be aligned and reemphasized your point of view. Hence, TP is on-by-default for Consumer devices (new devices), and it could be activated (Consumer devices with TP = off) by following the steps in the link above.

Regular Visitor

Thanks, I've confirmed it is ON by default on my devices. Awesome.

Great article, @OludeleOgunrinde . Thank you.

Hypothetical scenario:

If a device is configured to have Tamper Protection ON from Microsoft 365 Defender Portal (global setting), but it is also configured to have Tamper Protection OFF (Disabled) from a Configuration Profile from Intune, what is the outcome? Which configuration wins?


Hi @Jose Camacaro Latouche 


As per documentation, MEM/Intune takes precedence:

"If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft 365 Defender portal."

Great question!

@PhilMicrosoft thanks! would it be the same if the tamper protection settings are configured via GPO or SCCM?


Just make sure if your using SCCM and disable local admin merge you use the latest version of SCCM.  Otherwise when you enable tamper protection you can no longer manage exclusions.  

Version history
Last update:
‎Aug 30 2021 09:06 AM
Updated by: