As you know, attackers always try to stay ahead in the security game, and one of their techniques is to disable the endpoint protection (aka antivirus/antimalware).
Well, while Windows Defender is quite a secure and robust endpoint protection, it is obviously one of the major targets for these attackers.
To help mitigate security threats trying to disable Windows Defender and/or modify the security configuration on Windows 10 devices, a new capability has been added – called Tamper Protection – which can be enabled using Intune.
The tamper protection is designed to block malicious attacks and changes to security features. It has been delivered in preview to Windows Insider earlier this year and is now in GA (general availability).
Tamper protection helps better protect security features such as (but not limited to):
- Real-time protection; tamper protection ensures this will never be disabled, although having it turned off was already quite rare (unless you are using a third-party AV)
- Cloud-delivered protection; which uses cloud-based detection and prevention services to block not-yet-known malware
- Behavior monitoring; which helps detect suspicious activities. It makes sense to see this capability covered by tamper protection, as it works closely with real-time detection
- Security intelligence updates; which keep the Defender protection database up to date so that Windows Defender is always current
You can start enabling tamper protection using Intune by connecting to your Azure portal (https://portal.azure.com) or Device Management portal (https://devicemanagement.microsoft.com) and navigating to the Intune\Device Configuration\Profiles configuration blade.
NOTE this can be managed only from the Intune portal; local administrators will not be able to enable/disable the feature.
From there, either create a new Endpoint protection profile or edit your existing one, and go to the Microsoft Defender Security Center configuration to enable Tamper Protection (not configured by default).
Once enabled, the security policy is signed in the back-end before being applied to the devices, which then blocks security configuration changes made by other means (including group policy, registry keys or WMI); support for these ‘known and secured’ configuration methods will come in future updates.
Once enabled and applied, end users will see Tamper Protection shown as enabled in the Windows Security center.
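As an added example (not code from the original post or from Microsoft), here is a PowerShell check you can run on a device, or deploy through Intune as a script, to confirm that Tamper Protection and the Defender features it shields are actually on after the policy lands. It uses the built-in Get-MpComputerStatus and Get-MpPreference cmdlets; the registry location and the meaning of its value are assumptions and may differ between builds.

```powershell
# Added example: verify Tamper Protection and the Defender settings it shields.
function Test-DefenderTamperState {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus

    # One row per setting: what it is and whether it is currently on.
    $checks = @(
        [pscustomobject]@{ Setting = 'TamperProtection';   Enabled = [bool]$status.IsTamperProtected }
        [pscustomobject]@{ Setting = 'RealTimeProtection'; Enabled = [bool]$status.RealTimeProtectionEnabled }
        [pscustomobject]@{ Setting = 'BehaviorMonitoring'; Enabled = [bool]$status.BehaviorMonitorEnabled }
        [pscustomobject]@{ Setting = 'AntivirusEngine';    Enabled = [bool]$status.AntivirusEnabled }
    )

    # Cloud-delivered protection (MAPS) is exposed by Get-MpPreference rather than Get-MpComputerStatus.
    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced.
    $pref = Get-MpPreference
    $checks += [pscustomobject]@{ Setting = 'CloudDeliveredProtection'; Enabled = ($pref.MAPSReporting -ne 0) }

    # Assumption: Defender records the feature state under this key, with 5 = on and 4 = off.
    # Treat the flag as a hint that the signed policy arrived, not as the source of truth.
    $regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $regValue = (Get-ItemProperty -Path $regPath -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection
    $checks += [pscustomobject]@{ Setting = 'TamperProtectionRegistryFlag'; Enabled = ($regValue -eq 5) }

    return $checks
}

# Print the table and exit non-zero when anything is off, so Intune reports the script as failed.
$result = Test-DefenderTamperState
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.Enabled }) { exit 1 }
```

A device where the Intune profile has not applied yet will show TamperProtection as False while the other rows may still be True, which is the case the script is meant to surface.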
Administrators will then have access to reporting and alerts raised through the Microsoft Defender ATP portal (https://securitycenter.windows.com/).
You will need either an E5 plan or Microsoft Defender ATP licenses.
For home users (aka unmanaged devices), this capability will be gradually enabled (with the ability for them to turn it off).