Tamper Protection Now Available to Microsoft Defender ATP Subscribers

The Microsoft Defender Advanced Threat Protection (ATP) E5 subscription plan now has an optional "tamper protection" security feature, Microsoft announced on Monday.

The feature, which prevents changes from being made to Windows 10 client security features by malicious applications or even by local administrators, is now available at the "general availability" stage. Tamper protection had earlier been at the preview stage back in March. The feature just works with Windows 10 version 1903 or later clients, and it requires using the Windows Defender Antivirus program.

General availability means that tamper protection is deemed ready for use by organizations. However, an IT pro with a "global admin, security admin, or security operations" role will need to enable it first before it takes effect, according to Microsoft's documentation. It's not enabled by default for organizations.

Consumer Version
For consumer users, tamper protection "will be enabled by default" on Windows 10 Home edition versions. It's currently being rolled out to them "gradually," according to Microsoft's announcement, which did not provide timeline details. An early review of the consumer version can be found in this Redmond article.

Tamper protection seems like a pretty basic security protection for organizations, as well as for consumers. However, not every organization may have the licensing to use it.

Organizational Requirements
Tamper protection is just for organizations with Microsoft Defender ATP E5 licensing. They'll also need to be using the Microsoft Intune client management service to turn on tamper protection. Users of System Center Configuration Manager (SCCMM) are out of luck as Microsoft doesn't currently support tamper protection with that management tool.

It's also not possible to turn on tamper protection using Group Policy. Microsoft's documentation flatly rejected the notion that Group Policy could be used with tamper protection in the future.

The requirements to use tamper protection include having the following in place:

  • A subscription to Microsoft Defender ATP E5 (the E3 plan isn't supported)
  • A subscription to Microsoft Intune
  • Use of Windows Defender Antivirus (version 4.18.1906.3 or above) with security intelligence updates turned on
  • Use of Windows 10 version 1903 or later

Tamper protection will not work on client devices that aren't using Windows Defender Antivirus. Surprisingly, the tamper protection feature does not include support for Windows Server products.

Tamper protection won't have an effect on "third-party antivirus registration," Microsoft promised. IT pros using tamper protection will get alerts when there are attempts to alter security features. These alerts will be available through the Microsoft Defender ATP management portal.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Dell Sells RSA Assets for $2 Billion

    Dell's RSA security solutions businesses, including the RSA Conference, were bought by a consortium of companies for about $2 billion, according to Tuesday announcements.

  • How To Get Started as a Windows Insider

    Microsoft's Windows Insider program is invaluable for IT pros who want to test drive new Windows 10 features before the update rolls out to their entire organization. If you haven't already signed up to be an Insider, here's how to do it.

  • Old Fashioned Mics

    Microsoft Preps for RSA Conference with Multiple Security Product Announcements

    Microsoft announced various enterprise security solution product milestones this week in advance of the forthcoming RSA Conference, which will start on Feb. 24.

  • Office App for Android and iOS Phones Now Commercially Released

    Microsoft on Wednesday announced the worldwide "general availability" of its new Office App for both Android and iOS phones.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.