Tamper Protection Now Available to Microsoft Defender ATP Subscribers

The Microsoft Defender Advanced Threat Protection (ATP) E5 subscription plan now has an optional "tamper protection" security feature, Microsoft announced on Monday.

The feature, which prevents malicious applications, or even local administrators, from changing Windows 10 client security features, has now reached the "general availability" stage. Tamper protection had earlier been at the preview stage in March. The feature works only with Windows 10 version 1903 or later clients, and it requires using the Windows Defender Antivirus program.

General availability means that tamper protection is deemed ready for use by organizations. However, an IT pro with a "global admin, security admin, or security operations" role will need to enable it before it takes effect, according to Microsoft's documentation. It's not enabled by default for organizations.

Consumer Version
For consumer users, tamper protection "will be enabled by default" on Windows 10 Home edition versions. It's currently being rolled out to them "gradually," according to Microsoft's announcement, which did not provide timeline details. An early review of the consumer version can be found in this Redmond article.

Tamper protection seems like a pretty basic security protection for organizations, as well as for consumers. However, not every organization may have the licensing to use it.

Organizational Requirements
Tamper protection is just for organizations with Microsoft Defender ATP E5 licensing. They'll also need to be using the Microsoft Intune client management service to turn on tamper protection. Users of System Center Configuration Manager (SCCM) are out of luck, as Microsoft doesn't currently support tamper protection with that management tool.

It's also not possible to turn on tamper protection using Group Policy. Microsoft's documentation flatly rejected the notion that Group Policy could be used with tamper protection in the future.

The requirements to use tamper protection include having the following in place:

  • A subscription to Microsoft Defender ATP E5 (the E3 plan isn't supported)
  • A subscription to Microsoft Intune
  • Use of Windows Defender Antivirus (version 4.18.1906.3 or above) with security intelligence updates turned on
  • Use of Windows 10 version 1903 or later

Tamper protection will not work on client devices that aren't using Windows Defender Antivirus. Surprisingly, the tamper protection feature does not include support for Windows Server products.
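The client-side requirements above can be checked on an endpoint before tamper protection is enabled from Intune. The following PowerShell is an added example, not code from Microsoft or from this article; the function name `Test-TamperProtectionReadiness` is hypothetical, the seven-day signature-age threshold is an assumption, and licensing (Defender ATP E5, Intune) cannot be verified locally, so it is not checked.

```powershell
# Added example: local readiness check for the client-side requirements in the list above.
# Licensing (Defender ATP E5, Intune) is not visible from the endpoint and is not checked.
function Test-TamperProtectionReadiness {
    [CmdletBinding()]
    param(
        # Minimum antimalware platform version, as stated in the article
        [version]$MinPlatformVersion = '4.18.1906.3',
        # Windows 10 version 1903 corresponds to OS build 18362
        [int]$MinOsBuild = 18362,
        # Assumed proxy for "security intelligence updates turned on"
        [int]$MaxSignatureAgeDays = 7
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Get-MpComputerStatus ships with the Defender module; it throws if Defender AV is unavailable
    $mp = Get-MpComputerStatus -ErrorAction Stop

    $checks = [ordered]@{
        # ProductType 1 = workstation; 2 and 3 are server roles (Windows Server is not supported)
        ClientSku         = ($os.ProductType -eq 1)
        OsBuildOk         = ([int]$os.BuildNumber -ge $MinOsBuild)
        DefenderAvEnabled = [bool]$mp.AntivirusEnabled
        PlatformVersionOk = ([version]$mp.AMProductVersion -ge $MinPlatformVersion)
        SignaturesFresh   = ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Ready             = -not ($checks.Values -contains $false)
        # Current state as reported by Defender; empty on builds that predate the feature
        IsTamperProtected = $mp.IsTamperProtected
        Checks            = [pscustomobject]$checks
    }
}

# Run locally and show the per-requirement results
Test-TamperProtectionReadiness | Format-List
```

A device that reports `Ready` as true but `IsTamperProtected` as false meets the client requirements and is still waiting on the setting to be turned on.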

Tamper protection won't have an effect on "third-party antivirus registration," Microsoft promised. IT pros using tamper protection will get alerts when there are attempts to alter security features. These alerts will be available through the Microsoft Defender ATP management portal.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

