| title | ms.reviewer | manager | description | ms.service | ms.localizationpriority | ms.date | audience | ms.topic | author | ms.author | ms.custom | ms.subservice | ms.collection | search.appverid | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Manage tamper protection for your organization using Microsoft Defender XDR |
joshbregman, mattcall, pahuijbr, hayhov, oogunrinde |
deniseb |
Turn tamper protection on or off for your tenant using the Microsoft Defender portal. |
defender-endpoint |
medium |
10/24/2023 |
ITPro |
conceptual |
siosulli |
siosulli |
|
ngp |
|
met150 |
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
- Microsoft Defender for Business
- Microsoft 365 Business Premium
Platforms
- Windows
Tamper protection helps protect certain security settings, such as virus and threat protection, from being disabled or changed. If you're part of your organization's security team, you can turn tamper protection on (or off) tenant wide by using the Microsoft Defender portal (https://security.microsoft.com).
Important
If tamper protection is deployed and managed through Intune, turning tamper protection on or off in the Microsoft Defender portal won't impact the state of tamper protection. It restricts tamper-protected settings to their secure default values. For more information, see What happens when tamper protection is turned on?
-
You must have appropriate permissions assigned through roles, such as Global Administrator or Security Administrator. (See Microsoft Defender XDR role-based access control (RBAC).)
-
Devices must be running certain versions of Windows or macOS. (See On what devices can tamper protection be enabled?)
-
Devices must be onboarded to Microsoft Defender for Endpoint.
-
Devices must be using anti-malware platform version
4.18.2010.7(or above) and anti-malware engine version1.1.17600.5(or above). (Manage Microsoft Defender Antivirus updates and apply baselines.) -
Cloud-delivered protection must be turned on.
Note
When tamper protection is enabled via the Microsoft Defender portal, cloud-delivered protection is required so that the enabled state of tamper protection can be controlled. Starting with the November 2021 update (platform version 4.18.2111.5), if cloud-delivered protection is not already turned on for a device, when tamper protection is turned on, cloud-delivered protection is turned on automatically on the device.
:::image type="content" source="/defender/media/mde-turn-tamperprotectionon.png" alt-text="Turn tamper protection turned on in the Microsoft Defender portal" lightbox="/defender/media/mde-turn-tamperprotectionon.png":::
-
Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
-
Choose Settings > Endpoints.
-
Go to General > Advanced features, and then turn tamper protection on.
-
Currently, the option to manage tamper protection in the Microsoft Defender portal is on by default for new deployments, as part of built-in protection, which helps guard against ransomware. For existing deployments, tamper protection is available on an opt-in basis. To opt in, in the Microsoft Defender portal, choose Settings > Endpoints > Advanced features > Tamper protection.
-
When you enable tamper protection in the Microsoft Defender portal, the setting is applied tenant wide and restricts tamper-protected settings to their secure defaults. Any changes made to tamper-protected settings are ignored. Depending on your particular scenario, you have several options available:
-
If you must make changes to a device and those changes are blocked by tamper protection, you can use troubleshooting mode to temporarily disable tamper protection on the device.
-
You can use Intune or Configuration Manager to exclude devices from tamper protection.
-
If you're managing tamper protection through Intune and certain other conditions are met, you can manage tamper-protected antivirus exclusions.
-