What You Need to Know about Microsoft Endpoint Manager’s Tamper Protection

With cyber threats being such a huge problem, the last thing your organization needs is vulnerable security. And this can be worsened if malicious actors manage to disable your security. So with that in mind, Microsoft introduced Tamper Protection to increase your organization’s security by making it significantly harder for cybercriminals to infiltrate your network.

It gives you a better security posture and allows your IT team to ensure greater protection over corporate resources. And so today we’re going to dive into what exactly Microsoft Endpoint Manager Tamper Protection is and what it can do for your organization.

What is Tamper Protection?

Microsoft Endpoint Manager Tamper Protection is a relatively new feature that was created to prevent potential attackers from making changes to the configuration of Microsoft Defender on Windows 10 clients. Therefore, this feature doesn’t allow malicious actors to disable features such as:

  • Real-time protection,
  • Anti-virus protection,
  • Cloud-delivered protection,
  • Removing security intelligence updates.

By blocking these actions, Tamper Protection keeps attackers from getting easy access to your data or installing malware. Without being able to do this, attackers can’t compromise your devices or exploit sensitive information.

Functionality

The key thing that Microsoft Endpoint Manager Tamper Protection does for you is it locks Microsoft Defender Antivirus to keep people from making modifications to your security system. These modifications could otherwise be made through apps and methods like:

  • Configuring settings in Registry Editor on your Windows device
  • Using PowerShell cmdlets to make changes to settings
  • Using group policies to edit or remove security settings

However, Tamper Protection won’t stop you from seeing your security settings or affect how third-party antivirus apps register with the Windows Security app. For organizations using Windows 10 Enterprise E5, it’s the security team that will manage Tamper Protection and so individual users can’t change the setting.

How to enable Tamper Protection

Your IT admins can use Microsoft Intune to turn Tamper Protection on or off for all managed computers using the Microsoft Endpoint Manager (MEM) admin center portal. And to make changes to Microsoft Endpoint Manager Tamper Protection, admins will need to have permissions such as security or global admin. To have access to Tamper Protection, your organization should:

  • Have Intune licenses such as Microsoft 365 E5,
  • Have computers running Windows 10 versions 1709, 1803, 1809, or later,
  • Use Windows security with security intelligence updated to version 1.287.60.0 or later,
  • Have machines using antimalware platform version 4.18.1906.3 and antimalware engine version 1.1.15500.X (or later).

With all the requirements met, follow the steps below to get access:

  • Go to MEM admin center and sign in with the right credentials,
  • Select Devices and choose Configuration Profiles,
  • Create a profile with the characteristics below:

Once you turn on Tamper Access, you won’t have any need to turn it off unless if it affects other validated tools.  

Tamper Protection for Configuration Manager

With version 2006 of Configuration Manager, you can leverage tenant attach to manage Tamper Protection settings on:

  • Windows 10,
  • Windows Server 2016, and
  • Windows Server 2019.

Tenant attach allows you to sync your on-premises-only Configuration Manager devices into the MEM admin center. Following this, you can deliver endpoint security configuration policies to on-premises collections and devices. A few simple steps are all you need:

  • Set up tenant attach,
  • Go to the MEM admin center > Endpoint security > Antivirus,
  • Choose Create Policy,
  • You can now deploy the policy to your device collection.

Continuous reviewing

Even with Microsoft Endpoint Manager Tamper Protection enabled, your admins need to have the ability to continually review your security posture. Otherwise, you won’t fully benefit if you cannot see the tamper attempts or report them.

To resolve this challenge, you can subscribe to the Microsoft Defender for Endpoint service. This will provide you with a dashboard that shows you all the security issues that you need to be aware of. These include flagged tamper attempts with all the necessary details to investigate further.

Using third-party security tools

Although Microsoft Endpoint Manager Tamper Protection can work with third-party security tools, some of these can make changes to security settings. By using real-time threat information, Tamper Protection can assess the potential risks of software and suspicious activities. Ideally, your IT admins should update your security intelligence to version 1.287.60.0 or later. And this action will protect the system security settings in the Registry and log any attempts to modify those settings without generating errors.       

What about endpoint management tools?

As for endpoint management tools, you can use them with Microsoft Endpoint Manager Tamper Protection. With limits, of course. Admins retain the possibility of establishing a centralized setting for Tamper Protection using management tools.

However, other tools/platforms cannot change settings that are under the protection of Tamper Protection. For that, admins would require Windows Security to manage those.

If you have a Windows enterprise-class license or computers running Windows 10 Enterprise E5, you need to opt into global Tamper Protection. Below are some unified endpoint management platforms that cannot override Tamper Protection:

  • Microsoft Intune,
  • System Center Configuration Manager,
  • Windows System Image Manager configuration,
  • Group Policy,
  • Any other Windows Management Instrumentation tools and administrative roles.

Wrap up

The key to staying ahead of cybercriminals is a continual upgrading of existing security features. And this is precisely what Microsoft is doing with Tamper Protection. With this feature, you can address one of the potential areas of weakness in your security infrastructure. You can prevent unwanted visitors from disabling critical security features.

Since Microsoft Endpoint Manager Tamper Protection was specifically designed for enterprise environments, it is ideal for enhancing organizational security and making your organization less vulnerable to attack. Class-leading security has become a necessity for all of us and features like this can play a massive role in safeguarding our enterprises.

Feel free to comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.