From 6b10684bbc99dd211879247e1101a2110c53a936 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 8 Oct 2020 11:50:57 -0700 Subject: [PATCH 1/9] Update prevent-changes-to-security-settings-with-tamper-protection.md --- ...ent-changes-to-security-settings-with-tamper-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 6b6a753cf0..94d1519031 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -1,6 +1,6 @@ --- title: Protect security settings with tamper protection -ms.reviewer: +ms.reviewer: shwjha manager: dansimp description: Use tamper protection to prevent malicious apps from changing important security settings. keywords: malware, defender, antivirus, tamper protection @@ -14,7 +14,7 @@ audience: ITPro author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 08/31/2020 +ms.date: 10/08/2020 --- # Protect security settings with tamper protection From 9b2031bf49407b4dc2dc365557fb6b7acfbd9fec Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 8 Oct 2020 13:01:33 -0700 Subject: [PATCH 2/9] Update prevent-changes-to-security-settings-with-tamper-protection.md --- ...ecurity-settings-with-tamper-protection.md | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 94d1519031..d2ed2e7ca4 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -25,6 +25,7 @@ ms.date: 10/08/2020 **Applies to:** - Windows 10 +- Windows Server 2019 ## Overview @@ -41,7 +42,7 @@ With tamper protection, malicious apps are prevented from taking actions such as ### How it works - Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as: +Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as: - Configuring settings in Registry Editor on your Windows machine - Changing settings through PowerShell cmdlets @@ -125,6 +126,25 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release 3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.) +## Manage tamper protection with Configuration Manager, version 2006 + +> [!IMPORTANT] +> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Otherwise, tamper protection is supported on Windows 10 only. + +If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 using tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. + +1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions). + +2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**. + +3. Configure tamper protection as part of the new policy. + +4. Deploy the policy to your device collection. + +Need help? See the following resources: + +- + ## View information about tampering attempts Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats. From bf6305fe8d3e0b33cf35e0d5ba30cc58ea59f5d4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 8 Oct 2020 13:07:20 -0700 Subject: [PATCH 3/9] Update prevent-changes-to-security-settings-with-tamper-protection.md --- ...t-changes-to-security-settings-with-tamper-protection.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index d2ed2e7ca4..190da47cf3 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -143,7 +143,11 @@ If you're using [version 2006 of Configuration Manager](https://docs.microsoft.c Need help? See the following resources: -- +- [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin) + +- [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy) + +- [Antivirus policy for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy) ## View information about tampering attempts From 4299c090623706a320c5185b5c4b3caca0eed240 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 8 Oct 2020 13:27:46 -0700 Subject: [PATCH 4/9] Update prevent-changes-to-security-settings-with-tamper-protection.md --- ...nt-changes-to-security-settings-with-tamper-protection.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 190da47cf3..3ee78515ef 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -143,11 +143,14 @@ If you're using [version 2006 of Configuration Manager](https://docs.microsoft.c Need help? See the following resources: +- [Antivirus policy for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy) + +- [Settings for the Windows Security experience profile in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/antivirus-security-experience-windows-settings) + - [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin) - [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy) -- [Antivirus policy for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy) ## View information about tampering attempts From 5f0dbed362be305a5b1bfe2b09c990542bef6f7f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 8 Oct 2020 13:32:40 -0700 Subject: [PATCH 5/9] Update prevent-changes-to-security-settings-with-tamper-protection.md --- ...nt-changes-to-security-settings-with-tamper-protection.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 3ee78515ef..0567d06391 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -25,7 +25,7 @@ ms.date: 10/08/2020 **Applies to:** - Windows 10 -- Windows Server 2019 +- Windows Server 2019 (if using tenant attach with [Configuation Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)) ## Overview @@ -55,6 +55,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And, 1. Turn tamper protection on
- [For an individual machine, use Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine). - [For your organization, use Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune). + - [Use tenant attach with Configuration Manager, version 2006, for devices running Windows 10 or Windows Server 2019](#manage-tamper-protection-with-configuration-manager-version-2006) 2. [View information about tampering attempts](#view-information-about-tampering-attempts). @@ -129,7 +130,7 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release ## Manage tamper protection with Configuration Manager, version 2006 > [!IMPORTANT] -> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Otherwise, tamper protection is supported on Windows 10 only. +> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure. If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 using tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. From 1aa42c42ad086c96e0d10e3805a0b9ff70433adb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 8 Oct 2020 13:37:12 -0700 Subject: [PATCH 6/9] Update prevent-changes-to-security-settings-with-tamper-protection.md --- ...event-changes-to-security-settings-with-tamper-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 0567d06391..6c6e149977 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -123,7 +123,7 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release 1. Open the Windows PowerShell app. -2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) PowerShell cmdlet. +2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) PowerShell cmdlet. 3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.) From 84bc28dfc12ff2f95c2f63d80f2c03f522b1669b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 8 Oct 2020 14:01:43 -0700 Subject: [PATCH 7/9] Update prevent-changes-to-security-settings-with-tamper-protection.md --- ...security-settings-with-tamper-protection.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 6c6e149977..efae8a1640 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -181,9 +181,7 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -### Is configuring tamper protection in Intune supported on servers? - -No +If you are using Configuration Manager, version 2006 with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy) ### Will tamper protection have any impact on third party antivirus registration? @@ -197,7 +195,11 @@ Tamper protection will not have any impact on such devices. If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine). -If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune). +If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article: + +- [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune) + +- [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006) ### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy? @@ -220,7 +222,7 @@ Configuring tamper protection in Intune can be targeted to your entire organizat ### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager? -Currently we do not have support to manage Tamper Protection through Microsoft Endpoint Configuration Manager. +If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006) and [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin). ### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune? @@ -248,11 +250,7 @@ In addition, your security operations team can use hunting queries, such as the [View information about tampering attempts](#view-information-about-tampering-attempts). -### Will there be a group policy setting for tamper protection? - -No. - -## Related articles +## See also [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) From 6f43aad10b51a41854b81bd16822290a59d5ba54 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 8 Oct 2020 14:05:22 -0700 Subject: [PATCH 8/9] Update prevent-changes-to-security-settings-with-tamper-protection.md --- ...event-changes-to-security-settings-with-tamper-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index efae8a1640..c9adfbfd6a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -181,7 +181,7 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -If you are using Configuration Manager, version 2006 with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy) +If you are using Configuration Manager, version 2006 with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy). ### Will tamper protection have any impact on third party antivirus registration? From 0d2f73a6ddf50632e91293026019bed1d72a87fd Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 8 Oct 2020 16:23:25 -0700 Subject: [PATCH 9/9] Acrolinx: "Configuation" --- ...event-changes-to-security-settings-with-tamper-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index c9adfbfd6a..c49d6a763f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -25,7 +25,7 @@ ms.date: 10/08/2020 **Applies to:** - Windows 10 -- Windows Server 2019 (if using tenant attach with [Configuation Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)) +- Windows Server 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)) ## Overview