TAMPER PROTECTION BACKGROUND:
The first thing most malware tries to do is disable your antivirus, so Microsoft has introduced a new feature called TAMPER PROTECTION that blocks all methods of disabling Windows Defender Antivirus except through the Windows Security Console GUI or Microsoft’s Intune cloud service.
Specifically, if Tamper Protection is enabled it cannot be disabled via:
- command line script
- Group Policy – this may change in the future
- System Center Endpoint Protection (SCCM) – this may change in the future
- manually changing the registry
An important note is that:
“…Tamper Protection doesn’t affect how third-party antivirus apps work or how they register with Windows Security.” SOURCE
TAMPER PROTECTION REGISTRY ENTRIES:
Once Windows Defender Tamper Protection is enabled you cannot change it using the registry, even if you take ownership of the relevant key. However, you can use the registry to turn it on and to find out whether Tamper Protection is on:
HKLM\SOFTWARE\Microsoft\Windows Defender\Features
- TamperProtection = 0 – Off – applies to Windows Home & Pro
- TamperProtection = 1 – On – applies to Windows Home & Pro
- TamperProtection = 2 – Disabled – applies to Windows Enterprise & Education
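As an added example (not code from the original post), the following read-only PowerShell audit reads the Features\TamperProtection value, maps it using the table above, and compares it with Defender's own status. It assumes Get-MpComputerStatus exposes the IsTamperProtected property and maps only the common desktop edition SKU ids; it changes nothing on the machine.

```powershell
# Added example: audit Tamper Protection state using the registry values listed in the post
# (0 = off, 1 = on, 2 = disabled on Enterprise/Education). Read-only; nothing is modified.
function Get-TamperProtectionAudit {
    [CmdletBinding()]
    param()

    $keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $raw = (Get-ItemProperty -Path $keyPath -Name 'TamperProtection' -ErrorAction SilentlyContinue).TamperProtection

    # Mapping taken from the post; any other value is reported as unknown.
    if ($null -eq $raw) {
        $state = 'Value not present'
    } else {
        $state = switch ($raw) {
            0       { 'Off' }
            1       { 'On' }
            2       { 'Disabled (Enterprise/Education; expects Intune + Defender ATP management)' }
            default { "Unknown ($raw)" }
        }
    }

    # OperatingSystemSKU ids come from Win32_OperatingSystem; assumption: only the common
    # desktop editions are mapped here, anything else is shown as the raw number.
    $sku = (Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU
    $edition = switch ($sku) {
        4       { 'Enterprise' }
        48      { 'Professional' }
        101     { 'Home' }
        121     { 'Education' }
        default { "SKU $sku" }
    }
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # Defender's own view of the setting, for comparison with the registry value.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    $finding = if ($raw -eq 2 -and $domainJoined) {
        'Expected for a managed Enterprise/Education SKU: enable via Intune (per the post, Aug 2019).'
    } elseif ($raw -eq 0) {
        'Tamper Protection is off: turn it on from Windows Security or Intune.'
    } else {
        'No action indicated by the registry value.'
    }

    [pscustomobject]@{
        Edition                   = $edition
        DomainJoined              = $domainJoined
        RegistryValue             = $raw
        RegistryState             = $state
        DefenderIsTamperProtected = $mp.IsTamperProtected
        Finding                   = $finding
    }
}

Get-TamperProtectionAudit | Format-List
```

A mismatch between RegistryState and DefenderIsTamperProtected is worth investigating, since the post notes the GUI can show the feature as enabled while the registry reports it killbitted.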
TAMPER PROTECTION DOES NOT APPEAR IN WINDOWS ENTERPRISE
I found that the registry showed TamperProtection = 2, which was not one of the options I was aware of. Even more odd was that I could find TAMPER PROTECTION in the START search, but it took me to the Security Center without Tamper Protection options. That was quite unexpected.
After goofing with this for a few hours, I called Microsoft Partner Technical Support and within a day had a fantastic response from the tech:
“…On Enterprise SKU the feature is disabled by default and is expected to be managed by GPO, SCCM, and Intune etc. However, GPO and SCCM functionality has not been enabled as of yet, and only Intune works. It also must be a machine onboarded by Defender ATP, so it needs Intune, WDATP, and be an enterprise SKU to use with an E5 license if you wish to preview it.
Without all 3, you cannot even turn it on yet on the Enterprise SKU if the client is managed.
Managed is defined as being a part of a domain. I’m told that you can enable tamper protection on an Enterprise SKU if it is not domain joined, but this functionality may be broken as of now (August 2019), but they are expecting it to work that way in the end. We have raised the concern with our developer teams and also about the whole interface confusion, and they will take appropriate steps to correct this so it’s not so confusing.
0x2 in the registry means that the SKU is Killbitted, meaning it is NOT enabled. Even though you may have enabled it in the GUI initially, it’s still not enabled. Once it is set to 0x2 it cannot be changed until the conditions above with all 3 items are met…”