Microsoft Defender for Endpoint will enable tamper protection by default

Microsoft has announced that Microsoft Defender for Endpoint (MDE), the enterprise offering of its endpoint security platform, will enable tamper protection by default. This change will better protect Windows endpoints from ransomware attacks.

Tamper protection was first introduced to MDE back in March 2019 to restrict changes to security features or prevent malware from disabling the anti-malware protection Defender provides.

Tamper protection is also offered on Windows home users, and already has this capability enabled by default.

Josh Bregman, Principal Product Manager at Microsoft announced the change.

“Starting last year, to better protect our customers from ransomware attacks we turned on tamper protection by default for all new customers with Defender for Endpoint Plan 2 or Microsoft 365 E5 licenses.”

“To further protect our customers, we are announcing that tamper protection will be turned on for all existing customers, unless it has been explicitly turned off in the Microsoft 365 Defender portal.”

Researchers at Microsoft conclude that tamper protection should be enabled based on two key findings after ransomware forensic analysis:

Attackers are using a common set of tactics, techniques, and procedures (TTPs)
Defender for Endpoint could have helped more in preventing the attack if the controls that address those TTPs were configured.

If administrators do nothing, they will be notified that tamper protection will be automatically enabled within 30 days. However, Bregman states that customers who prefer to opt out of tamper protection can do so.

Tamper protection can be manually disabled by performing the following steps: