Microsoft Defender

Microsoft says Tamper Protection will soon be enabled by default for all enterprise customers in Microsoft Defender for Endpoint (MDE) for better defense against ransomware attacks.

The company added this feature to its enterprise endpoint security platform in March 2019 to block changes to key security features and prevent attackers or malicious tools from disabling antimalware or removing security updates.

Once enabled, it locks Microsoft Defender Antivirus to secure defaults and prevents any changes to security settings.

It does this by preventing other apps from changing real-time and cloud protection settings, behavior monitoring, and Defender components like IOfficeAntivirus (IOAV), which handles the detection of suspicious files downloaded from the Internet.

Until now, tamper protection was enabled by default in Microsoft Defender after installing Windows for home users.

However, it was only available as an optional MDE feature for enterprise customers that could only be enabled using the Intune management console (local administrators were not allowed to enable it).

“Since last year, to better protect our customers against ransomware attacks, we have enabled Tamper Protection by default for all new customers with Defender for Endpoint Plan 2 or Microsoft 365 E5 licenses,” said Josh Bregman, senior product manager at Microsoft.

“To better protect our customers, we are announcing that Tamper Protection will be enabled for all existing customers unless it has been explicitly disabled in the Microsoft 365 Defender Portal.”

Microsoft Defender for Endpoint Tamper Protection enabled by default (Microsoft)

Customers who have not yet configured tamper protection in their environment will soon receive notifications that the feature will be enabled in 30 days.

For example, public preview customers will receive an alert on September 21, 2022 that Tamper Protection will be enabled a month later on October 24, 2022.

“We recommend that you enable tamper protection and keep it enabled across your organization,” Bregman said.

However, he added, “if you prefer not to have tamper protection automatically enabled for your tenant, you can explicitly opt out.”

To manually disable tamper protection:

  1. Go to security.microsoft.com and sign in.
  2. Go to Settings > Endpoints > Advanced Features.
  3. Enable tamper protection by selecting its toggle.
  4. Select Save preferences.
  5. Disable tamper protection by selecting its toggle.
  6. Select Save preferences.

Admins can also exclude certain devices from tamper protection if there are app compatibility issues by creating a profile in Microsoft Endpoint Manager or by using security management for Defender for Endpoint.
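
As an added example (not from Microsoft or the original article), the following PowerShell check can be run on an endpoint to confirm that tamper protection is in effect after the default rollout, an opt-out, or a device exclusion, together with the protections the article says it locks. The function name `Get-TamperProtectionAudit` is hypothetical; it relies on the built-in `Get-MpComputerStatus` and `Get-MpPreference` cmdlets.

```powershell
# Added example: audit local Microsoft Defender Antivirus state.
# Get-TamperProtectionAudit is a hypothetical helper name, not a Microsoft cmdlet.
function Get-TamperProtectionAudit {
    [CmdletBinding()]
    param()

    # Built-in Defender cmdlets; both throw if the Defender module or service is unavailable.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $prefs  = Get-MpPreference -ErrorAction Stop

    # Settings the article lists as locked by tamper protection.
    # MAPSReporting: 0 = cloud protection disabled, 1 or 2 = enabled.
    $checks = [ordered]@{
        TamperProtection   = [bool]$status.IsTamperProtected
        RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        BehaviorMonitoring = [bool]$status.BehaviorMonitorEnabled
        IOAVProtection     = [bool]$status.IoavProtectionEnabled
        CloudProtection    = ([int]$prefs.MAPSReporting -ne 0)
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Setting  = $name
            Enabled  = $checks[$name]
            # Where the tamper protection state is managed from, as reported by Defender.
            Source   = $status.TamperProtectionSource
        }
    }
}

$results = Get-TamperProtectionAudit
$results | Format-Table -AutoSize

# A non-zero exit code lets a management tool or scheduled task flag the device.
$disabled = @($results | Where-Object { -not $_.Enabled })
if ($disabled.Count -gt 0) {
    Write-Warning ("Disabled protections: " + ($disabled.Setting -join ', '))
    exit 1
}
```

A device that was deliberately excluded or opted out will report `TamperProtection` as disabled, so compare the output against the list of intended exceptions rather than treating every warning as tampering.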
