Enable or disable Tamper Protection using Intune, REGEDIT, UI
Windows Security Team has rolled out Tamper Protection for all Windows users. In this post, we will share how you can enable or disable Tamper Protection in Windows Security or Windows Defender via the UI, the Registry or Intune. While you can turn it off, we highly recommend you keep it enabled at all times, for your own protection.
What is Tamper Protection in Windows 11/10
In simple English, it makes sure nobody can tamper with the protection system, i.e. Windows Security. The built-in software is good enough to handle most security threats, including ransomware. But if it is turned off by third-party software or by malware that sneaks in, you can get into trouble.
The Tamper Protection feature in Windows Security prevents malicious apps from changing relevant Windows Defender Antivirus settings. Features such as real-time protection and cloud protection are essential to keep you safe from emerging threats. Tamper Protection also ensures that nobody can change or modify these settings via the Registry or Group Policy.
Here is what Microsoft says about it:
- To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to Windows Security and update security intelligence to version 1.287.60.0 or later. Once you’ve made this update, Tamper Protection will continue to protect your registry settings and will log attempts to modify them without returning errors.
- If the Tamper Protection setting is On, you won’t be able to turn off the Windows Defender Antivirus service by using the DisableAntiSpyware group policy key.
Tamper Protection is enabled by default for Home users. Keeping Tamper Protection On doesn’t mean that you cannot install third-party antivirus. It only means no other software can change the settings of Windows Security. Third-party antivirus will continue to register with the Windows Security application.
Disable Tamper Protection in Windows Security
While third parties are blocked from making any changes, you as an administrator can still make them. Even though you can, we highly recommend keeping it enabled at all times. You can configure it in three ways:
- Windows Security UI
- Registry changes
- Intune, i.e. the Microsoft 365 Device Management portal
There is no Group Policy Object to change this setting.
1] Using Windows Security UI to disable or enable Tamper Protection
- Click on the Start button and, from the app list, locate Windows Security. Click to launch it.
- Switch to Virus and Threat protection > Manage Settings.
- Scroll a bit to find Tamper Protection. Make sure it is toggled On.
- If there is a particular need, you may turn it off, but make sure to turn it on again when work is done.
2] Registry changes to disable or enable Tamper protection
- Open Registry Editor by typing Regedit in the Run prompt and pressing Enter.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
- Double-click the DWORD TamperProtection to edit its value.
- Set it to 0 to disable Tamper Protection or to 5 to enable Tamper Protection.
3] Turn Tamper Protection on or off for your organization using Intune
If you are part of your organization's security team, you can turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune), assuming your organization has Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Apart from having the appropriate permissions, you need the following:
- Your organization must have Microsoft Defender ATP E5, with devices managed by Intune and running Windows OS 1903 or later.
- Windows Security with security intelligence updated to version 1.287.60.0 (or later).
- Your machines must be using anti-malware platform version 4.18.1906.3 (or later) and anti-malware engine version 1.1.15500.X (or later).
Now follow the steps to enable or disable Tamper Protection:
- Go to the Microsoft 365 Device Management portal and sign in with your work or school account.
- Select Device configuration > Profiles.
- Create a profile that includes the following settings:
  - Platform: Windows 10 and later
  - Profile type: Endpoint protection
  - Settings > Windows Defender Security Center > Tamper Protection, configured to On or Off
- Assign the profile to one or more groups.
If you do not see this option right away, it is still being rolled out.
Whenever a change occurs, an alert is displayed in the Security Center. The security team can filter the logs with the following query:
AlertEvents | where Title == "Tamper Protection bypass"
No Group Policy Object for Tamper Protection
Lastly, there is no Group Policy available to manage multiple computers. A note by Microsoft clearly says:
Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
You can use the Registry method for multiple computers by remotely connecting to each computer and deploying the change. Once done, this is how it will look in users' individual settings:
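As an added example that is not part of the original post, the PowerShell below turns the remote registry approach described here, and the TamperProtection value from the Registry section above, into a read-only audit across several machines: it reads the DWORD the post names (5 = enabled, 0 = disabled, as the post states), cross-checks it against what Defender itself reports, and flags any host where the two disagree or where the setting is not enabled. It assumes WinRM is enabled on the targets, that you run it from an elevated session with administrative rights on them, and that Get-MpComputerStatus exposes the IsTamperProtected property (available on the platform versions the post lists); the computer names are placeholders.

```powershell
# Added example, not from the original post: audit Tamper Protection state on one or
# more computers by reading the registry value described in the post and comparing it
# with Defender's own status report. Read-only; nothing is changed on the targets.

$Computers = @('PC-01', 'PC-02')   # placeholder host names; replace with your own

# Path and value name exactly as given in the post.
$RegPath  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
$RegValue = 'TamperProtection'

$Audit = {
    param($RegPath, $RegValue)

    $raw = (Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction SilentlyContinue).$RegValue

    # Mapping per the post: 5 enables Tamper Protection, 0 disables it.
    if ($null -eq $raw)   { $state = 'ValueMissing' }
    elseif ($raw -eq 5)   { $state = 'Enabled' }
    elseif ($raw -eq 0)   { $state = 'Disabled' }
    else                  { $state = "Unknown($raw)" }

    # Cross-check with Defender's own report. IsTamperProtected is assumed to be
    # present on platform versions that ship Tamper Protection.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        RegistryValue      = $raw
        RegistryState      = $state
        IsTamperProtected  = [bool]$status.IsTamperProtected
        RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        # Drift: registry says one thing, Defender reports another.
        Drift              = (($state -eq 'Enabled') -ne [bool]$status.IsTamperProtected)
    }
}

$results = Invoke-Command -ComputerName $Computers -ScriptBlock $Audit `
                          -ArgumentList $RegPath, $RegValue -ErrorAction Continue

$results |
    Sort-Object Computer |
    Format-Table Computer, RegistryValue, RegistryState, IsTamperProtected, RealTimeProtection, Drift -AutoSize

# Hosts that are not enabled, or where registry and Defender disagree, deserve a look:
# the post notes that only an administrator should be able to change this setting.
$results |
    Where-Object { $_.Drift -or $_.RegistryState -ne 'Enabled' } |
    ForEach-Object { Write-Warning "$($_.Computer): Tamper Protection state is $($_.RegistryState) (Defender reports IsTamperProtected=$($_.IsTamperProtected))" }
```

Reading the value rather than writing it keeps the script useful even where Tamper Protection blocks changes silently, which the Microsoft note quoted earlier says it will do after the 1.287.60.0 security intelligence update; the Drift column is the quick way to spot a machine whose registry looks right but whose protection is not actually on.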
We hope the steps were easy to follow, and you were able to enable or disable Tamper Protection as per your requirement.