Win10-Initial-Setup-Script

Defender tamper protection

Open Disassembler0 opened this issue 5 years ago • 1 comments

1903 added the Tamper Protection feature to Windows Defender. This basically blocks all attempts to modify the Defender-related registry, unless you're doing it as the TrustedInstaller user.

By default, the protection seems to be disabled, but it nags with a warning. The scope of this issue is either:

  • Find how to disable the warning (preferred)

or

  • Enable tamper protection but find how to do the modifications in other Defender-related tweaks, either via the Set-MpPreference cmdlet or directly as TrustedInstaller (this theoretically should not be possible, but where there's a will, there's a way)

There is a related setting under HKLM:\SOFTWARE\Microsoft\Windows Defender\Features, but manually dismissing the warning doesn't seem to change anything anywhere in the registry, so there may be something else in the SQLite databases under C:\ProgramData\Microsoft\Windows Defender.

Disassembler0, May 25 '19 16:05

Perhaps the TamperProtection key in HKLM\SOFTWARE\Microsoft\Windows Defender\Features might be something that is only honored during the initial install of the OS, similar to the ShippedWithReserves key for the Reserved Storage feature?

Copy-link, Oct 16 '19 20:10
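
A read-only way to compare the registry value discussed in this thread with the state Defender itself reports, as an added example that is not part of the original issue or the project's script. The function name Get-TamperProtectionState is hypothetical, and the IsTamperProtected and TamperProtectionSource properties of Get-MpComputerStatus are assumed to exist on the build being checked (the code tolerates their absence).

```powershell
# Added example (read-only): report Defender Tamper Protection state from two sources.
# Nothing here writes to the registry or changes any Defender preference.
function Get-TamperProtectionState {
    [CmdletBinding()]
    param(
        # Registry path quoted in the issue above.
        [string]$FeaturesKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    )

    # Raw registry value, reported as-is; stays $null when the key or value is absent.
    $raw = $null
    try {
        $raw = Get-ItemPropertyValue -Path $FeaturesKey -Name 'TamperProtection' -ErrorAction Stop
    } catch {
        Write-Verbose "TamperProtection value not readable: $($_.Exception.Message)"
    }

    # Effective state as reported by the Defender module.
    # Assumption: these properties exist on 1903+; older builds leave them $null.
    $effective = $null
    $source = $null
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        if ($status.PSObject.Properties['IsTamperProtected']) {
            $effective = [bool]$status.IsTamperProtected
        }
        if ($status.PSObject.Properties['TamperProtectionSource']) {
            $source = $status.TamperProtectionSource
        }
    } catch {
        Write-Verbose "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    # One record per host, suitable for Export-Csv or comparison against a saved baseline.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RegistryValue     = $raw
        IsTamperProtected = $effective
        Source            = $source
        CheckedAt         = (Get-Date).ToString('s')
    }
}

Get-TamperProtectionState -Verbose | Format-List
```

Recording the output before and after toggling the setting in Windows Security shows whether the registry value tracks the effective state on a given build.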