Enable Tamper Protection for Windows Servers
If you want to enable Tamper Protection for Windows Servers, there are two basic options – using the Microsoft 365 Defender portal or using ConfigMgr via Tenant Attach. Both of these options require that devices be onboarded to Defender for Endpoint. Let’s see how we can configure it!
Microsoft 365 Defender portal
If you want to enable Tamper Protection across the board, the Microsoft 365 Defender portal is the way to do it. You might even already have it enabled, and just didn’t know! Go to security.microsoft.com > Settings > Endpoints > Advanced features > Tamper protection:
In my tenant, this was the default setting, making Tamper Protection enabled for any onboarded device. To verify that it’s actually turned on, run the Get-MpComputerStatus command and look for the value in IsTamperProtected:
Tenant Attach
Tenant Attach is a feature of Configuration Manager that allows Microsoft Endpoint Manager to view details and configure policy for ConfigMgr managed devices. That is a mouthful but here’s what you need to know – tenant attach is easy to enable, and lets you use the MEM console for added functionality. Your on-prem servers aren’t aware of MEM at all – MEM is purely communicating with the ConfigMgr site server and leveraging it for policy and reporting. Super cool!
If you haven’t enabled Tenant Attach, it’s very easy. You just need to select the Upload to Microsoft Endpoint Manager admin center option in Cloud Attach settings (previously co-management). This is in ConfigMgr > Administration > Overview > Cloud Services > Cloud Attach > Configure Cloud Attach or Properties.
In my tenant, I’ve selected to upload all devices to MEM. Once synced, in MEM you will see devices Managed by ConfigMgr, and when you look at one of the devices you will see a list of additional monitored properties:
Just be sure that the account you’re using to log into the MEM portal has permissions on the ConfigMgr site server!
One last thing we need, specifically for Endpoint Protection profiles, is to enable the Cloud Sync setting for the collection we want to target in ConfigMgr. In ConfigMgr > Assets and Compliance > Overview > Device Collections, open the properties of the collection you want to target.
In the Cloud Sync tab, select the Make this collection available to assign Endpoint security policies from Microsoft Endpoint Manager admin center option:
With tenant attach enabled and a collection made available in Cloud Sync, all we need to do is deploy a policy whose profile type carries the (ConfigMgr) suffix (in this case, a Windows Security experience profile). In MEM > Endpoint security > Antivirus > + Create Policy > Windows 10, Windows 11, and Windows Server (ConfigMgr):
Then in the profile, all we need to do is configure Enable tamper protection to prevent Microsoft Defender being disabled to Enabled:
Under assignments, you’ll see that now we need to select a ConfigMgr collection rather than an AAD group. Here we’ll select the collection we previously set for Cloud Sync:
Then click Next and Create!
Just like before, we’ll run the Get-MpComputerStatus command on a server in the targeted collection to verify Tamper Protection is enabled:
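The two verification steps above (running Get-MpComputerStatus after the portal setting, and again after the tenant-attach policy lands) both come down to reading IsTamperProtected. The script below is an added example, not part of the original post, that runs that same check across a list of servers and also reports the cloud-delivered protection state (MAPSReporting from Get-MpPreference), since the Final thoughts section notes that the portal route depends on cloud-delivered protection being enabled. It assumes PowerShell Remoting (WinRM) is enabled on the targets, that the Defender module is present on each server, that the $Servers list is a placeholder you replace with your own hostnames, and that the TamperProtectionSource property may be absent on older Defender builds (it is read defensively and shows as empty in that case).

```powershell
# Added example (not from the original post): audit Tamper Protection and the
# cloud-delivered protection prerequisite on one or more onboarded servers.
# Assumptions: WinRM is enabled on each target, the Defender module is present,
# and $Servers is a constructed placeholder list to be replaced with real names.

$Servers = @('localhost')   # placeholder; e.g. @('SRV-APP01', 'SRV-DB01')

# Script block executed on each server. Returns one object per machine.
$check = {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # MAPSReporting is the cloud-delivered protection setting:
    # 0 = Disabled (portal route will not apply), 1 = Basic, 2 = Advanced
    $cloudMap = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
    $cloud = $cloudMap[[int]$pref.MAPSReporting]
    if (-not $cloud) { $cloud = 'Unknown' }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        IsTamperProtected      = $status.IsTamperProtected
        # Present only on newer Defender builds; $null (empty) otherwise
        TamperProtectionSource = $status.TamperProtectionSource
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        CloudDeliveredProtect  = $cloud
        Error                  = $null
    }
}

$results = foreach ($server in $Servers) {
    try {
        if ($server -eq 'localhost' -or $server -eq $env:COMPUTERNAME) {
            & $check
        }
        else {
            Invoke-Command -ComputerName $server -ScriptBlock $check -ErrorAction Stop
        }
    }
    catch {
        # Keep unreachable servers in the report rather than silently dropping them
        [pscustomobject]@{
            Computer               = $server
            IsTamperProtected      = $null
            TamperProtectionSource = $null
            RealTimeProtection     = $null
            CloudDeliveredProtect  = $null
            Error                  = $_.Exception.Message
        }
    }
}

$results |
    Select-Object Computer, IsTamperProtected, TamperProtectionSource,
                  RealTimeProtection, CloudDeliveredProtect, Error |
    Format-Table -AutoSize

# Anything not reporting True is a gap worth following up on: either the policy
# has not applied yet, the device is not onboarded, or the server was unreachable.
$gaps = $results | Where-Object { $_.IsTamperProtected -ne $true }
if ($gaps) {
    Write-Warning ("Tamper Protection not confirmed on: " + (($gaps.Computer) -join ', '))
}
```

Run it from a host that has permission to remote into the servers in the targeted collection. Servers that show CloudDeliveredProtect as Disabled but IsTamperProtected as True are exactly the case the post describes: the tenant-attach policy has done the work that the portal setting could not.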
Looking good!
Final thoughts
Really, the main goal of this article is showing how easy it can be to enable Tamper Protection for Windows Servers via tenant attach. You should be using the M365 Defender portal, but that has a requirement for cloud-delivered protection to be enabled, and your Windows Servers may have that setting disabled. In that case – tenant attach comes to the rescue!
Curious about other endpoint security settings we can manage via Tenant Attach? Or have any questions? Let me know below!
Happy securing 🔐