Programmatically disable Tamper Protection


New Member
Maybe someone here has figured this out. Is there a way to disable Tamper Protect in the image so I don't have to log into every system to manually disable it? Moving from 1809 to 21H2 has been a whole lotta "no fun".
Integrate this reg file into install.wim:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]

You can reg import the same file on existing systems, and reboot.
Last edited:
Actually tamper protecion is 4 when its disabled and 5 when enabled. what is 0 for?

also I think it can't be changed on live system and any change at iso level is reverted on first logon.
We've discussed this before:

Windows defaults to 0 or 1, but if you have Cloud Protection present it adds 4 to the value.
0 = Tamper Protection off, no Cloud Protection
1 = Tamper Protection on, no Cloud Protection
4 = Tamper Protection off, Cloud Protection off
5 = Tamper Protection on, Cloud Protection on

Why do you think it can't be changed live? It requires a reboot to take effect. While Tamper Protection is enabled, OTHER Defender settings cannot be modified -- which is why it's protecting those reg keys.
OK. I got part of this wrong, you can't make a registry change on a live system -- you're only allowed to change it from Security Center UI.
It works on a live system, if you managed to stop WinDefend service
NSudo (or similar tools) is required to overcome registry permissions