Programmatically disable Tamper Protection

[hobart_symms]

Maybe someone here has figured this out. Is there a way to disable Tamper Protect in the image so I don't have to log into every system to manually disable it? Moving from 1809 to 21H2 has been a whole lotta "no fun".

 

[garlin]

Integrate this reg file into install.wim:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000

You can reg import the same file on existing systems, and reboot.

 

[crypticus]

Actually tamper protecion is 4 when its disabled and 5 when enabled. what is 0 for?

also I think it can't be changed on live system and any change at iso level is reverted on first logon.

 

[garlin]

We've discussed this before:
https://www.ntlite.com/community/in...-disabled-settings-bug-in-w11.2539/post-22153

Windows defaults to 0 or 1, but if you have Cloud Protection present it adds 4 to the value.
0 = Tamper Protection off, no Cloud Protection
1 = Tamper Protection on, no Cloud Protection
4 = Tamper Protection off, Cloud Protection off
5 = Tamper Protection on, Cloud Protection on

Why do you think it can't be changed live? It requires a reboot to take effect. While Tamper Protection is enabled, OTHER Defender settings cannot be modified -- which is why it's protecting those reg keys.

 

[garlin]

OK. I got part of this wrong, you can't make a registry change on a live system -- you're only allowed to change it from Security Center UI.

 

[abbodi86]

It works on a live system, if you managed to stop WinDefend service
NSudo (or similar tools) is required to overcome registry permissions