Defender tamper protection off on Windows Server

I am investigating a ticket that Virus & threat protection and App & browser control are now disabled on some servers in our network.

They want me to check why it happened and how to prevent this in the future. I tried to check in the event log / security whether there is event ID 1121, but unfortunately the log is too short and contains only the last 2 hours of events, so I didn't find anything.

My question is how these two controls can become deactivated: must it be some admin user who disables them via this control panel, or are there other things which can do it? I could enable them again just fine. There is no GPO controlling this. I was asked to check whether other servers are in the same situation, so I still have to do that. I found these commands that can show it:

Get-MpPreference | Select-Object PUAProtection
Get-MpComputerStatus | Select-Object IsTamperProtected

I will probably make an Ansible playbook to check the rest of our servers with those.

So far I have seen it on Windows Server 2022 only, so maybe something related to this version...

Vitas
Is there a GPO to force these controls on and prevent users from switching them in the Windows Security GUI? I didn't find it...
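
An added example, not part of the original thread: the two commands from the question extended into a fleet check over PowerShell remoting, which also reads the newest events 5001 (real-time protection disabled) and 5007 (configuration changed) from the Defender operational log. The server names are constructed placeholders, and WinRM access to each server is assumed.

```powershell
# Added example: inventory Microsoft Defender state across several servers.
# $Servers is a constructed placeholder list; replace it with your own inventory.
$Servers = @('SRV-EXAMPLE-01', 'SRV-EXAMPLE-02')

$probe = {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Defender keeps its own operational log, separate from the Security log.
    # 5001 = real-time protection disabled, 5007 = configuration changed.
    # Get-WinEvent returns the newest events first.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5001, 5007
    } -MaxEvents 5 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server             = $env:COMPUTERNAME
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        PUAProtection      = $pref.PUAProtection
        LastChangeEventId  = ($events | Select-Object -First 1).Id
        LastChangeTime     = ($events | Select-Object -First 1).TimeCreated
        Error              = $null
    }
}

$results = foreach ($server in $Servers) {
    try {
        Invoke-Command -ComputerName $server -ScriptBlock $probe -ErrorAction Stop
    } catch {
        # Keep unreachable servers in the report instead of dropping them silently.
        [pscustomobject]@{
            Server = $server; AntivirusEnabled = $null; RealTimeProtection = $null
            TamperProtected = $null; PUAProtection = $null
            LastChangeEventId = $null; LastChangeTime = $null
            Error = $_.Exception.Message
        }
    }
}

# List only the servers that need attention: unreachable, or a protection is off.
$results |
    Where-Object { $_.Error -or -not $_.RealTimeProtection -or -not $_.TamperProtected } |
    Select-Object Server, AntivirusEnabled, RealTimeProtection, TamperProtected,
                  PUAProtection, LastChangeEventId, LastChangeTime, Error |
    Format-Table -AutoSize
```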