This new feature works by blocking malware from disabling Microsoft Defender (formerly Windows Defender) features behind the user's back.
According to Microsoft, with Tamper Protection, malicious apps won't be able to:
Disable virus and threat protection
Disable real-time protection
Turn off behavior monitoring
Disable Defender's antivirus components (such as IOfficeAntivirus (IOAV))
Disable cloud-delivered protection
Remove security intelligence updates
Microsoft says that Tamper Protection "essentially locks Microsoft Defender" and prevents security settings from being changed through third-party apps and methods like:
Configuring settings in Registry Editor on a Windows machine
Changing settings through PowerShell cmdlets
Editing or removing security settings through group policies
The feature will be available both for the free version of Microsoft Defender (the one that ships with all modern Windows OS versions) and for Microsoft Defender Advanced Threat Protection (ATP) (the commercial version, primarily employed on enterprise networks).
Work on Tamper Protection began in December 2018, when it was first rolled out to Windows Insider previews. In March this year, Microsoft rolled out Tamper Protection to Microsoft Defender ATP versions for more tests.
Starting today, the feature will be available for all Microsoft Defender users. Microsoft told ZDNet in a phone call last week that the feature will be enabled by default for all users in the coming weeks, in a multi-stage rollout.
If users don't want to wait, Microsoft said they can also enable Tamper Protection right now.
A new option has been added to the Windows Security options page to control Tamper Protection's state. To enable or disable Tamper Protection, the steps are:
Click Start, and start typing Defender. In the search results, select Windows Security.
But Microsoft emphasizes that Tamper Protection was specifically built for enterprise environments, where the protection level it provides is far superior to what a home user gets.
Here, when a system administrator enables the feature for a company's workstations, Tamper Protection locks out malware and end-users alike. Once enabled, only administrators will be able to change Defender settings across a company's computers.
The only catch is that administrators must use Microsoft Intune to manage their workstation fleet.
"When an administrator enables the policy in Microsoft Intune, the tamper protection policy is digitally signed in the backend before it's sent to endpoints," Microsoft says.
"The endpoint verifies the validity and intent, establishing that it is a signed package that only security operations personnel with Microsoft Intune admin rights can control."
In enterprise setups, when malware or users try to modify Defender features, an alert is raised in Microsoft Defender ATP's Security Center, which administrators can investigate further.
Tamper Protection is only available for Windows 10 1903 May release or later. Microsoft said it will work to port the feature to older versions.
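To confirm from PowerShell that Tamper Protection and the Defender features listed above are active on an endpoint, the following added example (not code from Microsoft or from this article) reads Get-MpComputerStatus and Get-MpPreference and reports each setting. The function name, the three-day signature-age threshold and the sample objects are assumptions made for illustration.

```powershell
# Added example: audit the Defender settings that Tamper Protection guards.
function Test-DefenderProtectionState {
    param(
        # Default to the live endpoint; pass constructed objects to run offline.
        $Status     = (Get-MpComputerStatus),
        $Preference = (Get-MpPreference),
        [int] $MaxSignatureAgeDays = 3   # assumed threshold, adjust to policy
    )

    # Display name -> boolean property on the Get-MpComputerStatus object.
    $checks = [ordered]@{
        'Tamper Protection'    = 'IsTamperProtected'
        'Antivirus'            = 'AntivirusEnabled'
        'Real-time protection' = 'RealTimeProtectionEnabled'
        'Behavior monitoring'  = 'BehaviorMonitorEnabled'
        'IOAV protection'      = 'IoavProtectionEnabled'
    }

    foreach ($name in $checks.Keys) {
        # A missing property (for example, a build without the feature) is
        # reported as Unknown rather than silently treated as disabled.
        $prop  = $Status.PSObject.Properties[$checks[$name]]
        $state = if ($null -eq $prop) { 'Unknown' } elseif ($prop.Value) { 'OK' } else { 'Fail' }
        [pscustomobject]@{ Setting = $name; State = $state }
    }

    # Cloud-delivered protection: MAPSReporting 0 means disabled.
    $maps  = $Preference.MAPSReporting
    $state = if ($null -eq $maps) { 'Unknown' } elseif ($maps -ne 0) { 'OK' } else { 'Fail' }
    [pscustomobject]@{ Setting = 'Cloud-delivered protection'; State = $state }

    # Security intelligence updates: flag definitions older than the threshold.
    $age   = $Status.AntivirusSignatureAge
    $state = if ($null -eq $age) { 'Unknown' } elseif ($age -le $MaxSignatureAgeDays) { 'OK' } else { 'Fail' }
    [pscustomobject]@{ Setting = 'Security intelligence age'; State = $state }
}

# Constructed sample input (not captured from a real machine): real-time
# protection is off and the IsTamperProtected property is absent.
$sampleStatus = [pscustomobject]@{
    AntivirusEnabled          = $true
    RealTimeProtectionEnabled = $false
    BehaviorMonitorEnabled    = $true
    IoavProtectionEnabled     = $true
    AntivirusSignatureAge     = 1
}
$samplePreference = [pscustomobject]@{ MAPSReporting = 2 }

Test-DefenderProtectionState -Status $sampleStatus -Preference $samplePreference |
    Format-Table -AutoSize
```

Calling the function with no arguments on a Windows machine with the Defender module queries the live endpoint instead of the sample objects.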