-## FAQ

-Have questions? For a FAQ to help address common questions, see [Basic Mobility and Security Frequently-asked questions (FAQ)](frequently-asked-questions.yml). Be aware that you cannot use a delegated administrator account to manage Basic Mobility and Security. For more info, see [Partners: Offer delegated administration](https://support.microsoft.com/office/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e).

-Organization settings only apply to newly-created Cloud PCs. When these settings are changed, they wonΓÇÖt change the OS or account type of existing Cloud PCs.

-Content search provides a way to query Microsoft Teams information spanning Exchange, SharePoint Online, and OneDrive for Business.

-To learn more, see [Content search in Microsoft 365](ediscovery-content-search.md).

-For example, using **Content search** against your Manufacturing Specs mailbox and Manufacturing Specs SharePoint site, you can search against Teams standard channel conversations from Exchange, file uploads and modifications from SharePoint Online, and OneNote changes.

-## Related topics

-To put a user or a team on legal hold in a eDiscovery (Standard) case:

-1. Go to the [Microsoft Purview compliance portal](https://compliance.microsoft.com). When you create a new case, you're presented with the option to place mailboxes or sites on hold.

-2. Go to **eDiscovery** > **Standard** and create a case by selecting **Create a case**. After the case is created, open it.

- > [!NOTE]

- > You can also place a user on a hold that's associated with an eDiscovery (Premium) case. For more information, see [Manage holds in eDiscovery (Premium)](ediscovery-managing-holds.md).

-3. Go to the **Hold** tab on the top menu and select **Create** to create a hold. Placing a user or a team on hold preserves all the messages exchanged by those users. When you create a new case, you're presented with the option to place mailboxes or sites on hold.

-4. **Name your hold**. Select a descriptive and unique name for the hold you're going to create.

-5. **Choose locations**. Choose whether you want the hold to be applied on a user or on an entire team (a hold can't be applied on individual channels for now). If a user is on hold, all their messages are preserved, including messages in 1:1 chats, group chats, and private channels. Messages in standard and shared channels are preserved when the parent team is placed on hold.

-6. **Query**. You can customize the hold if you want more granularity in the hold policy. For example, you can specify keywords to look for, or you can add more conditions that would need to be satisfied for the hold to take effect.

-7. **Review your settings** before creating the hold.

-After the hold is created, you can search the content retained by the hold policy. For more information, see [Conduct an eDiscovery investigation in Teams](ediscovery-teams-investigation.md).

-|Scenario |Content location |

-|||

-|Chat messages for a user (for example, 1:1 chats, 1:N group chats, and private channel conversations) |User mailbox |

-|Chat messages in standard and shared channels |Mailbox associated with the parent team |

-|Files in standard channels (for example, Wiki content and files) |SharePoint site associated with the parent team |

-|Files in private and shared channels |Dedicated SharePoint site associated with the channel

-|User's private content |The user's OneDrive for Business account |

-4. In **Platform**, select **Windows 10 and later**, and in **Profile**, select **Attack surface reduction rules**.

- :::image type="content" source="" alt-text="Configure windows defender smart screen Edge" lightbox="images/":::

-Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, cloud-delivered protection is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives.

-> [!TIP]

-> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus).

-We recommend using [Intune](/mem/intune/fundamentals/what-is-intune) to edit or set your cloud-delivered protection settings; however, you can use other methods, such as [Group Policy](/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-mde-post-migration.md).

-description: Frequently asked questions on configuring tamper protection.

-keywords: malware, defender, antivirus, tamper protection

-# Frequently asked questions on tamper protection

-**Applies to:**

-**Platforms**

-## On which versions of Windows can I configure tamper protection?

-

-If you're using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](/mem/configmgr/tenant-attach/deploy-antivirus-policy).

-## Is tamper protection available on Mac?

-Yes. See [Protect macOS security settings with tamper protection](tamperprotection-macos.md).

-## How do I turn tamper protection on or off?

-If you're an organization using [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint), you can choose from several options to manage tamper protection:

-> [!IMPORTANT]

-> If you're using Group Policy, keep in mind that any changes you make to tamper protected settings will be ignored. You can't use Group Policy to enable or disable tamper protection. Use Intune, the Microsoft 365 Defender portal, or Configuration Manager to manage tamper protection.

-For more information, see [How do I configure or manage tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md#how-do-i-configure-or-manage-tamper-protection)?

-## Tamper protection is preventing my security team from managing a device. What should we do?

-If tamper protection prevents your IT or security team from performing a necessary task on a device, consider using [troubleshooting mode](enable-troubleshooting-mode.md). We recommend keeping tamper protection turned on for your organization.

-## Can I change individual tamper-protected settings?

-If tamper protection is turned on for your organization, you won't be able to make changes to individual settings that are tamper protected.

-If you're using [Intune](manage-tamper-protection-intune.md) or [Configuration Manager](manage-tamper-protection-configuration-manager.md), you can exclude devices from tamper protection. And if you're using Intune, you can edit exclusions for Microsoft Defender Antivirus. See [Tamper protection for antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions).

-## Does tamper protection apply to Microsoft Defender Antivirus exclusions?

-New functionality is rolling out now to protect Microsoft Defender Antivirus exclusions on devices that are managed by Intune. Certain conditions must be met. See [Tamper protection for antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions).

-## How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus with Group Policy?

-If you're currently using Intune to configure and manage tamper protection, you should continue using Intune.

-When tamper protection is turned on, and you use Group Policy to make changes to Microsoft Defender Antivirus settings, any changes to settings that are tamper protected will be ignored. See [What happens when tamper protection is turned on](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on)?

-## If we use Microsoft Intune to configure tamper protection, does it apply only to the entire organization?

-If you're using Intune to configure and manage tamper protection, you can target your entire organization, or select specific devices and user groups.

-## What settings can't be changed when tamper protection is turned on?

-When tamper protection is turned on, tamper-protected settings can't be changed from their default value, even if you're using Intune or Configuration Manager to manage your security settings. Changes might appear to be successful in Intune or Configuration Manager, but won't actually be allowed by tamper protection. For a list of settings, see [What happens when tamper protection is turned on](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on)?

-## If tamper protection is turned on in Microsoft 365 Defender, can Intune override it?

-A tamper protection policy defined in Intune can override tamper protection that is turned on in the Microsoft 365 Defender portal. Policies defined in Intune take priority. Affected devices must be part of a device group that is included in the Intune policy.

-## How do I deploy DisableLocalAdminMerge?

-Use Intune to deploy [DisableLocalAdminMerge](/windows/client-management/mdm/defender-csp).

-## How can I confirm whether exclusions are tamper protected on a Windows device?

-See [How to determine whether antivirus exclusions are tamper protected on a Windows device](manage-tamper-protection-intune.md#how-to-determine-whether-antivirus-exclusions-are-tamper-protected-on-a-windows-device).

-## Can I configure tamper protection with Microsoft Configuration Manager?

-If you're using tenant attach, you can use Microsoft Configuration Manager. See the following resources:

-## Will tamper protection affect non-Microsoft antivirus registration in the Windows Security app?

-No. Non-Microsoft antivirus offerings will continue to register with the Windows Security application.

-## What happens if Microsoft Defender Antivirus isn't active on a device?

-Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. In these cases, tamper protection will continue to protect the service and its features.

-## What subscriptions include tamper protection?

-Tamper protection is included in the following subscriptions:

-If your subscription includes Intune, you can use Intune to configure tamper protection. You can also turn tamper protection on tenant-wide using the Microsoft 365 Defender portal. See [Use PowerShell to determine whether tamper protection and real-time protection are turned on](prevent-changes-to-security-settings-with-tamper-protection.md#use-powershell-to-determine-whether-tamper-protection-and-real-time-protection-are-turned-on).

-## I'm an enterprise customer. Can local admins change tamper protection on their devices?

-In general, tamper protection helps protect against users being able to change security settings directly on devices. Tamper protection is part of anti-tampering capabilities that include [standard protection attack surface reduction rules](attack-surface-reduction-rules-reference.md). To further prevent malware from running in kernel, consider using [driver block rules with Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules).

-## What happens if my device is onboarded to Defender for Endpoint and then goes into an off-boarded state?

-If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.

-## If the status of tamper protection changes, are alerts shown in the Microsoft 365 Defender portal?

-Alerts should be listed in the [Microsoft 365 Defender portal](https://security.microsoft.com) under **Incidents**.

-Your security operations team can also use hunting queries, such as the following example:

-`AlertInfo|where Title == "Tamper Protection bypass"`

-## Does tamper protection require cloud protection?

-

-Depending on the method or management tool you use to enable tamper protection, there might be a dependency on [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md). Cloud-delivered protection is also referred to as cloud protection, or Microsoft Advanced Protection Service (MAPS). The following table summarizes whether there's a dependency on cloud protection.

-| How tamper protection is enabled | Dependency on cloud protection? |

-|||

-| Microsoft Intune | No |

-| Microsoft Configuration Manager with Tenant Attach | No |

-| Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Yes |

-## See also

-If you're looking for Antivirus related information for other platforms, see:

-ms.pagetype: security

-ms.sitesec: library

-To get your regular security intelligence updates, the Windows Update service must be running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.

-If you're using a non-Microsoft antivirus product as your primary antivirus solution on Windows Server, you must set Microsoft Defender Antivirus to passive mode or disabled mode. If your Windows Server endpoint is onboarded to Microsoft Defender for Endpoint, you can set Microsoft Defender Antivirus to passive mode. If you're not using Microsoft Defender for Endpoint, set Microsoft Defender Antivirus to disabled mode.

-| Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard | See [Install or Uninstall Roles, Role Services, or Features](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**. <br/><br/>When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option. <br/><br/> If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you'll be prompted to remove the interface option **GUI for Windows Defender**.<br/><br/>Microsoft Defender Antivirus will still run normally without the user interface, but the user interface can't be enabled if you disable the core **Windows Defender** feature. |

-If your Windows Server is onboarded to Microsoft Defender for Endpoint, you can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and Windows Server 2016. See the following articles:

->

-> - The latest available data is 3 to 4 days old.