Tamper protection is a control that helps prevent malware or unauthorized users from disabling or weakening endpoint security tools and settings. In plain language, it makes it harder for an attacker to turn off the very protections that are supposed to detect or stop them.
Tamper protection matters because many threats try to blind defenders before doing anything else. If an attacker can disable antivirus, EDR, logging, or security policies easily, later controls become less reliable.
It also matters because endpoint protection is only useful when it can resist casual or malicious interference.
Tamper protection appears in Anti-Malware, Endpoint Detection and Response, device management, privileged admin policy, and Device Hardening. Teams connect it to Secure Boot, Endpoint Isolation, and Patch Management.
It is a practical control for making endpoint defenses more resilient under active attack.
For example, a workstation security agent is configured so that normal users and unapproved processes cannot stop the service, uninstall it, or change core protection settings without going through a stronger administrative control path.
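One way to audit the "normal users cannot stop the service" part of that configuration, as an added example that is not from the original page: it assumes a Windows endpoint where the agent's service security descriptor is available in SDDL form (as printed by `sc sdshow`), and flags allow ACEs that give low-privilege trustees stop, reconfigure or delete rights. The function name and both sample descriptors are constructed for illustration, and deny ACEs are ignored for simplicity.

```python
import re

# SDDL right codes as they apply to Windows service objects, with mask bits.
TAMPER_RIGHTS = {
    "DC": (0x00000002, "change config"),
    "WP": (0x00000020, "stop"),
    "DT": (0x00000040, "pause/continue"),
    "SD": (0x00010000, "delete"),
    "WD": (0x00040000, "write DACL"),
    "WO": (0x00080000, "write owner"),
    "GW": (0x40000000, "generic write"),
    "GA": (0x10000000, "generic all"),
}
# Low-privilege trustees by SDDL alias. As a trustee, "WD" means Everyone.
LOW_PRIV = {"WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive",
            "BU": "Builtin Users", "BG": "Guests", "AN": "Anonymous"}

def tamper_findings(sddl):
    """Return sorted (trustee, right) pairs that let a low-privilege
    trustee stop, reconfigure or delete the service."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)   # DACL only; the SACL is audit policy
    findings = set()
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A":   # only allow ACEs grant access
            continue
        rights, trustee = fields[2], fields[5]
        if trustee not in LOW_PRIV:
            continue
        if rights.lower().startswith("0x"):        # rights given as a hex mask
            mask = int(rights, 16)
            granted = [name for bit, name in TAMPER_RIGHTS.values() if mask & bit]
        else:                                      # rights given as 2-letter codes
            codes = re.findall("..", rights)
            granted = [TAMPER_RIGHTS[c][1] for c in codes if c in TAMPER_RIGHTS]
        findings.update((LOW_PRIV[trustee], g) for g in granted)
    return sorted(findings)

# Constructed descriptors for a hypothetical agent service (not from a real product).
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWRPWPDTLOCRRC;;;AU)")

if __name__ == "__main__":
    for label, sd in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, tamper_findings(sd))
```

A clean result here only covers the service ACL; uninstall paths and protection settings need their own checks.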
Tamper protection is not the same as Secure Boot. Secure Boot protects trust early in startup, while tamper protection focuses on keeping active security controls from being disabled during normal system operation.
It is also not a substitute for monitoring. It reduces one kind of attack path, but defenders still need telemetry and response capability.