Disable Tamper Protection

4 min. readlast update: 06.18.2024

Overview

Tamper Protection is a system which prevents malicious actors, end users, and other security software attempting to modify, stop, or delete ThreatLocker files and services. Offboarding or troubleshooting may require Tamper Protection to be disabled temporarily.  

Disabling Tamper Protection for a Single Computer

  1. Navigate to the Computers page in the ThreatLocker Portal
  2. Click on a computer name to open the 'View/Edit Computer' side panel
  3. Navigate to the Maintenance tab 
  4. Select 'Disable Tamper Protection' from the 'Maintenance Type' dropdown
  5. Start the maintenance mode with the 'Schedule Maintenance' button at the bottom of the side panel. 

undefined

 

 

undefined

 

 

Disabling Tamper Protection for Multiple Machines Simultaneously 

  1. Navigate to the Computers page in the ThreatLocker Portal
  2. Select the check box beside all machines for which you are attempting to disable Tamper Protection
  3. Select the 'Schedule Maintenance' button to prompt the 'Schedule Maintenance' popup to appear
  4. Specify the start/end date, if desired, choose 'Disable Tamper Protection' from the 'Mode Options' dropdown, and choose whether the user can end the schedule from the computer
  5. Click 'Start Maintenance' to disable protection

 

undefined

Re-enabling Tamper Protection

The red exclamation point within a red octagon icon confirms Tamper Protection Disabled maintenance mode is currently scheduled. This can be found in the maintenance history when viewing a machine. Clicking this icon will end the maintenance mode. A red 'Tamper Protection Disabled' tag will be displayed for the machine as well. 

undefined

 

You can enable the option 'Allow the user to end the schedule from the Computer' to create a tray popup on the machine. This indicates that the maintenance mode is active on the machine and gives technicians access to re-enable protection on the machine. 

Re-enabling Tamper Protection for Multiple Machines Simultaneously

  1. Navigate to the Computers page in the ThreatLocker Portal
  2. Select the check box beside all machines for which you are attempting to re-enable protection on.  
  3. Click the 'Secure Mode' button. This will also end any other maintenance modes, including Installation, Learning, or Monitor mode. 

undefined

 

 

Legacy Portal

Please note that disabling Tamper Protection will place computers that are in Learning Mode into Secured Mode. To avoid this, computers should be placed into Monitor Only Mode before disabling Tamper Protection.

 

Disabling Tamper Protection For a Single Computer

  • Log into the ThreatLocker Portal.
  • Navigate to the Computers page from the left menu.

undefined

 

If the PC is currently in Learning Mode and you wish to avoid it going into Secured Mode, change the status to Monitor Only in the quick dropdown menu before you attempt to disable Tamper Protection.

undefined

 

  • Select 'Maintenance Mode' on the desired PC.

undefined

 

  • The next popup will pull up the maintenance schedule window.
  • Click the dropdown for 'Maintenance Type' shown below.

undefined

  • Navigate to 'Tamper Protection Disabled' mode.

undefined

 

  • Finally, click 'Add Maintenance Schedule' in order to finish disabling Tamper Protection.
Note: The 'End' button (as shown with red box below) confirms a Tamper Protection Disabled maintenance mode is currently in use.

undefined

 

Additional Note: File and registry permissions will take effect on next check-in. For the service and driver permissions you will need to restart the service.

 

Disabling Tamper Protection For Multiple Computers at Once

  • Log into the ThreatLocker Portal.
  • Navigate to the Computers page from the left menu. 

undefined

  • For PCs in Learning Mode, Monitor Only Mode will need to be enabled first.
  • Select the checkbox next to the computers you will be changing to Monitor Only Mode, or select the checkbox at the top of the page to select all PCs on that page.

undefined

 

  • Next, select the 'Disable Protection' button at the top of the screen.

undefined

 

  • Select Monitor Only from the dropdown menu.

undefined

 

  • Click the 'Start' button.

undefined

 

  • All the PCs you had selected will be in Monitor Only Mode and you can proceed with disabling Tamper Protection.

undefined

 

  • Select the checkbox next to the PCs you want to disable Tamper Protection on or select the checkbox at the top to select all PCs on the current page.

undefined

 

  • Click the 'Disable Protection' button at the top of the page.

undefined

 

  • Select Disable Tamper Protection from the dropdown menu and then click the 'Start' button.

undefined

 

  • Tamper Protection is now disabled for all PCs you have selected.

undefined

 

Enabling Learning Mode for Multiple Computers at Once

  • To place your PCs back into Learning Mode, select the checkbox next to the PCs you want to place into Learning Mode, and then select the 'Disable Protection' button at the top of the screen.
  • Set your desired ending time for the Learning Mode. Choose Learning based on Group settings from the dropdown menu.  
  • Click 'Start'.

undefined

  • All selected PCs will be placed into Learning Mode until the date/time you selected.
Was this article helpful?