https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
Abstract: If you execute malware as an administrative user, your data is almost lost - but alas, there is still Windows Defender, which, with its tamper protection, cannot be deactivated without manual interaction by the admin himself. But what about safe mode? If the ransomware can modify the boot options, it can restart the machine into safe mode, and Defender is off there.
Now for my 2 cents: safe mode cannot be reached without suspending BitLocker first. So why would Microsoft not add tamper protection to BitLocker as well? That's worth considering, Microsoft!