How to Enable Tamper Protection for Your Organization Using Microsoft Intune

Configure and deploy tamper protection settings through Microsoft Intune's Endpoint Security Antivirus Policy to prevent unauthorized modifications to Microsoft Defender Antivirus across your organization's managed devices.

Emanuel DE ALMEIDA
3/16/2026 | hard | intune | 10 steps | 15 min

Why Deploy Tamper Protection Through Microsoft Intune?

Tamper protection represents a critical security control that prevents unauthorized modifications to Microsoft Defender Antivirus settings, even by users with local administrator privileges. In today's threat landscape, attackers frequently attempt to disable security controls as part of their attack chain, making tamper protection an essential defensive measure.

Microsoft Intune provides the most robust method for deploying tamper protection across your organization. Unlike tenant-wide settings in the Defender portal, Intune policies offer granular control, allowing you to target specific device groups and combine tamper protection with other security configurations. The integration also provides comprehensive reporting and monitoring capabilities that are essential for enterprise security management.

What Makes Intune-Based Tamper Protection Different?

When you deploy tamper protection through Intune's Endpoint Security Antivirus policies, you gain several advantages over other deployment methods. The policy-based approach ensures consistent application across all managed devices, while the Windows Security Experience profile provides access to advanced tamper protection features that aren't available through basic configuration methods.

This tutorial will guide you through the complete process of creating, deploying, and verifying tamper protection policies using Microsoft Intune. You'll learn how to configure the policies correctly, monitor deployment success, and verify that protection is working as expected. We'll also cover advanced configurations like exclusion protection and troubleshooting scenarios that may arise in enterprise environments.

Implementation Guide

Full Procedure

01

Access Microsoft Intune Admin Center and Navigate to Antivirus Policies

Start by logging into the Microsoft Intune admin center where you'll create and manage your tamper protection policy.

Open your web browser and navigate to https://intune.microsoft.com. Sign in with your Global Administrator or Intune Administrator credentials.

Once logged in, navigate to Endpoint security in the left navigation pane, then select Antivirus. You can also access this directly at https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/antivirus.

Pro tip: Bookmark the direct Antivirus URL for faster access during future policy management tasks.

Verification: You should see the Antivirus policies dashboard with options to create new policies and view existing ones.

02

Create a New Antivirus Policy for Tamper Protection

Now you'll create a new antivirus policy specifically designed to enable tamper protection across your organization.

Click + Create Policy in the Antivirus policies dashboard. In the policy creation wizard, you'll need to select the appropriate platform and profile:

  • Platform: Select Windows 10 and later
  • Profile: Choose Windows Security experience

Click Create to proceed to the policy configuration.

Warning: Make sure you select the "Windows Security experience" profile, not the "Microsoft Defender Antivirus" profile, because the tamper protection setting is located in the former.

Verification: The policy creation wizard should open with the "Basics" tab active, ready for you to configure policy details.

03

Configure Basic Policy Information

Configure the fundamental details of your tamper protection policy to ensure proper identification and management.

On the Basics tab, fill in the following information:

  • Name: Enter a descriptive name like "Enable Tamper Protection - Organization Wide"
  • Description: Add a detailed description such as "Prevents unauthorized modifications to Microsoft Defender Antivirus settings and exclusions across all managed devices"

Click Next to proceed to the configuration settings.

Pro tip: Use a consistent naming convention for your policies that includes the purpose and scope. This makes policy management much easier as your environment grows.

Verification: The "Configuration settings" tab should now be active, showing various security settings you can configure.

04

Enable Tamper Protection in Policy Settings

This is the core step where you'll actually enable tamper protection to prevent unauthorized changes to Defender settings.

On the Configuration settings tab, locate the Defender section. You'll find several settings here, but focus on the tamper protection option:

  • Find Tamper protection (device)
  • Set the value to On

Leave other settings at their default values unless you have specific organizational requirements. The tamper protection setting is the primary focus of this policy.

Click Next to continue to scope tags configuration.

Warning: Once tamper protection is enabled, you won't be able to modify protected settings through local means. Always ensure you have proper administrative access through Intune before deploying.

Verification: Confirm that "Tamper protection (device)" shows "On" before proceeding to the next step.

05

Configure Scope Tags and Assignments

Define which devices and users will receive this tamper protection policy through proper assignment configuration.

On the Scope tags tab, you can typically leave the default scope tag selected unless your organization uses specific scope tags for security policies. Click Next to proceed.

On the Assignments tab, configure who receives this policy:

  • Include: Select All users and All devices for organization-wide deployment
  • Alternatively, select Selected groups if you want to target specific security groups
  • Ensure the Target type is set to Include

For most organizations, deploying to all devices is recommended for comprehensive protection.

Click Next to proceed to the final review.

Pro tip: Consider starting with a pilot group of devices before rolling out organization-wide. This allows you to test the policy impact and troubleshoot any issues.

Verification: Review your assignment settings to ensure the correct scope is selected for your deployment strategy.

06

Review and Deploy the Tamper Protection Policy

Complete the policy creation process and deploy it to your selected devices.

On the Review + create tab, carefully review all your policy settings:

  • Verify the policy name and description
  • Confirm tamper protection is set to "On"
  • Check assignment scope matches your intentions

Once you've verified all settings are correct, click Create to deploy the policy.

The policy will now be created and begin deploying to assigned devices. This process typically takes 15-30 minutes for devices to receive and apply the policy.

Warning: Once deployed, this policy will prevent local administrators from disabling tamper protection or modifying protected Defender settings. Ensure your IT team understands this change.

Verification: You should see the new policy listed in your Antivirus policies dashboard with a "Created" status.

07

Monitor Policy Deployment Status

Track the deployment progress and ensure the tamper protection policy is successfully applied to your devices.

Return to Endpoint security > Antivirus in the Intune admin center. Click on your newly created tamper protection policy to view its deployment status.

In the policy overview, you'll see several key metrics:

  • Assignment status: Shows how many devices have received the policy
  • Device status: Displays success, pending, and error counts
  • User status: Shows user-level deployment information

Click on Device status to see detailed per-device information. Look for devices showing "Success" status, which indicates tamper protection has been successfully enabled.

Pro tip: Set up automated reports or check the deployment status daily for the first week to catch any deployment issues early.

Verification: Most devices should show "Success" status within 1-2 hours of policy deployment. Investigate any devices showing "Error" or "Pending" status.

08

Verify Tamper Protection on Individual Devices

Confirm that tamper protection is actually working on your managed devices using PowerShell verification.

On a test device that received the policy, open PowerShell as an administrator and run the following command:

Get-MpComputerStatus | Select-Object IsTamperProtected

This command should return True if tamper protection is successfully enabled.

You can also verify through the Windows Security app:

  1. Open Windows Security from the Start menu
  2. Navigate to Virus & threat protection
  3. Click on Manage settings under "Virus & threat protection settings"
  4. Verify that protected settings show as managed and cannot be modified

Additionally, check the registry for confirmation:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name "ManagedDefenderProductType"

This should return a value of 6, indicating the device is managed by Intune.

Pro tip: Create a simple PowerShell script to check tamper protection status across multiple devices remotely using Invoke-Command for large-scale verification.

Verification: The PowerShell command should return IsTamperProtected : True and Windows Security should show settings as protected.
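
The Invoke-Command approach from the pro tip above, as an added example that is not part of the original article. It assumes PowerShell remoting (WinRM) is enabled on the targets and that you are a local administrator there; the computer names and the CSV file name are constructed placeholders.

```powershell
# Added example, not from the original article.
# Constructed placeholder names; replace with your own device list.
$Computers = 'PC-001', 'PC-002', 'PC-003'

# Runs on each device: the two checks from this step, plus context fields.
$check = {
    $status = Get-MpComputerStatus
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' `
        -Name 'ManagedDefenderProductType' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IsTamperProtected          = $status.IsTamperProtected
        TamperProtectionSource     = $status.TamperProtectionSource
        AMRunningMode              = $status.AMRunningMode
        ManagedDefenderProductType = $reg.ManagedDefenderProductType
    }
}

# Unreachable hosts are collected in $remoteErrors instead of stopping the run.
$results = Invoke-Command -ComputerName $Computers -ScriptBlock $check `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors
if ($remoteErrors) {
    Write-Warning "$($remoteErrors.Count) host(s) could not be queried"
}

# One row per requested device, so silent or offline devices still appear.
$report = foreach ($name in $Computers) {
    $r = $results | Where-Object { $_.PSComputerName -eq $name }
    [pscustomobject]@{
        Computer                   = $name
        Reachable                  = [bool]$r
        IsTamperProtected          = $r.IsTamperProtected
        TamperProtectionSource     = $r.TamperProtectionSource
        AMRunningMode              = $r.AMRunningMode
        ManagedDefenderProductType = $r.ManagedDefenderProductType
        # Compliant means both values this step expects: True and 6.
        Compliant = ($r.IsTamperProtected -eq $true) -and
                    ($r.ManagedDefenderProductType -eq 6)
    }
}

$report | Format-Table -AutoSize
# Keep the gaps (unreachable or non-compliant devices) for follow-up.
$report | Where-Object { -not $_.Compliant } |
    Export-Csv -Path .\tamper-protection-gaps.csv -NoTypeInformation
```

Devices that do not answer are reported as not compliant rather than dropped, so an offline or unmanaged machine cannot pass unnoticed.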

09

Configure Exclusion Protection (Optional but Recommended)

Enhance your tamper protection by preventing local administrators from adding antivirus exclusions that could weaken security.

Create an additional antivirus policy to protect exclusions. Navigate back to Endpoint security > Antivirus and create a new policy:

  • Platform: Windows 10 and later
  • Profile: Microsoft Defender Antivirus

In the configuration settings, locate the Defender section and configure:

  • Disable Local Admin Merge: Set to Yes

This setting prevents local administrators from adding their own exclusions to the antivirus configuration, ensuring that only Intune-managed exclusions are applied.

Deploy this policy to the same groups as your tamper protection policy for consistent security coverage.

Warning: Enabling DisableLocalAdminMerge will prevent local IT staff from adding emergency exclusions. Ensure you have a process for managing exclusions through Intune.

Verification: Test on a device by attempting to add a local exclusion as an administrator - it should be blocked or ignored.

10

Test Tamper Protection Effectiveness

Validate that your tamper protection implementation is working correctly by attempting to modify protected settings.

On a test device with tamper protection enabled, attempt to perform actions that should be blocked:

  1. Try disabling real-time protection: Open Windows Security and attempt to turn off real-time protection. This should be prevented.
  2. Test PowerShell modifications: Run the following command as administrator:

Set-MpPreference -DisableRealtimeMonitoring $true

     This command should fail or have no effect due to tamper protection.

  3. Attempt registry modifications: Try to modify Defender settings directly in the registry - these changes should be blocked or reverted.

If you need to temporarily disable tamper protection for troubleshooting, use the troubleshooting mode feature in the Microsoft Defender portal:

  1. Access the Defender portal at https://security.microsoft.com
  2. Navigate to device management and enable troubleshooting mode for specific devices
  3. This provides temporary access while maintaining audit logs

Pro tip: Document your testing results and create a troubleshooting guide for your IT team that explains how to use troubleshooting mode when legitimate changes are needed.

Verification: All attempts to modify protected settings should fail, and the device should maintain its security configuration despite administrative attempts to change it.
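
The PowerShell test from this step, written as a repeatable check that records evidence and restores the setting if the change unexpectedly goes through. This is an added example, not part of the original article; it relies on Event ID 5013 in the Defender operational log, which records a change blocked by tamper protection and is not mentioned in the article itself.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Run on a test device only.
$started = Get-Date
$tpOn    = (Get-MpComputerStatus).IsTamperProtected
$before  = (Get-MpPreference).DisableRealtimeMonitoring

# The change attempt from this step. With tamper protection on it should not stick.
$setError = $null
try   { Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Stop }
catch { $setError = $_.Exception.Message }

Start-Sleep -Seconds 5   # give Defender a moment to process (or reject) the change
$after = (Get-MpPreference).DisableRealtimeMonitoring
$rtpOn = (Get-MpComputerStatus).RealTimeProtectionEnabled

# Event ID 5013: tamper protection blocked a change to Defender settings.
# Count the events written since the test began.
$blockedEvents = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5013
    StartTime = $started
} -ErrorAction SilentlyContinue)

# If the change did go through, put the original value back before reporting.
if ($after -and -not $before) {
    Set-MpPreference -DisableRealtimeMonitoring $false
}

# Pass only if the setting is still off and real-time protection is still running.
$pass = (-not $after) -and $rtpOn

[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    IsTamperProtected         = $tpOn
    SettingBefore             = $before
    SettingAfterAttempt       = $after
    RealTimeProtectionEnabled = $rtpOn
    BlockEventsLogged         = $blockedEvents.Count
    CmdletError               = $setError
    Result                    = if ($pass) { 'PASS' } else { 'FAIL' }
}
```

The cmdlet can return without an error even when the change is rejected, which is why the result is based on the setting read back afterwards and not on whether the command raised an error.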

Frequently Asked Questions

What happens if tamper protection blocks legitimate IT changes in Microsoft Defender?

If tamper protection prevents legitimate administrative changes, you can use troubleshooting mode in the Microsoft Defender portal. Navigate to security.microsoft.com, access device management, and enable troubleshooting mode for specific devices. This temporarily disables tamper protection while maintaining audit logs. Always remember to disable troubleshooting mode after completing your changes to restore full protection.

Can local administrators bypass Intune tamper protection settings?

No, local administrators cannot bypass tamper protection once it's enabled through Intune policy. This is the primary purpose of tamper protection - to prevent even privileged users from disabling security controls. However, you can configure the DisableLocalAdminMerge setting to prevent local admins from adding antivirus exclusions, providing an additional layer of protection against unauthorized modifications.

How long does it take for tamper protection policy to apply to devices?

Tamper protection policies typically apply to devices within 15-30 minutes of deployment through Intune. The exact timing depends on the device's check-in schedule with Intune and network connectivity. You can verify successful application using the PowerShell command Get-MpComputerStatus | Select-Object IsTamperProtected, which should return True when protection is active.

What licensing is required for tamper protection through Intune?

Tamper protection requires Microsoft Defender for Endpoint licensing (P1, P2, or Business plans) along with Microsoft Intune licensing. Devices must be onboarded to Defender for Endpoint and enrolled in Intune MDM. The feature works on Windows 10 and Windows 11 devices running Microsoft Defender Antivirus as the primary antivirus solution.

Does tamper protection affect third-party antivirus software management?

Tamper protection specifically protects Microsoft Defender Antivirus settings and doesn't directly interfere with third-party antivirus solutions. However, if you're running Microsoft Defender alongside third-party antivirus (passive mode), tamper protection will still protect Defender's configuration. For organizations using third-party antivirus as primary protection, ensure Microsoft Defender is properly configured in passive mode before enabling tamper protection.

Written by

Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
