Manage tamper protection for your organization using Microsoft Intune
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
- Microsoft Defender for Business
- Microsoft 365 Business Premium
Platforms
- Windows
Tamper protection helps protect certain security settings, such as virus and threat protection, from being disabled or changed. If you're part of your organization's security team, and you're using Microsoft Intune, you can manage tamper protection for your organization in the Intune admin center.
Using Intune, you can:
- Turn tamper protection on (or off) for some or all devices.
- Tamper protect antivirus exclusions that are defined for Microsoft Defender Antivirus.
Important
If you're using Microsoft Intune to manage Defender for Endpoint settings, make sure to set DisableLocalAdminMerge to true on devices.
When tamper protection is turned on, tamper-protected settings cannot be changed. To avoid breaking management experiences, including Intune (and Configuration Manager), keep in mind that changes to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. Depending on your particular scenario, you have several options available:
- If you must make changes to a device and those changes are blocked by tamper protection, we recommend using troubleshooting mode to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
- You can use Intune or Configuration Manager to exclude devices from tamper protection.
- If you're managing tamper protection through Intune, you can change tamper-protected antivirus exclusions.
Requirements for managing tamper protection in Intune
- You must have appropriate permissions assigned through roles, such as Global Administrator or Security Administrator. (See Azure Active Directory roles with Intune access.)
- Your organization uses Intune to manage devices. (Intune licenses are required; Intune is included in Microsoft 365 E3/E5, Enterprise Mobility + Security E3/E5, Microsoft 365 Business Premium, Microsoft 365 F1/F3, Microsoft 365 Government G3/G5, and corresponding education licenses.)
- Windows devices must be running Windows 10 version 1709 or later or Windows 11. (For more information about releases, see Windows release information.)
- You must be using Windows security with security intelligence updated to version 1.287.60.0 (or later).
- Devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or later). (See Manage Microsoft Defender Antivirus updates and apply baselines.)
- Your Intune and Defender for Endpoint tenants must share the same Azure Active Directory infrastructure.
- Your devices must be onboarded to Defender for Endpoint.
Note
If devices are not enrolled in Microsoft Defender for Endpoint, tamper protection shows up as Not Applicable until the onboarding process completes. Tamper protection can prevent changes to security settings from occurring. If you see an error code with Event ID 5013, see Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus.
Turn tamper protection on (or off) in Microsoft Intune
In the Intune admin center, go to Endpoint security > Antivirus, and then choose + Create Policy.
- In the Platform list, select Windows 10, Windows 11, and Windows Server.
- In the Profile list, select Windows Security experience.
Create a profile that includes the following setting:
- TamperProtection (Device): On
Finish selecting options and settings for your policy.
Deploy the policy to devices.
Tamper protection for antivirus exclusions
If your organization has exclusions defined for Microsoft Defender Antivirus, tamper protection protects those exclusions, provided all of the following conditions are met:
- Devices are running Windows Defender platform 4.18.2211.5 or later. (See Monthly platform and engine versions.)
- DisableLocalAdminMerge is enabled. (See DisableLocalAdminMerge.)
- Tamper protection is deployed through Intune, and devices are managed in Intune only.
- Microsoft Defender Antivirus exclusions are managed in Microsoft Intune. (See Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices.)
- Functionality to protect Microsoft Defender Antivirus exclusions is enabled on devices. (See How to determine whether antivirus exclusions are tamper protected on a Windows device.)
Tip
For more detailed information about Microsoft Defender Antivirus exclusions, see Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
How to determine whether antivirus exclusions are tamper protected on a Windows device
You can use a registry key to determine whether the functionality to protect Microsoft Defender Antivirus exclusions is enabled. The following procedure describes how to view, but not change, tamper protection status.
On a Windows device, open Registry Editor. (Read-only mode is fine; you're not editing the registry key.)
To confirm that the device is managed by Intune only, go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender (or HKLM\SOFTWARE\Microsoft\Windows Defender), and look for a REG_DWORD entry called ManagedDefenderProductType.
- If ManagedDefenderProductType has a value of 6, then the device is managed by Intune only (this value is required for exclusions to be tamper protected).
- If ManagedDefenderProductType has a value of 7, then the device is co-managed, such as by Intune and Configuration Manager (this value indicates that exclusions are not currently tamper protected).
To confirm that tamper protection is deployed and that exclusions are tamper protected, go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features (or HKLM\SOFTWARE\Microsoft\Windows Defender\Features), and look for a REG_DWORD entry called TPExclusions.
- If TPExclusions has a value of 1, then all required conditions are met, and the new functionality to protect exclusions is enabled on the device. In this case, exclusions are tamper protected.
- If TPExclusions has a value of 0, then tamper protection isn't currently protecting exclusions on the device. (If you meet all the requirements and this state seems incorrect, contact support.)
Caution
Do not change the value of the registry keys. Use the preceding procedure for information only. Changing keys has no effect on whether tamper protection applies to exclusions.
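The same read-only check, scripted for auditing several devices. This is an added example, not code from the Microsoft article; it only reads the two registry values described above and reports the platform and engine versions via Get-MpComputerStatus, and it assumes an elevated PowerShell session on a Windows device with Microsoft Defender Antivirus installed.

```powershell
# Added example (not from the original article): read-only audit of the tamper
# protection state for exclusions. Nothing here writes to the registry.

$defenderKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$featuresKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'

# Read a REG_DWORD without modifying it; returns $null if the value is absent.
function Get-RegDword([string]$Path, [string]$Name) {
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

# Management state as documented: 6 = Intune only, 7 = co-managed.
function Describe-ProductType([object]$Value) {
    if ($null -eq $Value) { return 'ManagedDefenderProductType not present' }
    switch ([int]$Value) {
        6       { 'Intune only (required for tamper-protected exclusions)' }
        7       { 'Co-managed (Intune + Configuration Manager); exclusions not tamper protected' }
        default { "Unrecognized value $Value" }
    }
}

# Exclusion protection state as documented: 1 = protected, 0 = not protected.
function Describe-TPExclusions([object]$Value) {
    if ($null -eq $Value) { return 'TPExclusions not present' }
    switch ([int]$Value) {
        1       { 'Exclusions are tamper protected' }
        0       { 'Exclusions are NOT currently tamper protected' }
        default { "Unrecognized value $Value" }
    }
}

$productType  = Get-RegDword -Path $defenderKey -Name 'ManagedDefenderProductType'
$tpExclusions = Get-RegDword -Path $featuresKey -Name 'TPExclusions'

# Platform/engine versions and overall tamper protection state from the Defender module.
$status     = Get-MpComputerStatus
$platformOk = [version]$status.AMProductVersion -ge [version]'4.18.2211.5'

[pscustomobject]@{
    ManagedDefenderProductType = $productType
    ManagementState            = Describe-ProductType $productType
    TPExclusions               = $tpExclusions
    ExclusionState             = Describe-TPExclusions $tpExclusions
    IsTamperProtected          = $status.IsTamperProtected
    PlatformVersion            = $status.AMProductVersion
    PlatformMeetsExclusionReq  = $platformOk   # 4.18.2211.5 or later required
    EngineVersion              = $status.AMEngineVersion
} | Format-List
```

A device reporting ManagementState of Intune only, TPExclusions of 1 and PlatformMeetsExclusionReq of True satisfies the conditions listed in the previous section; any other combination points at which requirement is still unmet.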