Manage tamper protection for your organization using Microsoft Intune

Applies to:

Platforms

  • Windows

Tamper protection helps protect certain security settings, such as virus and threat protection, from being disabled or changed. If you're part of your organization's security team, and you're using Microsoft Intune, you can manage tamper protection for your organization in the Intune admin center.

Using Intune, you can:

Important

If you're using Microsoft Intune to manage Defender for Endpoint settings, make sure to set DisableLocalAdminMerge to true on devices.

When tamper protection is turned on, tamper-protected settings cannot be changed. To avoid breaking management experiences, including Intune (and Configuration Manager), keep in mind that changes to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. Depending on your particular scenario, you have several options available:

  • If you must make changes to a device and those changes are blocked by tamper protection, we recommend using troubleshooting mode to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
  • You can use Intune or Configuration Manager to exclude devices from tamper protection.
  • If you're managing tamper protection through Intune, you can change tamper-protected antivirus exclusions.

Requirements for managing tamper protection in Intune

  • You must have appropriate permissions assigned through roles, such as Global Administrator or Security Administrator. (See Azure Active Directory roles with Intune access.)

  • Your organization uses Intune to manage devices. (Intune licenses are required; Intune is included in Microsoft 365 E3/E5, Enterprise Mobility + Security E3/E5, Microsoft 365 Business Premium, Microsoft 365 F1/F3, Microsoft 365 Government G3/G5, and corresponding education licenses.)

  • Windows devices must be running Windows 10 version 1709 or later or Windows 11. (For more information about releases, see Windows release information.)

  • You must be using Windows security with security intelligence updated to version 1.287.60.0 (or later).

  • Devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or later). (See Manage Microsoft Defender Antivirus updates and apply baselines.)

  • Your Intune and Defender for Endpoint tenants must share the same Azure Active Directory infrastructure.

  • Your devices must be onboarded to Defender for Endpoint.

Note

If devices are not enrolled in Microsoft Defender for Endpoint, tamper protection shows up as Not Applicable until the onboarding process completes. Tamper protection can prevent changes to security settings from occurring. If you see an error code with Event ID 5013, see Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus.

Turn tamper protection on (or off) in Microsoft Intune

Turn tamper protection on with Intune

  1. In the Intune admin center, go to Endpoint security > Antivirus, and then choose + Create Policy.

    • In the Platform list, select Windows 10, Windows 11, and Windows Server.
    • In the Profile list, select Windows Security experience.
  2. Create a profile that includes the following setting:

    • TamperProtection (Device): On
  3. Finish selecting options and settings for your policy.

  4. Deploy the policy to devices.

Tamper protection for antivirus exclusions

If your organization has exclusions defined for Microsoft Defender Antivirus, tamper protection protects those exclusions, provided all of the following conditions are met:

Tip

For more detailed information about Microsoft Defender Antivirus exclusions, see Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus.

How to determine whether antivirus exclusions are tamper protected on a Windows device

You can use a registry key to determine whether the functionality to protect Microsoft Defender Antivirus exclusions is enabled. The following procedure describes how to view, but not change, tamper protection status.

  1. On a Windows device, open Registry Editor. (Read-only mode is fine; you're not editing the registry key.)

  2. To confirm that the device is managed by Intune only, go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender (or HKLM\SOFTWARE\Microsoft\Windows Defender), and look for a REG_DWORD entry called ManagedDefenderProductType.

    • If ManagedDefenderProductType has a value of 6, then the device is managed by Intune only (this value is required for exclusions to be tamper protected).
    • If ManagedDefenderProductType has a value of 7, then the device is co-managed, such as by Intune and Configuration Manager (this value indicates that exclusions are not currently tamper protected).
  3. To confirm that tamper protection is deployed and that exclusions are tamper protected, go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features (or HKLM\SOFTWARE\Microsoft\Windows Defender\Features), and look for a REG_DWORD entry called TPExclusions.

    • If TPExclusions has a value of 1, then all required conditions are met, and the new functionality to protect exclusions is enabled on the device. In this case, exclusions are tamper protected.
    • If TPExclusions has a value of 0, then tamper protection isn't currently protecting exclusions on the device. (If you meet all the requirements and this state seems incorrect, contact support.)

Caution

Do not change the value of the registry keys. Use the preceding procedure for information only. Changing keys has no effect on whether tamper protection applies to exclusions.
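The same read-only check can be scripted so it can be run across a fleet. The following PowerShell function is an added example, not code from the Microsoft page; it only reads the two registry values described in the procedure and reports the overall tamper protection state via the IsTamperProtected property of Get-MpComputerStatus. The function name is an assumption for this example.

```powershell
# Added example (not from the Microsoft docs page). Read-only: nothing is written
# to the registry, matching the caution above.
function Get-TamperProtectedExclusionStatus {
    [CmdletBinding()]
    param()

    # Registry paths named in the procedure above
    $defenderKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $featuresKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'

    # Get-ItemProperty only reads; a missing value simply yields $null
    $productType  = (Get-ItemProperty -Path $defenderKey -Name 'ManagedDefenderProductType' `
                        -ErrorAction SilentlyContinue).ManagedDefenderProductType
    $tpExclusions = (Get-ItemProperty -Path $featuresKey -Name 'TPExclusions' `
                        -ErrorAction SilentlyContinue).TPExclusions

    # Values as documented: 6 = Intune only, 7 = co-managed (e.g. Intune + Configuration Manager)
    if ($null -eq $productType) {
        $management = 'ManagedDefenderProductType not present'
    } elseif ($productType -eq 6) {
        $management = 'Intune only'
    } elseif ($productType -eq 7) {
        $management = 'Co-managed (Intune and Configuration Manager)'
    } else {
        $management = "Other ($productType)"
    }

    # Overall tamper protection state as reported by the Defender cmdlet
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        ComputerName               = $env:COMPUTERNAME
        ManagedDefenderProductType = $productType
        Management                 = $management
        TPExclusions               = $tpExclusions
        # Exclusions are tamper protected only when both documented conditions hold
        ExclusionsTamperProtected  = ($productType -eq 6 -and $tpExclusions -eq 1)
        IsTamperProtected          = $status.IsTamperProtected
    }
}

Get-TamperProtectedExclusionStatus | Format-List
```

A device that reports ManagedDefenderProductType 7 or TPExclusions 0 is not misconfigured by the script; it is simply telling you that exclusions are not currently tamper protected, which is the case to investigate through Intune rather than the registry.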

See also