Windows Defender tamper protection management in Microsoft Intune
Published Sep 23 2019 11:46 PM 14.6K Views

This month we’ve released Windows Defender tamper protection management in Microsoft Intune!


Tamper protection is a new setting available in the Windows Security app which adds additional protections against change to key Windows Defender security features.


Enabling this feature prevents others (including malicious apps) from changing/disabling important protection features such as:

  • Real-time protection, which is the core antimalware scanning feature of Microsoft Defender ATP next gen protection and should rarely, if ever, be disabled
  • Cloud-delivered protection, which uses our cloud-based detection and prevention services to block never-before seen malware within seconds
  • IOAV, which handles the detection of suspicious files from the Internet
  • Behavior monitoring, which works with real-time protection to analyze and determine if active processes are behaving in a suspicious or malicious way and blocks them

The feature also prevents the deletion of security intelligence updates and the disabling of the entire antimalware solution.


Enterprise management of this feature via Intune requires an E5 license (such as those with a Microsoft Defender ATP license) and the device be MDM enrolled into Intune. The feature is available on Windows 10 1903 Enterprise devices, and we’re looking at backporting the feature to down level Windows clients later this year.


Before you can enable the setting, you need to connect Microsoft Defender ATP to Intune. To do this,  browse to and visit Settings > Advanced features. Turn the Microsoft Intune connection on and press save.


Enable Intune in MDATP.png


Next, browse to the Microsoft Intune console. To enable Windows Defender tamper protection, create an Endpoint Protection policy in Intune and enable the Tamper protection feature.


Enable Tamper Protection in Intune.png


Assign this policy to a user or device group, and tamper protection will be enabled.

To disable the feature, change the setting to Disabled and deploy the policy to the target devices.

Note: Not configured will not change the state of a previously deployed configuration. To disable tamper protection, you must deploy a Disabled policy state.


For more information on the Windows Defender tamper protection feature, visit


Matt Shadbolt 

Senior Program Manager

Microsoft Intune 

Version history
Last update:
‎Nov 30 2023 04:15 PM
Updated by: