Enabling Windows Tamper Protection in Managed Environments
Purpose of this Document
This document outlines the steps required to enable Microsoft Defender Tamper Protection for Windows devices managed using Hexnode UEM. While Hexnode provides comprehensive management of Microsoft Defender Antivirus configurations, Tamper Protection is a protected security feature. To prevent unauthorized modification, it cannot be managed via third-party MDM solutions and must be configured directly within the Microsoft Defender for Endpoint portal.
What is Tamper Protection?
Tamper Protection is a security-hardening feature in Microsoft Defender Antivirus that prevents unauthorized or unintended changes to critical security settings. Once enabled, it blocks attempts—by malicious software, scripts, or even local administrators—to:
- Disable real-time protection
- Turn off cloud-delivered protection
- Modify security intelligence update settings
- Change Defender configurations via registry edits or PowerShell
Prerequisites
| Category | Requirement |
|---|---|
| Administrative Roles | Global Administrator or Security Administrator permissions in Microsoft Defender |
| Device Onboarding | Devices must be onboarded to Microsoft Defender for Endpoint |
| Supported Operating Systems | |
| Defender Platform Version | Anti-malware platform version 4.18.2010.7 or later |
| Defender Engine Version | Anti-malware engine version 1.1.17600.5 or later |
| Security Configuration | Cloud-delivered protection must be enabled |
Tamper Protection behavior in Hexnode-managed environments
Tamper Protection, when enabled, prevents modification of critical Microsoft Defender settings on the device itself. While Hexnode UEM can continue to deploy and manage Defender configurations via policies, those settings become locked at the operating system level and cannot be overridden or disabled locally. Any attempt to modify protected settings through local administrative tools, scripts, or registry edits is automatically blocked. This design ensures that even privileged users or malicious processes cannot weaken endpoint security.
Enabling Tamper Protection via Microsoft Defender Portal
Follow the steps below to enable Tamper Protection across your organization.
Step 1: Sign In to Microsoft Defender
Access the Microsoft Defender portal and sign in using an account with the required administrative permissions.
Step 2: Navigate to Endpoint Settings
From the left navigation pane, go to: Settings > Endpoints.
Step 3: Open Advanced Features
Under the General section, select Advanced features.
Step 4: Enable Tamper Protection
- Locate Tamper protection in the feature list.
- Toggle the setting to On.
Step 5: Save the configuration
Click Save preferences to apply the setting tenant-wide.
The changes may take some time to propagate to all devices.
Verifying Tamper Protection Status on Devices
Once enabled, verify the status using one of the methods below.
Option 1: PowerShell Verification (Recommended)
Run the following command in an elevated PowerShell window:
```powershell
Get-MpComputerStatus | Select-Object IsTamperProtected
```
Expected results:
- True — Tamper Protection is enabled and active
- False — The device has not yet synced or does not meet prerequisites
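A `False` result can mean either that the tenant-wide setting has not reached the device yet or that one of the prerequisites from the table above is not met. The following script is an added example (it is not part of this Hexnode article and is not Microsoft's or Hexnode's own tooling) that reports the Tamper Protection status together with the prerequisite checks, so the cause of a `False` is visible in one run. It assumes the `Get-MpComputerStatus` and `Get-MpPreference` properties used below are present on the device's Defender version, that `MAPSReporting` of `0` means cloud-delivered protection is off, and that Defender records blocked changes as Event ID 5013 in its Operational log; the function name `Test-TamperProtectionReadiness` is chosen for this example.

```powershell
# Added example, not code from the Hexnode article or from Microsoft.
# Checks Tamper Protection status plus the prerequisites listed on this page.
# Run in an elevated PowerShell window on an onboarded device.

function Test-TamperProtectionReadiness {
    # Minimum versions taken from the prerequisites table above
    $minPlatform = [version]'4.18.2010.7'
    $minEngine   = [version]'1.1.17600.5'

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # AMProductVersion / AMEngineVersion are strings such as "4.18.2010.7"
    $platformOk = [version]$status.AMProductVersion -ge $minPlatform
    $engineOk   = [version]$status.AMEngineVersion  -ge $minEngine

    # Assumption: MAPSReporting 0 = disabled, 1 = basic, 2 = advanced.
    # Tamper Protection requires cloud-delivered protection, so 0 fails the check.
    $cloudOk = ($pref.MAPSReporting -ne 0)

    $report = [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        IsTamperProtected     = $status.IsTamperProtected
        PlatformVersion       = $status.AMProductVersion
        PlatformMeetsMinimum  = $platformOk
        EngineVersion         = $status.AMEngineVersion
        EngineMeetsMinimum    = $engineOk
        CloudProtectionOn     = $cloudOk
        RealTimeProtectionOn  = $status.RealTimeProtectionEnabled
    }

    if (-not $status.IsTamperProtected) {
        # Distinguish "not synced yet" from "prerequisite missing"
        if (-not $platformOk) { Write-Warning "Platform $($status.AMProductVersion) is below $minPlatform" }
        if (-not $engineOk)   { Write-Warning "Engine $($status.AMEngineVersion) is below $minEngine" }
        if (-not $cloudOk)    { Write-Warning "Cloud-delivered protection (MAPS) is disabled" }
        if ($platformOk -and $engineOk -and $cloudOk) {
            Write-Warning "Prerequisites met; the tenant setting may not have propagated yet"
        }
    }

    return $report
}

function Get-TamperProtectionBlockedChanges {
    param([int]$Days = 7)

    # Assumption: Defender logs Event ID 5013 ("Tamper protection blocked a change")
    # to its Operational log. Reviewing these events shows what was blocked and when,
    # which is useful evidence that the protection is actually enforcing.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5013
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage
Test-TamperProtectionReadiness | Format-List
Get-TamperProtectionBlockedChanges -Days 7 | Format-Table -AutoSize -Wrap
```

`Test-TamperProtectionReadiness` returns an object rather than only printing, so it can be collected from many devices (for example through a remote session or a Hexnode script deployment) and filtered on `IsTamperProtected -eq $false`. `Get-TamperProtectionBlockedChanges` returns nothing, rather than an error, when no blocked changes were recorded in the window.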
Option 2: Windows Security App
- Open Windows Security
- Navigate to Virus & threat protection.
- Select Manage settings.
- Locate Tamper Protection
If enabled, the setting will:
- Display as On.
- Appear greyed out, preventing user interaction.
- Show a message such as “This setting is managed by your administrator”
Key Takeaways
- Tamper Protection is a Defender-controlled, tenant-wide security feature.
- Once enabled, it serves as an additional layer of protection for Microsoft Defender configurations enforced via Hexnode Microsoft Defender policy.
- This setup ensures maximum resistance against security tampering at the endpoint level.