Full Guide: Tamper Protection with Intune — Stop Users (and Malware) from Disabling Defender

  • Hanna Korotka
  • Aug 13
  • 2 min read

Enable Tamper Protection

When ransomware—or a “helpful” local admin—tries to turn off antivirus, you need a switch they can’t flip. Microsoft Defender’s Tamper Protection locks critical security settings so they can only be changed by your security team, not from the device. This step-by-step guide shows SMB admins exactly how to enable it with Intune, how to toggle it tenant-wide in Microsoft 365 Defender, and how to verify it’s working.


Why Tamper Protection matters for SMBs


  • Blocks local changes to key Defender settings (apps, registry, services, PowerShell, Group Policy) so attackers and users can’t disable protections before an attack detonates.

  • Flexible management paths: enforce per-group with Intune or turn on tenant-wide in the Defender portal (great for quick wins).


Prerequisites


  • Licensing & management: Devices onboarded to Microsoft Defender for Endpoint and managed via Intune.

  • Permissions: Security admin/appropriate RBAC to change portal settings.

  • Where to configure: Intune admin center (granular assignments) or Microsoft Defender portal (tenant-wide).


Option A (recommended): Enable via Intune for scoped, policy-based control


  1. Go to Intune admin center → Endpoint security → Antivirus → + Create policy.

  2. Platform: Windows 10, Windows 11, and Windows Server. Profile: Windows security experience.

  3. Set Tamper protection = On.

  4. Assign to pilot device group → Create → monitor deployment status, then roll out broadly.


Why this path? Intune lets you target specific users/devices, align with your baselines, and keep local admins from turning it off. (Source: Microsoft Learn)


Option B: Turn it on tenant-wide in Microsoft 365 Defender (fastest)


  1. In Microsoft Defender portal go to Settings → Endpoints → Advanced features.

  2. Toggle Tamper protection = On and Save.

    • For many new deployments, management in the Defender portal is enabled by default as part of built-in protection; existing tenants may need to opt in.

Note: Portal-level tamper protection is tenant-wide. If a device is also managed by Intune/ConfigMgr for this setting, the device-management policy remains authoritative.

Verify it’s actually on


On a target device:

  1. Open the Windows PowerShell app.

  2. Run the Get-MpComputerStatus cmdlet.

  3. In the list of results, look for IsTamperProtected. A value of True means tamper protection is enabled.
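The same check as a script, for verifying more than one device by hand. This is an added example, not part of the original post: the function name `Test-TamperProtectionStatus`, its output property names, and the exit-code convention are assumptions made for illustration.

```powershell
function Test-TamperProtectionStatus {
    [CmdletBinding()]
    param(
        # Output of Get-MpComputerStatus; when omitted, the local device is queried.
        [Parameter(ValueFromPipeline)]
        [object]$Status
    )
    process {
        $detail = $null
        if ($null -eq $Status) {
            try {
                $Status = Get-MpComputerStatus -ErrorAction Stop
            } catch {
                # A failed query must never be read as "protected".
                $detail = "Get-MpComputerStatus failed: $($_.Exception.Message)"
            }
        }
        # TamperProtectionSource is not reported by every Defender platform version.
        $source = $null
        if ($Status -and $Status.PSObject.Properties['TamperProtectionSource']) {
            $source = $Status.TamperProtectionSource
        }
        $protected = ($null -ne $Status) -and ($Status.IsTamperProtected -eq $true)
        if (-not $detail) {
            $detail = if ($protected) { 'Tamper protection is enabled.' } else { 'Tamper protection is not enabled.' }
        }
        [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            IsTamperProtected = $protected
            Source            = $source
            RealTimeEnabled   = if ($Status) { $Status.RealTimeProtectionEnabled } else { $null }
            Detail            = $detail
        }
    }
}

# Constructed sample object (not real device output) exercising the failing path.
$sample = [pscustomobject]@{ IsTamperProtected = $false; RealTimeProtectionEnabled = $true }
$sample | Test-TamperProtectionStatus | Format-List

# Live check on this device; a non-zero exit code signals "not protected" to a calling script.
$result = Test-TamperProtectionStatus
$result | Format-List
if (-not $result.IsTamperProtected) { exit 1 }
```

The `Source` field, when the device reports it, shows which management channel set the value, which helps when both the portal toggle and an Intune policy apply.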


How PlexHosted can help


As a Microsoft Cloud MSSP, we help strengthen your overall security posture—standardizing protections across endpoints and servers, validating that controls are enforced, and folding best practices into your baseline. Book a free 30-minute security review and we’ll identify quick wins, close gaps, and keep your defenses from being bypassed.


