How to Enable Tamper Protection in Windows Defender When Managed by Admin?

Asked By CuriousTech123 On

I'm dealing with a bit of an issue regarding Tamper Protection in Windows Defender. It's currently off and states it's managed by my administrator. I'm looking for guidance on how to turn this setting on.

My setup is an Active Directory Domain with some devices that are Hybrid Entra Joined, along with a few that are just Entra Joined and enrolled in Intune MDM. I've got one Intune policy that's been configured to keep Tamper Protection enabled, along with some custom info for the security center. I know the policy is applying because changes are reflected on the devices; however, Tamper Protection remains off.

When I check with the PowerShell command *Get-MpComputerStatus*, I see that RealTimeProtectionEnabled is set to True but IsTamperProtected is False, indicating it's indeed not on. When trying to enable it with the command Set-MpPreference -DisableTamperProtection $false, I keep receiving an error: 0x80004001 across multiple machines. I've also reset Windows Defender to defaults and rebooted, even removed the Tamper Protection setting from Intune, leaving it as not configured.

Any ideas on where this policy could be originating from?

4 Answers

Answered By HelpfulAdmin42 On

Can you share the full output of the Get-MpComputerStatus command? It might give more clues about what’s going on.

Answered By SafetyNinja99 On

Definitely check the Microsoft Security portal. Go to Security.microsoft.com, then head to Settings > Endpoint > Features > Tamper protection. There might be some settings there that are affecting it.

TechieExplorer45 -

Good tip! I’ve found some tricky checkboxes in the Defender management portal before.

Answered By LicenseWatcher7 On

Could it be a licensing issue? Sometimes Microsoft locks specific security settings behind their Enterprise licenses. Just something to consider.

Answered By GPOGuru56 On

It sounds like there could be a Group Policy Object (GPO) that’s overriding your Intune policy. Depending on the client's setup and the precedence rules, this can happen. I suggest checking the GPOs directly on the device and any local policies that might be in play. Also, are both the Entra joined and Hybrid devices having this problem?

CuriousTech123 -

Yes, it's affecting both groups. I'll definitely take a look at the MDM Diagnostic report, thanks for pointing that out!
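
The on-device checks suggested in this thread (Get-MpComputerStatus output, GPO versus Intune precedence, the MDM Diagnostic report) can be gathered in one read-only pass. This is an added example, not part of any poster's reply; the registry paths are assumed default locations for Defender state and policy, and the output folder name is hypothetical.

```powershell
# Added example: read-only triage of where Defender settings on this device come from.
# Run in an elevated PowerShell session on an affected device. Nothing here changes configuration.

# 1. Defender's own view of Tamper Protection, including the reported source of the setting.
Get-MpComputerStatus |
    Select-Object AMRunningMode, RealTimeProtectionEnabled, IsTamperProtected, TamperProtectionSource |
    Format-List

# 2. Registry locations that commonly hold Defender state and policy (assumed defaults).
$paths = [ordered]@{
    'Defender feature state'      = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    'Group Policy / local policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    'MDM (Intune) policy'         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
}
foreach ($entry in $paths.GetEnumerator()) {
    Write-Host "`n== $($entry.Key): $($entry.Value)"
    if (Test-Path -LiteralPath $entry.Value) {
        # Drop the PS* bookkeeping properties so only the stored values are listed.
        Get-ItemProperty -LiteralPath $entry.Value |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    } else {
        Write-Host '   (key not present)'
    }
}

# 3. Export the computer-scope Group Policy result and the MDM diagnostic report for review.
$out = Join-Path $env:TEMP 'tp-triage'   # hypothetical folder name
New-Item -ItemType Directory -Path $out -Force | Out-Null
gpresult.exe /scope computer /h (Join-Path $out 'gpresult.html') /f
mdmdiagnosticstool.exe -out (Join-Path $out 'mdm')
```

Compare the TamperProtectionSource value and the contents of the two policy keys against the Intune profile and the gpresult report to see which channel is delivering each Defender setting.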
