Fix Defender Tamper Protection Reverting to On After a Toggle Attempt
🔍 WiseChecker

Fix Defender Tamper Protection Reverting to On After a Toggle Attempt

by

Quick fix: Tamper Protection refuses to turn off when an Intune policy, Defender for Endpoint, or Family Safety has it locked at the cloud or organization level. Sign out of work accounts under Settings → Accounts → Access work or school, or contact your IT admin — local toggles can’t override a managed setting.

You opened Windows Security, navigated to Virus & threat protection, and clicked the Tamper Protection toggle to off. The toggle moves, the page refreshes, and Tamper Protection is back on. The change didn’t take. The page may show a small This setting is managed by your administrator note, or worse, no note at all — just silent refusal.

Symptom: Toggling Tamper Protection off has no effect; the setting reverts to On.
Affects: Windows 11 with Microsoft Defender, particularly on managed or work-joined PCs.
Fix time: 5–30 minutes depending on what’s enforcing it.

ADVERTISEMENT

What makes Tamper Protection refuse to turn off

Tamper Protection is a cloud-managed setting. The local toggle is just a hint — the actual decision flows from a per-machine policy that can come from four sources: Microsoft Defender for Endpoint enrollment, Intune device management, a tenant-level setting in the Microsoft 365 Defender portal, or Family Safety on consumer accounts. If any of those sources sets Tamper Protection to On, the local toggle is ignored.

Local Group Policy and registry have no path to override a cloud-enforced setting. That’s by design — Tamper Protection’s job is to resist exactly this kind of local override (which is why malware can’t turn it off either).

Method 1: Determine what’s enforcing the setting

  1. Open Windows Security → Virus & threat protection → Manage settings. Look for any banner text under Tamper Protection.
  2. If the banner reads This setting is managed by your administrator, the source is Intune or Defender for Endpoint — see Method 2.
  3. If the banner reads This setting is managed by your family administrator, Family Safety is in control — see Method 3.
  4. If there’s no banner but the toggle still refuses, check whether you signed in with a work or school account: Settings → Accounts → Access work or school. Listed accounts indicate management.
  5. Open PowerShell as Administrator and run:

    Get-MpComputerStatus | Select-Object IsTamperProtected, AntivirusEnabled, RealTimeProtectionEnabled, AMRunningMode

    If IsTamperProtected is True and AMRunningMode shows Passive or EDR Block, the device is managed.

The diagnosis tells you which path to take next.

ADVERTISEMENT

Method 2: Disable via Intune / Defender for Endpoint (admin path)

If you have organization admin rights:

  1. Sign in to https://endpoint.microsoft.com.
  2. Navigate to Endpoint security → Antivirus → Windows Security experience.
  3. Open the policy that targets the affected device or group.
  4. Find Tamper Protection and set it to Disabled. Save.
  5. On the device, force an Intune sync: Settings → Accounts → Access work or school → Info → Sync.
  6. Wait 5–15 minutes. Open Windows Security — the toggle should now be unlocked.

If you don’t have admin rights, contact whoever does. The local user can’t bypass this.

Method 3: Disable via Family Safety (consumer path)

  1. Sign in to https://family.microsoft.com with the organizer (parent) account.
  2. Find the affected user in the family group.
  3. Open their profile and navigate to Devices → Windows.
  4. If a Family Safety policy is enforcing Defender settings, edit or remove the relevant rule.
  5. Wait 5–15 minutes for the policy to propagate to the device.
  6. Reopen Windows Security — Tamper Protection toggle should be unlocked.

If the affected user is the family organizer themselves and they’re still blocked, the issue is the consumer Defender service caching old state — sign out of Microsoft account, restart, sign back in.

How to verify the fix worked

  • Open Windows Security → Virus & threat protection → Manage settings. Toggle Tamper Protection. The toggle moves and stays where you set it.
  • Run Get-MpComputerStatus | Select-Object IsTamperProtected in PowerShell. The value reflects your toggle state.
  • No banner appears warning about administrator-managed settings.

If none of these work

If Tamper Protection still refuses to toggle and no banner shows, check whether your device is enrolled in a non-Microsoft EDR (CrowdStrike, SentinelOne, Sophos) that’s acting as the AV provider while leaving Defender in Passive mode — those vendors lock Defender behavior to prevent conflicts, and the lock survives even after you uninstall their product if uninstall didn’t complete cleanly. Run their official cleanup tool to restore Defender control. For deeply stuck cases, a Windows 11 in-place repair upgrade (run setup.exe from a fresh ISO with Keep my files and apps) resets the Defender platform binding without losing data.

Bottom line: Tamper Protection is supposed to resist local override — that’s its job. To turn it off you have to address the management source: Intune policy, family settings, or a third-party EDR. The local toggle alone has no power against any of those.

ADVERTISEMENT

← Back to WiseChecker HomeMore in Windows & PC

🔍 Recommended for You