Tamper Protection in Microsoft Defender Antivirus is a security feature that prevents unauthorized changes to your device’s security settings. On Windows 11, local administrators sometimes find the Tamper Protection toggle greyed out in the Windows Security app. This occurs when a higher authority, such as a Group Policy or an MDM policy, locks the setting. This article explains why this happens and provides clear steps to regain control over Tamper Protection.
When Tamper Protection is greyed out, you cannot turn it on or off through the normal interface. The root cause is usually a conflict between local policies and Microsoft’s default security baselines. This guide covers how to identify the policy that is enforcing the greyed-out state and how to modify or remove it. You will learn to use the Local Group Policy Editor and PowerShell to fix the issue.
Key Takeaways: Restoring Tamper Protection for Local Admins
- Local Group Policy Editor (gpedit.msc) > Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Configure Tamper Protection: Checking or unchecking this policy directly controls the Tamper Protection state.
- PowerShell cmdlet Get-MpComputerStatus: Displays the current Tamper Protection status and reveals if it is being enforced by a policy.
- Setting the policy to “Disabled” or “Not Configured”: These two states allow local admins to toggle Tamper Protection manually in Windows Security.
Why Tamper Protection Is Greyed Out for Local Admins
Tamper Protection is greyed out when Windows detects that a higher-level policy is managing the setting. This can come from three sources:
- Group Policy: An administrator or IT department may have deployed a policy that sets Tamper Protection to a fixed state. This policy overrides local user changes.
- Microsoft Intune or MDM: If your device is enrolled in a mobile device management service, the MDM provider can enforce a Tamper Protection state.
- Windows Security Baseline: Some Windows 11 security baselines include a policy that enables Tamper Protection and locks the toggle.
When a policy is active, the Windows Security app shows the toggle as greyed out and displays a message like “Some settings are managed by your organization.” The toggle cannot be changed until the policy is modified or removed. The fix depends on whether you are on a standalone device or a managed corporate device.
Steps to Fix Tamper Protection Greyed Out on Windows 11
The following steps assume you are a local administrator on a Windows 11 device that is not managed by a corporate domain or MDM. If the device is managed, contact your IT department before making changes.
Check the Current Tamper Protection Status with PowerShell
- Open PowerShell as administrator
Right-click the Start button and select Windows Terminal (Admin) or PowerShell (Admin). Click Yes on the User Account Control prompt. - Run the status command
Type the following command and press Enter:Get-MpComputerStatus | Select-Object -Property TamperProtectionSource, AntivirusEnabled, IsTamperProtected
This command shows three values. TamperProtectionSource tells you what is enforcing the setting. A value of0means no policy is enforcing it. A value of1means a local Group Policy is enforcing it. A value of2means an MDM policy is enforcing it. IsTamperProtected showsTrueorFalse.
Use Local Group Policy Editor to Modify the Policy
- Open Local Group Policy Editor
Press Windows key + R, typegpedit.msc, and press Enter. If this command is not recognized, your Windows 11 edition may not include the Group Policy Editor. You can use the PowerShell method in the next section instead. - Navigate to the Tamper Protection policy
Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus. Look for a policy named Configure Tamper Protection. - Check the current policy state
Double-click the Configure Tamper Protection policy. If it is set to Enabled, Tamper Protection is forced on. If it is set to Disabled, Tamper Protection is forced off. Set it to Not Configured to allow local control, or set it to Disabled if you want to turn off Tamper Protection permanently. - Apply the change
Select Not Configured or Disabled, then click Apply and OK. Close the Local Group Policy Editor. - Force a policy update
Open a Command Prompt as administrator and run:gpupdate /force
Wait for the update to complete. Then restart your device.
Use PowerShell to Remove the Policy (Alternative Method)
If you do not have the Local Group Policy Editor, you can use PowerShell to remove the policy registry key.
- Open PowerShell as administrator
Right-click the Start button and select Windows Terminal (Admin). - Remove the Tamper Protection policy registry key
Run the following command:Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "TamperProtection" -Force
This command deletes the policy value that enforces Tamper Protection. - Verify the removal
RunGet-MpComputerStatus | Select-Object TamperProtectionSourceagain. The value should now be0, meaning no policy is enforcing it. - Restart the device
Restart Windows 11 to apply the change. Open Windows Security > Virus & threat protection > Manage settings. The Tamper Protection toggle should now be clickable.
Common Issues After Modifying Tamper Protection Policy
Tamper Protection Toggle Still Greyed Out After Policy Change
If the toggle remains greyed out, the policy may be cached. Run gpupdate /force again and restart. Also verify that no other policy is overriding the setting. Check the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender for any other policy values related to Tamper Protection. Delete any remaining keys with Remove-ItemProperty.
“Some settings are managed by your organization” Message Persists
This message can appear even after fixing Tamper Protection if other Defender policies are active. Open Local Group Policy Editor and navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus. Review all policies set to Enabled. Set any policies you want to control locally to Not Configured. Then run gpupdate /force and restart.
PowerShell Command Fails with Access Denied
The Remove-ItemProperty command requires administrator privileges. Ensure you open PowerShell as administrator. If the error persists, the registry key may be protected by a higher-level policy from Intune or a domain. In that case, contact your IT administrator to modify the policy in the management console.
Group Policy vs Registry Method: What to Use When
| Item | Local Group Policy Editor | PowerShell Registry Method |
|---|---|---|
| Availability | Windows 11 Pro, Enterprise, Education | All Windows 11 editions |
| Complexity | Graphical interface, easier for beginners | Command-line, requires precision |
| Persistence | Policy remains in place until set to Not Configured | Registry key is deleted, policy is effectively removed |
| Risk | Low, changes are reversible via Group Policy | Medium, incorrect key deletion can affect other Defender settings |
| Best for | Devices with Group Policy Editor available | Devices running Windows 11 Home or when Group Policy Editor is missing |
You can now identify why Tamper Protection is greyed out and choose the method that matches your Windows 11 edition. After applying the fix, open Windows Security and confirm the toggle is active. As a next step, review your Defender policies regularly to ensure no unintended restrictions are in place. For advanced users, consider exporting your current Defender policy with Get-MpPreference to maintain a backup before making changes.