Jackie Ramsey, May 2, 2026

A locked security setting can save an audit, and it can also stop a bad day from getting worse. In a CMMC Level 2 environment, I don’t treat Intune tamper protection as a nice extra. I treat it as one of the controls that helps keep Defender settings from being changed when it matters most.

That matters for IT admins, MSPs, and compliance teams because policy drift is common. A device looks fine in the console, then a local change or malware weakens it. The checklist below keeps the setup practical, testable, and easier to defend during an assessment.

Why tamper protection matters in a CMMC Level 2 environment

Tamper protection does one job well. It blocks unauthorized changes to key Microsoft Defender Antivirus settings, including controls tied to real-time protection and exclusions. For CMMC Level 2, that supports stronger execution of malware protection, update discipline, and limits on privileged actions. I use it as supporting evidence for controls, not as a claim that one setting makes an environment compliant. The DoD CMMC Level 2 Assessment Guide still drives the full picture.

Across Small Business IT, I see the same risk in Cloud Infrastructure, Office 365 Migration, and Data Center Technology projects. It also shows up in Restaurant POS Support and Kitchen Technology Solutions, where a rushed local change can weaken Endpoint Security on a front-line device. Good Cybersecurity Services connect tamper protection to Device Hardening, Cloud Management, and Business Continuity & Security. That is part of the Innovative IT Solutions, Tailored Technology Services, Technology Consulting, Infrastructure Optimization, Digital Transformation, IT Strategy for SMBs, and Secure Cloud Architecture I expect from a Business Technology Partner delivering Managed IT for Small Business.

Microsoft’s current guidance also matters because menu names can move. As of May 2026, I validate the current path against Microsoft’s Intune tamper protection guide before I document anything for an assessor.

My Intune checklist for turning it on

Before I create policy, I confirm the basics. The device must be onboarded to Microsoft Defender for Endpoint, use the same Microsoft Entra ID as Intune, and run supported Defender versions. I also verify current security intelligence, because stale signatures can block a clean rollout. For exclusions, I check that local admin merge is disabled where Microsoft requires it.

[Image: Intune policy creation interface for Defender tamper protection]

As of May 2026, this is the checklist I use in the Intune admin center at endpoint.microsoft.com:

  1. Go to Endpoint security and open Antivirus.
  2. Create a new policy for Windows using the Windows Security Experience profile.
  3. Name the policy clearly, such as “CMMC L2 Tamper Protection – On”.
  4. In Configuration settings, find Tamper protection (device) under Defender and set it to On.
  5. Assign the policy to a pilot device group first, then to production groups after validation.
  6. Review and create the policy, then document the date, scope, and approver in your change record.

I also check the Intune antivirus policy reference because Microsoft sometimes adjusts profile names and prerequisites. In mixed environments, I keep this simple. I use Intune-only or Configuration Manager-only management for the affected devices, because overlapping management makes evidence messy.

“Not configured” does not reverse a prior state. If I need to disable tamper protection for an approved exception, I deploy an explicit Off setting to that scoped group.

One more practical point matters during rollout. Intune policy takes precedence over the tenant-wide Defender portal setting, so I treat Intune as the source of truth for managed endpoints.

How I verify enforcement and package audit evidence

After deployment, I verify on both the device and in the admin portal. On a test machine, I run Get-MpComputerStatus | Select IsTamperProtected. I want a clear True result. I also confirm the device checked in after Defender onboarding, because Microsoft notes there can be a delay before tamper protection lights up on a newly onboarded endpoint.

[Image: Intune device compliance report showing tamper protection status]

For audit support, I capture a small set of evidence and keep it dated.

Evidence          | What I capture                                                                 | Why it helps
Policy proof      | Screenshot of policy settings and assignment summary                           | Shows the control is configured and scoped
Device status     | Intune policy report for targeted devices                                      | Shows enforcement reached endpoints
Device record     | Managed device or compliance record, plus Defender onboarding status           | Ties policy to the specific asset
Validation result | Screenshot of PowerShell output and a blocked local change on a test device    | Shows the control works in practice

I also save version evidence for Defender platform, engine, and security intelligence. That supports troubleshooting and gives assessors a cleaner story. If I need deeper technical backing, I compare my setup to Microsoft’s tamper resiliency guidance.

Limitations, troubleshooting, and exception handling

Some devices need special handling. Lab systems, legacy apps, kiosk builds, and some POS endpoints can behave badly when security settings are locked too tightly. In those cases, I don’t skip documentation. I record the exception, define compensating controls, limit admin access, and set a review date.

If tamper protection does not apply, I check onboarding first. Then I check Defender versions, group assignment, device check-in, and whether a prior policy left the device in a different state. I also confirm the device is in a supported management model. For special-use systems that cannot support the policy, I keep them in a separate group, note the business reason, and add stronger monitoring.
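The device-side checks above (the Get-MpComputerStatus verification, the version evidence for platform, engine, and security intelligence, and the onboarding and check-in triage when the policy does not apply) can be collected in one pass. The script below is an added example written for this page; it is not from the original post or from Microsoft. It assumes an evidence folder at C:\CMMC\Evidence, a JSON record layout of my own design, a -ProveBlocked switch for pilot and test devices only, and the Defender for Endpoint onboarding registry value under HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status. Run it from an elevated PowerShell session.

```powershell
# Added example (not the original post's code): collect tamper protection
# enforcement evidence, version evidence, and onboarding triage facts from
# the local device, then write a dated JSON record for the audit pack.
param(
    [string]$EvidencePath = "C:\CMMC\Evidence",   # assumed audit pack location
    [switch]$ProveBlocked                          # test or pilot devices only
)

# Pull one named value out of dsregcmd /status output (e.g. AzureAdJoined, MdmUrl).
function Get-DsregValue([string[]]$Lines, [string]$Key) {
    $m = $Lines | Select-String -Pattern "^\s*$Key\s*:\s*(.+)$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { $null }
}

$status = Get-MpComputerStatus

# 1. Enforcement: the property the post checks, plus the running mode.
#    TamperProtectionSource is absent on older Defender builds, so read it defensively.
$tpSource = if ($status.PSObject.Properties['TamperProtectionSource']) {
    $status.TamperProtectionSource } else { $null }

$record = [ordered]@{
    CollectedUtc                  = (Get-Date).ToUniversalTime().ToString("o")
    ComputerName                  = $env:COMPUTERNAME
    IsTamperProtected             = $status.IsTamperProtected
    TamperProtectionSource        = $tpSource
    AMRunningMode                 = $status.AMRunningMode
    RealTimeProtectionEnabled     = $status.RealTimeProtectionEnabled
    # 2. Version evidence: platform, engine, and security intelligence.
    AMProductVersion              = $status.AMProductVersion
    AMEngineVersion               = $status.AMEngineVersion
    AntivirusSignatureVersion     = $status.AntivirusSignatureVersion
    AntivirusSignatureLastUpdated = $status.AntivirusSignatureLastUpdated
}

# 3. Triage facts for the "policy does not apply" case: Defender for Endpoint
#    onboarding (Sense service and OnboardingState, where 1 means onboarded)
#    and the Entra join / MDM enrollment that Intune management depends on.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$record.SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { "NotInstalled" }
$onboard = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
    -ErrorAction SilentlyContinue
$record.MdeOnboardingState = if ($onboard) { $onboard.OnboardingState } else { $null }
$dsreg = dsregcmd /status
$record.AzureAdJoined = Get-DsregValue -Lines $dsreg -Key 'AzureAdJoined'
$record.MdmUrl        = Get-DsregValue -Lines $dsreg -Key 'MdmUrl'

# 4. Optional validation result: attempt the local change tamper protection is
#    meant to stop, then read the setting back. A blocked change leaves
#    real-time protection enabled; if it was not blocked, restore it at once.
if ($ProveBlocked) {
    $before = (Get-MpComputerStatus).RealTimeProtectionEnabled
    try {
        Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Stop
    } catch {
        $record.LocalChangeError = $_.Exception.Message
    }
    $after = (Get-MpComputerStatus).RealTimeProtectionEnabled
    $record.LocalChangeBlocked = [bool]($before -and $after)
    if (-not $after) { Set-MpPreference -DisableRealtimeMonitoring $false }
}

# 5. Verdict and dated record for the evidence folder.
$record.Verdict = if ($record.IsTamperProtected -eq $true) { "PASS" } else { "FAIL" }
New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
$file = Join-Path $EvidencePath ("TamperProtection-{0}-{1}.json" -f `
    $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
[pscustomobject]$record | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8
[pscustomobject]$record | Format-List
Write-Host "Evidence written to $file"
```

A FAIL verdict with SenseServiceStatus of NotInstalled or an empty MdeOnboardingState points at onboarding, which is the first thing I check; a FAIL with a healthy Sense service and a populated MdmUrl points instead at group assignment, device check-in, or a prior policy state. Keep the JSON file alongside the console screenshot so the assessor sees the same values in both.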

Conclusion

The strongest value in this control is simple. It reduces the chance that a local change, or malware, can quietly weaken Defender on a CMMC-scoped endpoint.

For me, the winning move is not only turning tamper protection on. It is pairing the setting with evidence that proves deployment, enforcement, and exception handling. That is what makes the control useful in operations and credible during a Level 2 review.

