If you have a managed device and Tamper Protection is enabled, all settings are protected and cannot be changed or disabled. Even local administrators cannot interfere with Defender for Endpoint at that point.
But sometimes there are issues that need to be solved. Because of this, there is a so-called troubleshooting mode in Defender for Endpoint that allows you to temporarily change settings locally.
By default, troubleshooting mode is disabled and requires explicit enablement for a specific device or device group from the Microsoft Defender portal.
When troubleshooting mode is active on a device, it is temporarily possible to disable tamper protection locally using Set-MPPreference -DisableTamperProtection $true. Subsequently, for example, antivirus can be deactivated, security settings can be changed locally, including for example disabling cloud protection, etc.
While troubleshooting mode is enabled, all actions are audited. A snapshot of MpPreference is taken before activating troubleshooting mode and a second snapshot is taken just before deactivating troubleshooting mode.
Troubleshooting mode is active for a maximum of 4 hours and is then automatically deactivated. When troubleshooting mode is deactivated, all settings revert back to their original values.
If any changes are applied to the device centrally via Intune during troubleshooting mode, the changes are applied, but will not take effect until after troubleshooting mode has ended. Antivirus platform updates are suspended during troubleshooting mode.
How to activate troubleshooting mode in Microsoft Defender for Endpoint
To activate troubleshooting mode, go to the Devices tab in the Microsoft Defender portal. Select the device on which you want to activate troubleshooting mode and click the three dots in the top right corner of the device and select Turn on troubleshooting mode.
Once activation is confirmed, troubleshooting mode will be activated on the device for 4 hours.
