This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 78%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMO%3C/text%3E%3C/svg%3E)
I have Defender for Endpoint set up on Windows 10 devices. The enrollment was done in Defender (without enrolling them directly in Microsoft Intune). However, MDE has been allowed to apply security settings in Intune.
A highlight of the policies is that tamper protection has been enabled for all devices.
Even with these settings, local users are allowed to perform the image actions (Restore or Remove Threats).
Also, I've seen that this restriction is available on Linux and MacOS under the key "disallowedThreatActions".
My intention is to disable these options.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Moises Orlando La Torre Dávila, Thanks for posting in Q&A. Based on my checking, I find windows haven't provide the CSP to disable threat actions yet. Therefore, from Intune, we don't have this setting for windows either.
But after researching more, I find when we set "User defined" for Actions for detected threats. The user needs to make the decision on which action to take. Therefore, the remove and restore will show. If we change to other action like Quarantine or Block. I think the remove and restore will not show. You can try this to see if it can work.
Please try the above suggestion and if there's any update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.