Public/Test-MDETamperProtection.ps1

function Test-MDETamperProtection {
    <#
    .SYNOPSIS
        Tests if Tamper Protection is enabled.
     
    .DESCRIPTION
        Checks the Tamper Protection status and source of Windows Defender.
        Tamper Protection prevents malicious apps from changing important
        Windows Defender Antivirus settings.
     
    .EXAMPLE
        Test-MDETamperProtection
         
        Tests if Tamper Protection is enabled and reports the source.
     
    .OUTPUTS
        PSCustomObject with validation results.
     
    .NOTES
        Tamper Protection source can be:
        - ATP (Microsoft Defender for Endpoint)
        - Intune (Microsoft Endpoint Manager)
        - ConfigMgr (Configuration Manager)
        - Admin (locally configured by admin)
        - Unknown
    .PARAMETER MpComputerStatus
        Optional Get-MpComputerStatus snapshot. When supplied, the function uses it instead of
        querying Get-MpComputerStatus itself, allowing the caller to share a single query across
        multiple tests. When omitted, the function queries Get-MpComputerStatus directly.
     
    #>

    [CmdletBinding()]
    param(
        [Parameter()]
        $MpComputerStatus
    )
    
    $testName = 'Tamper Protection'
    
    try {
        if ($null -eq $MpComputerStatus) {
            $mpStatus = Get-MpComputerStatus -ErrorAction Stop
        }
        else {
            $mpStatus = $MpComputerStatus
        }
        
        $isTamperProtected = $mpStatus.IsTamperProtected
        $tamperProtectionSource = $mpStatus.TamperProtectionSource
        
        # Build source information string
        $sourceInfo = if ([string]::IsNullOrEmpty($tamperProtectionSource)) {
            ''
        } else {
            " Source: $tamperProtectionSource."
        }
        
        if ($isTamperProtected -eq $true) {
            Write-ValidationResult -TestName $testName -Category 'Tamper Protection' -Expected 'Enabled' -Actual 'Enabled' -Status 'Pass' `
                -Message "Tamper Protection is enabled.$sourceInfo"
        } else {
            Write-ValidationResult -TestName $testName -Category 'Tamper Protection' -Expected 'Enabled' -Actual 'Disabled' -Status 'Fail' `
                -Message "Tamper Protection is disabled.$sourceInfo" `
                -Recommendation "Enable Tamper Protection via Microsoft Defender for Endpoint portal, Intune, or Group Policy. Tamper Protection prevents malicious apps from changing important Windows Defender Antivirus settings."
        }
    }
    catch {
        Write-ValidationResult -TestName $testName -Category 'Tamper Protection' -Expected 'Enabled' -Status 'Fail' `
            -Message "Unable to query Tamper Protection status: $_" `
            -Recommendation "Ensure Windows Defender is properly installed and the Defender PowerShell module is available."
    }
}