This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 95%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAZ%3C/text%3E%3C/svg%3E)
Hi,
I'm using Windows 10 x64 Professional. It's a standalone machine, and I'm an administrator.
Whenever I start gpedit and disable Windows Defender Antivirus (Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus) by activating the policy "Turn off Windows Defender Antivirus", the change does not persist. Instead, the setting is reverted immediatelly.
Using procmon, I was able to capture the behavior. The cause is that MsMpEng reenables itself:
In the first line, svchost (group policy services) correctly sets the value to 1 as a consequence of me changing the policy via gpedit.
In the last line, msmpeng deletes this value. My question is: Why? It shouldn't do this because it's my wish to disable it. What can I do to prevent this?
Link to a video (30 s) showing the behavior:
https://1drv.ms/v/s!AmeoV9EbVmSSgn0HC3ZHxIqCbW2H
Using Windows Performance Recorder, I was able to get the stack when the value is deleted:
KernelBase.dll!RegDeleteValueW
MpSvc.dll!CommonUtil::UtilRegDeleteValue
MpSvc.dll!UtilRemovePolicyEx
MpSvc.dll!RemoveDisableSvcConfigsUnderPolicy
MpSvc.dll!CheckProductDisabled
MpSvc.dll!RootConfigCallback
MpClient.dll!MpConfig::CConfigNotificationCallback::ForwardOnNotify
MpClient.dll!MpConfig::CRootNotificationCallback::OnNotify
MpClient.dll!NMpRegistryStorage::CKeyNotificationCallback::OnNotify
MpClient.dll!MpConfig::CNotificationsRouterCallback::OnNotify
MpClient.dll!CommonUtil::CNotificationsRouter::Send
MpClient.dll!MpConfig::CStorageNotificationsHandler::OnAction
MpClient.dll!CommonUtil::CMpSimpleThreadPool::AsyncDequeue
(to be continued in next comment due to size limit)
...continued:
I can only guess that "CheckProductDisabled" means that it checks if there's another virus scanner active. If not, Windows Defender reenables itself. But it shouldn't because I'm an administrator that disabled it.
In safe mode, my group policy change is persistent. That means, if I restart gpedit, it's still there. Great.
However, if I restart Windows normally, my setting is gone again. According to the event log, this happens during boot.
I've tried to capture this behavior again by creating a boot log using WPR, but in safe mode, I'm not able to start "Boot" recording.
In the event log (Microsoft-Windows-Windows Defender/Operational), nothing is logged about these events.
Edit:
The Problem is the same if I change the setting from a different Windows account (also an administrator).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Armin Zingler ,
Thank you for your update.
We try to check the following options to see if it helps.
1.If we install all the updates for this machine.
2.We can try to perform a clean boot and check if this group policy change is persistent.
How to perform a clean boot in Windows
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows
3.Or reset the machine operating system.
Best Regards,
Daisy Zhou
Thank you for the hints @Daisy Zhou .
In short, hint #2 was very helpful. After disabling all none-Microsoft services, the problem disappeared. However, after a normal start, it still works, so I can change the GP setting as I like forth and back. This is great, but I wasn't able to narrow it down with several attempts, so it "just works" now. Very good.
I do not know what caused the problem. The none-Microsoft services are related to printer, audio, graphics, the Sysmon64 service and Comodo firewall (just firewall, no AV) that I use for years without that problem. Anyway, it works now and I know what to do next time. (BTW, disabling Defender in the group policies is just temporarily.)
Thanks again for your support!
Hello @Armin Zingler ,
Thank you for your update and accepting my reply as answer. I’m very glad that the information is helpful.
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!
Have a nice day!
Best Regards,
Daisy Zhou
Hello,
Do you ever installed third-party AV program? If yes, try completely removing it and see if it makes any differences.
Regards.
Hi, and thanks for your reply.
No, there is (and was) no 3rd party AV installed.
I've reinstalled Windows only two month ago. With the previous installation, I had the same problem once. I could "solve" it by temporarily disabling Windows Updates. This time, it did not help.
I'm going to add some additional information to my question that I just found out.
Hello @Armin Zingler ,
Thank you for posting here.
From the following link, we can see:
Microsoft Defender Antivirus compatibility
https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility
Hope the infomation above is helpful.
Best Regards,
Daisy Zhou
Hello @Daisy Zhou ,
thank you for your reply. I'm glad about every piece of information.
I read the text several times. It tells me two things: 1. Antivirus is installed and enabled automatically by default, 2. What happens if a 3rd party product is used. The latter does not apply to my machine, and EDR is not available.
It does not answer my question why the group policy setting ist deleted immediatelly. This should not happen in any case. In the worst case, my setting would be ignored but never it should be deleted. The policy is an administrator's setting that is there to do what it's made for. If it was useless, it shouldn't be there, and it's not mentioned anywhere that it has no effect. Moreover, it has already worked reliably in the past.
Though, thanks again for your help.
I've added a link to a video (30 s) showing the behavior to my initial post:
https://1drv.ms/v/s!AmeoV9EbVmSSgn0HC3ZHxIqCbW2H
Hey,
I think I found out a very good workaround for the POLICY Setting getting reset to "Not Configured" every time you restart Group Policy Editor. I had the same problem and guessed out (correctly) that it was MsMpEng.exe running in the background that was resetting the policy back to "Not Configured".
So, before making any changes to the policy, head over to Task Manager, then to Performance Monitor from the Performance tab. Find MsMpEng.exe in any of the tabs in it (mostly on top in Memory or CPU tabs) and click on Suspend Process.
Then make the changes as required in the Group Policy Editor. It won't get reverted back. Please reply if it works, or didn't work.
NOTE :- Keep the MsMpEng.exe process suspended for as long as you like XD