"Windows Defender Advanced Threat Protection" remove service

Anonymous
2024-05-28T13:52:00+00:00

Hello All,

I have Windows 2012R2 servers subscribed to ESU.

On these servers, the Windows Defender Advanced Threat Protection service is running, and even after disabling it in GPO, it's not getting disabled.

How can I disable this service?

Registry change is not permitted (Access denied), and the service properties are grayed out.

Is there any way I can disable / uninstall "Windows Defender Advanced Threat Protection"?

Thanks

Balchandra




6 answers

  1. Anonymous
    2024-05-29T02:05:13+00:00

    Hello,

    Thank you for posting in Microsoft Community forum.

    Based on the description, I understand your question is related to disabling / uninstalling the "Windows Defender Advanced Threat Protection" service.

    1. Open cmd as admin, then run the command below to disable the Windows Defender Advanced Threat Protection service: wdavideoconfig.exe -disable
    2. You can also consider turning off Defender antivirus protection in Windows Security temporarily:
    • Select Start and type "Windows Security" to search for that app.
    • Select the Windows Security app from the search results, go to Virus & threat protection, and under Virus & threat protection settings select Manage settings.
    • Switch Real-time protection to Off.

     Turn off Defender antivirus protection in Windows Security - Microsoft Support

    Have a nice day. 

    Best Regards,

    Molly

  2. Anonymous
    2024-05-29T15:59:27+00:00

    Thank you Molly for your response,

    The OS is Windows Server 2012R2.

    I've removed the Defender feature from the server, hence there is no Defender graphical interface to perform:

    • Select Start and type "Windows Security" to search for that app.
    • Select the Windows Security app from the search results, go to Virus & threat protection, and under Virus & threat protection settings select Manage settings.
    • Switch Real-time protection to Off.

    Also, I do not see "wdavideoconfig.exe".

    All our 2012R2 servers have ESU and Azure Arc installed (which is mandatory for ESU).

    Using Get-MpPreference I can see:

    AllowDatagramProcessingOnWinServer : False
    AllowNetworkProtectionDownLevel : False
    AllowNetworkProtectionOnWinServer : False
    AllowSwitchToAsyncInspection : False
    ApplyDisableNetworkScanningToIOAV : False
    AttackSurfaceReductionOnlyExclusions :
    AttackSurfaceReductionRules_Actions :
    AttackSurfaceReductionRules_Ids :
    AttackSurfaceReductionRules_RuleSpecificExclusions :
    AttackSurfaceReductionRules_RuleSpecificExclusions_Id :
    CheckForSignaturesBeforeRunningScan : False
    CloudBlockLevel : 0
    CloudExtendedTimeout : 0
    ComputerID : 7D58BEC6-73CF-8902-82BE-00D0DBAE7AFB
    ControlledFolderAccessAllowedApplications :
    ControlledFolderAccessProtectedFolders :
    DefinitionUpdatesChannel : 0
    DisableArchiveScanning : False
    DisableAutoExclusions : False
    DisableBehaviorMonitoring : False
    DisableBlockAtFirstSeen : True
    DisableCacheMaintenance : False
    DisableCatchupFullScan : True
    DisableCatchupQuickScan : True
    DisableCpuThrottleOnIdleScans : True
    DisableDatagramProcessing : False
    DisableDnsOverTcpParsing : False
    DisableDnsParsing : False
    DisableEmailScanning : True
    DisableFtpParsing : False
    DisableGradualRelease : False
    DisableHttpParsing : False
    DisableInboundConnectionFiltering : False
    DisableIOAVProtection : True
    DisableNetworkProtectionPerfTelemetry : False
    DisablePrivacyMode : False
    DisableQuicParsing : False
    DisableRdpParsing : False
    DisableRealtimeMonitoring : True
    DisableRemovableDriveScanning : True
    DisableRestorePoint : True
    DisableScanningMappedNetworkDrivesForFullScan : True
    DisableScanningNetworkFiles : False
    DisableScriptScanning : False
    DisableSmtpParsing : False
    DisableSshParsing : False
    DisableTlsParsing : False
    EnableControlledFolderAccess : 0
    EnableConvertWarnToBlock : False
    EnableDnsSinkhole : True
    EnableFileHashComputation : False
    EnableFullScanOnBatteryPower : False
    EnableLowCpuPriority : False
    EnableNetworkProtection : 0
    EngineUpdatesChannel : 0
    ExclusionExtension :
    ExclusionIpAddress :
    ExclusionPath :
    ExclusionProcess :
    ForceUseProxyOnly : False
    HideExclusionsFromLocalUsers : True
    HighThreatDefaultAction : 0
    IntelTDTEnabled :
    LowThreatDefaultAction : 0
    MAPSReporting : 2
    MeteredConnectionUpdates : False
    ModerateThreatDefaultAction : 0
    OobeEnableRtpAndSigUpdate : False
    PerformanceModeStatus : 1
    PlatformUpdatesChannel : 0
    ProxyBypass :
    ProxyPacUrl :
    ProxyServer :
    PUAProtection : 0
    QuarantinePurgeItemsAfterDelay : 90
    RandomizeScheduleTaskTimes : True
    RealTimeScanDirection : 0
    RemediationScheduleDay : 0
    RemediationScheduleTime : 02:00:00
    ReportDynamicSignatureDroppedEvent : False
    ReportingAdditionalActionTimeOut : 10080
    ReportingCriticalFailureTimeOut : 10080
    ReportingNonCriticalTimeOut : 1440
    ScanAvgCPULoadFactor : 50
    ScanOnlyIfIdleEnabled : True
    ScanParameters : 1
    ScanPurgeItemsAfterDelay : 15
    ScanScheduleDay : 0
    ScanScheduleOffset : 120
    ScanScheduleQuickScanTime : 00:00:00
    ScanScheduleTime : 02:00:00
    SchedulerRandomizationTime : 4
    ServiceHealthReportInterval : 60
    SevereThreatDefaultAction : 0
    SharedSignaturesPath :
    SharedSignaturesPathUpdateAtScheduledTimeOnly : False
    SignatureAuGracePeriod : 0
    SignatureBlobFileSharesSources :
    SignatureBlobUpdateInterval : 60
    SignatureDefinitionUpdateFileSharesSources :
    SignatureDisableUpdateOnStartupWithoutEngine : False
    SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
    SignatureFirstAuGracePeriod : 120
    SignatureScheduleDay : 8
    SignatureScheduleTime : 01:45:00
    SignatureUpdateCatchupInterval : 1
    SignatureUpdateInterval : 0
    SubmitSamplesConsent : 1
    ThreatIDDefaultAction_Actions :
    ThreatIDDefaultAction_Ids :
    ThrottleForScheduledScanOnly : True
    TrustLabelProtectionStatus : 0
    UILockdown : False
    UnknownThreatDefaultAction : 0
    PSComputerName :

  3. Anonymous
    2024-05-30T06:10:51+00:00

    Hello,

    If you have the necessary permissions, you can try modifying the registry to disable the service.

    Locate the registry key associated with the Defender ATP service under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    Look for the specific service entry related to Defender ATP and modify its properties to disable it.

    Note that making registry changes can be risky, so proceed with caution and back up before doing the operation.

    Best regards,

    Molly

  4. Anonymous
    2024-05-31T00:09:13+00:00

    I did try that, setting the 'Sense' service as disabled,

    but it says access denied. I even tried scheduling a task as the SYSTEM user, but my PowerShell script got quarantined even though AV real-time protection and 'IsProtected' are false.

    Thanks

    Balchandra Modak

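A read-only triage script, added here and not part of any answer in this thread, that reports the facts behind the "access denied" and the quarantined script described above: whether the server is onboarded to Microsoft Defender for Endpoint (in which case the 'Sense' sensor is managed by the tenant and is removed with the offboarding package from the Defender portal, not locally) and whether tamper protection is on. It assumes the service name 'Sense' from the thread, the standard MDE onboarding status key under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status, and that Get-MpComputerStatus is available; run it from an elevated PowerShell.

```powershell
# Read-only triage of the "Windows Defender Advanced Threat Protection"
# service ('Sense'). Added example for this thread, not code from any
# answer in it. Assumes: service name 'Sense' (named in the thread), the
# MDE onboarding status key under HKLM\SOFTWARE\Microsoft\Windows
# Advanced Threat Protection\Status, and that the Defender PowerShell
# module (Get-MpComputerStatus) is present. Nothing here changes state.

$report = [ordered]@{}

# 1. Service state via WMI (works on the PowerShell 4 shipped with 2012R2,
#    where Get-Service has no StartType property).
$svc = Get-CimInstance Win32_Service -Filter "Name='Sense'"
if ($svc) {
    $report.SenseState     = $svc.State       # Running / Stopped
    $report.SenseStartMode = $svc.StartMode   # Auto / Manual / Disabled
    $report.SenseBinary    = $svc.PathName    # normally MsSense.exe
} else {
    $report.SenseState = 'service not installed'
}

# 2. Onboarding state. 1 means the device is onboarded to Microsoft Defender
#    for Endpoint: the sensor is then governed by the tenant, local GPO and
#    registry edits are refused, and the supported way to stop it is the
#    offboarding package generated in the Defender portal.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onb = Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue
$report.OnboardingState = if ($onb) { $onb.OnboardingState } else { 'key absent (not onboarded)' }

# 3. Defender AV state. With tamper protection on, local changes to AV
#    settings fail with access denied even for administrators and SYSTEM;
#    real-time protection can be off (as in the Get-MpPreference output
#    above) while the EDR sensor keeps running, and a script that tries to
#    disable it can be detected and quarantined, as reported in this thread.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $report.IsTamperProtected         = $mp.IsTamperProtected
    $report.RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    $report.AMRunningMode             = $mp.AMRunningMode
}

# 4. Service DACL in SDDL form: shows whether the "access denied" on the
#    service comes from its ACL rather than from policy.
$report.SenseSddl = (& sc.exe sdshow Sense 2>$null) -join ' '

[pscustomobject]$report | Format-List
```

On Azure Arc-enabled servers the sensor is commonly deployed by Defender for Servers through the MDE.Windows extension; if that is the case here, whether to offboard the machine is a decision for the owner of that Defender for Cloud plan rather than a local change.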
  5. Anonymous
    2024-06-03T06:56:53+00:00

    Hello,

    If it says access denied, maybe you need to change to an administrator account with full access, then recheck the registry setting.

    Best regards,

    Molly
