Windows Defender (AV) not disabling

James Wilmoth 21 Reputation points
2021-01-07T15:59:32.483+00:00

I work for an MSP, and our client has Cylance. For some reason, Windows Defender (AV) will not disable.

Endpoints in question: Windows 10 Pro, domain joined
Domain functional level: Windows Server 2012 R2

My first attempt was to configure a domain GPO: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender > Turn off Windows Defender = Enabled

I confirmed the endpoints restarted and took the GPO. However, Get-MpComputerStatus returns:

BehaviorMonitorEnabled    : True
IoavProtectionEnabled     : True
IsTamperProtected         : True
NISEnabled                : True
OnAccessProtectionEnabled : True
RealTimeProtectionEnabled : True

I then invoked: Set-MpPreference -DisableBehaviorMonitoring $True -DisableIntrusionPreventionSystem $True -DisableIOAVProtection $True -DisableRealtimeMonitoring $True -DisableScriptScanning $True -DisableArchiveScanning $True -DisableCatchupFullScan $True -DisableCatchupQuickScan $True -DisableEmailScanning $True -DisableRemovableDriveScanning $True -DisableRestorePoint $True -DisableScanningMappedNetworkDrivesForFullScan $True -DisableScanningNetworkFiles $True

But Get-MpComputerStatus still returns:

BehaviorMonitorEnabled    : True
IoavProtectionEnabled     : True
IsTamperProtected         : True
NISEnabled                : True
OnAccessProtectionEnabled : True
RealTimeProtectionEnabled : True

Please advise how to completely disable Windows Defender (AV). However, please keep in mind I want to keep Windows Defender Firewall enabled.

Thanks!


5 answers

  1. Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,761 Reputation points Microsoft Vendor
    2021-01-08T03:44:57.513+00:00

    Hi,

    My first attempt was to configure a domain GPO: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender > Turn off Windows Defender = Enabled

    If you would like to disable Windows Defender via GPO, you may need to configure all of the policies below.

    1. Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus
      Turn off Windows Defender Antivirus - Enabled
    2. Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Real-time Protection
      Turn on behavior monitoring - Disabled
      Monitor file and program activity on your computer - Disabled
      Turn on process scanning whenever real-time protection is enabled - Disabled

    If it still does not work, please try the registry settings and check the result. You can follow the steps in the article below.
    https://www.windowscentral.com/how-permanently-disable-windows-defender-antivirus-windows-10

    If the problem persists, please try to delete the WinDefend key in registry editor (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend).

    You'd better export the key first as a backup; then, if you want Defender back, you can import the saved key back into the registry.
    The key may be returned after certain Windows updates, so you will have to delete it again.

    Thanks,

    Eleven


  2. James Wilmoth 21 Reputation points
    2021-01-13T13:08:32.183+00:00

    Hey Eleven,

    The GPO settings you mentioned do not exist, perhaps because the domain functional level is Server 2012 R2?

    56138-20210113-080611-ncentralrdviewer.png

    56194-20210113-080645-ncentralrdviewer.png


  3. Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,761 Reputation points Microsoft Vendor
    2021-01-14T01:44:31.737+00:00

    Hi,

    You need to open the Real-time Protection folder.
    56384-image.png

    Thanks,
    Eleven


  4. James Wilmoth 21 Reputation points
    2021-02-02T16:14:01.743+00:00

    Hey @Eleven Yu (Shanghai Wicresoft Co,.Ltd.) ,

    On 1/29/2020, I updated the default domain GPO as per your instructions. Unfortunately, it does not appear to have worked.

    Figure 1: Result when I use Get-MpComputerStatus
    63084-20210202-111424-chrome.png

    Figure 2: Group modeling results
    63076-20210202-111026-ncentralrdviewer.png

    UPDATE: Actually, it looks like the user last restarted the computer the day before I implemented the GPO changes. I'll update here again as soon as I confirm results after I ask the user to restart the computer.


  5. James Wilmoth 21 Reputation points
    2021-02-04T21:24:10.193+00:00

    Hey @Eleven Yu (Shanghai Wicresoft Co,.Ltd.) ,

    Unfortunately, even post reboot, I am getting incorrect results:

    Figure 1: For LAPTOP127 (the one in the previous screenshot where I tested Group Policy Results)

    BehaviorMonitorEnabled    : True  
    IoavProtectionEnabled     : True  
    IsTamperProtected         : True  
    NISEnabled                : True  
    OnAccessProtectionEnabled : True  
    RealTimeProtectionEnabled : True  
    

    Figure 2: For LAPTOP17 (which also has the GPO applied and restarted)

    BehaviorMonitorEnabled    : True  
    IoavProtectionEnabled     : True  
    IsTamperProtected         : True  
    NISEnabled                : True  
    OnAccessProtectionEnabled : True  
    RealTimeProtectionEnabled : True  
    

    Figure 3: LAPTOP17 also now shows:

    64168-image.png

    The intention was never to disable the firewall, especially not the Guest or public networks profile
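
An added read-only diagnostic for the situation in this thread (not code from any of the posters): it gathers, in one report, the facts that decide whether the GPO or `Set-MpPreference` changes can take effect. With `IsTamperProtected : True`, as in the outputs above, Defender ignores attempts to switch off its protection features through policy, registry or PowerShell. The report field names are labels chosen for this example.

```powershell
# Added example: read-only checks, run in an elevated session on the endpoint.
$status = Get-MpComputerStatus

# Running mode is not reported by older Defender platform versions.
$mode = if ($status.PSObject.Properties.Name -contains 'AMRunningMode') {
    $status.AMRunningMode
} else {
    'not reported'
}

# Value written by the "Turn off Windows Defender" policy (absent = not applied).
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$polVal = (Get-ItemProperty -Path $polKey -Name 'DisableAntiSpyware' `
    -ErrorAction SilentlyContinue).DisableAntiSpyware

# Antivirus products registered with Windows Security Center (client editions).
$registered = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
    -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.displayName })

# Field names below are labels chosen for this example.
$report = [pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    TamperProtected     = $status.IsTamperProtected
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    BehaviorMonitor     = $status.BehaviorMonitorEnabled
    RunningMode         = $mode
    PolicyDisableValue  = if ($null -eq $polVal) { 'not set' } else { $polVal }
    RegisteredAntivirus = $registered -join ', '
}
$report | Format-List

# Interpret the two combinations seen in this thread.
if ($report.TamperProtected -and $report.RealTimeProtection) {
    Write-Warning ('Tamper Protection is on: changes made by GPO, registry ' +
        'or Set-MpPreference to these settings are ignored.')
}
if ($null -ne $polVal -and $report.RealTimeProtection) {
    Write-Warning ('The policy value reached this machine, but real-time ' +
        'protection is still on: the policy is applied and not honoured.')
}
```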

