Microsoft makes it difficult to disable Windows Defender on Windows 10
Microsoft Defender Antivirus is the default antivirus protection on the company's Windows 10 operating system. If administrators don't install a different antivirus solution, Windows Defender Antivirus is enabled and will protect the system in various ways.
Administrators may configure some settings of the program in the Windows 10 Settings application; this includes turning various security features such as cloud-delivered protection, tamper protection, exploit protection or ransomware protection on or off. What administrators cannot do is disable the program entirely using the Settings app. Disabling real-time protection offers a temporary recourse only as it is automatically enabled again by the operating system.
Microsoft released an update for the security program earlier this month that introduced two major changes to it. The first made Microsoft Defender Antivirus flag hosts file manipulations as malicious if they contained entries for certain Microsoft servers, mostly Telemetry servers used to submit data from the Windows 10 device to Microsoft.
The second change came to light just recently. It appears that Microsoft disabled the Registry key DisableAntiSpyware which administrators could use to disable Microsoft Windows Defender.
Most users should not deactivate Microsoft Defender Antivirus if no other antivirus program is active on the system. In some situations, it may be required to disable the tool:
- If an installed antivirus solution did not lead to Microsoft Defender Antivirus disabling itself.
- If the user needs to disable the software because of incompatibilities.
- If no antivirus software is required.
Our colleagues over at Deskmodder note that third-party software such as Defender Control should still work. The equally excellent Configure Defender may work as well.
It is unclear at this point in time if the Group Policy options to disable Windows Defender still work.
Most third-party antivirus solutions come with options to turn off the protection. While not advised, the programs do give users the choice to do so if they choose that option.
Are the two changes in the latest version of Microsoft Windows Defender related? Microsoft is tight-lipped about the changes and it seems unlikely that it is going to release a public statement about either of these.
Now You: Which antivirus solution do you use, and why?
who cares about this obsolete data collecting platform? Win7 works flawlessly.
Martin, you could have tested the GPO for us before you published the article. 😜
I would, but at the time, I had only access to a Home system ;)
Of course it works: https://i.imgur.com/9r8ve1z.png
Virus & threat protection https://i.imgur.com/kTZrByB.png
Yeah apparently it still works, people still need to make sure to turn Tamper Protection off though so keys to disable realtime protection or the whole Microsoft defender will not get reset.
I found there is like a bug or misbehavior that can prevent Group Policy to set DisableAntiSpyware correctly and it gets reset every time you restart though. When you configure a policy, a key in registry Group Policy Objects is created containing the rules for Machine and User with a random identifier number that changes every time you restart. That GPO key gets removed on restart, but sometimes the problem is that it contains also old keys with old policies with an old random identifier preventing GPO key to get deleted, and for some reason it causes DisableAntiSpyware value to never go to Software\Policies and only stay in GPO key, so on restart it gets lost since it was never written in the correct place to take action.
But it is easily fixed by removing those old keys (careful of not removing the current one being used, if not GP will completely break) and then Group Policy Objects will do its job correctly and write DisableAntiSpyware value in Software/Policies and it doesn’t seem to get removed or ignored by Defender.
So as long as Tamper Protection is off, it seems to work, even DisableAntiSpyware in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender works even if it gets reset after a while. But if it was true that DisableAntiSpyware is discontinued and ignored then why would Defender get disabled in the first place?
I think the problem is people are reading this issue wrongly, because the Microsoft documentation that is talking about DisableAntiSpyware it is the one about unattended installations, not about policies or the service itself. So to me, what this is talking about is how you can’t disable Defender on the customized/unattended installation of Windows, but it seems you can still do it once Windows is installed, because it is working.
Of course, people HAVE to make sure they disable Tamper Protection if not some Defender policies will get reset. But it seems like it is still working.
but like I said, even if MS really disables DisableAntiSpyware value from all places, disabling Defender services is not difficult to do to make drama about it, or even just disabling realtime protection which is the bad thing about Defender because it slows down everything since it uses CPU and Disk like crazy should be enough for most as well.
Thanks for sharing your knowledge about disabling Defender. Could you clarify about which GPO key I should delete? I can see two keys; Machine and User. I presume Machine key is in use because I recognise the custom settings I made in there.
Just to make sure you don’t break GP, if you closed GP and you still see two keys inside GPO log out and log in quickly if you can, if you open registry and still see 2 keys then you can remove them because GPO is a temporary key that has to be removed as soon as you close GP.
But the safest way to ensure you don’t break GP is just to configure any policy temporarily, if you then see the same two keys being modified then don’t delete anything. But if you see four keys (since you already said you have two) then just make sure you are deleting the one that doesn’t have the temp policy change. That’s all, then it should disappear when you close GP. GPO key should only be created again until you configure a policy.
But GPO key has to have 2 sub keys for Machine and User policies, the identifier seems to be random every time you open GP and modify a policy. When you modify a policy then changes get saved to registry.pol file in C:\Windows\System32\GroupPolicy\Machine(or user). That registry.pol is the file that GP reads in order to see if you have configured a policy or not and if enabled or disabled, etc, so if that file gets corrupted and you can’t open GP because of an error, then you have to delete it and reconfigure every policy again.
But I saw that DisableAntiSpyware was the only policy that wasn’t added correctly to Policies registry key when set to Enabled. When I set it to disable it, it would appear in Windows Defender Policies key no problem but not when set to Enabled, so it got reset to “not configured” on restart or it would stay as Enable without doing anything (even worse), making it seem like “Oh yeah Microsoft killed DisableAntiSpyware” but no, it is just a weird behavior because I was using GP to set it to enable and GP wasn’t doing the job correctly, because when I added the registry key manually like it is done for a Win10 Home pc, it still worked fine and says about being managed by organization and all that, but it’s not getting ignored by Defender at all (or at the moment), so it seems that as long as you disable Tamper Protection which is a pretty important step after 2004 update, then Defender should stay disabled if the policy DisableAntiSpyware is set to enabled.
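The registry.pol file mentioned in the comment above can be audited offline for policy entries that switch Defender protection off, which is useful when checking whether a machine's local Group Policy actually contains DisableAntiSpyware. The Python below is an added example, not code from the commenters or from Microsoft. It assumes the PReg version 1 layout (`[key;value;type;size;data]` in UTF-16LE) and that the policies live under `Software\Policies\Microsoft\Windows Defender`, with `DisableRealtimeMonitoring` as the value behind "Turn off real-time protection"; the function names and the sample bytes are constructed for illustration.

```python
import struct

U16, REG_DWORD = "utf-16-le", 4                 # string encoding, registry value type
PREG_HEADER = b"PReg" + struct.pack("<I", 1)    # signature + format version 1
DEFENDER = r"Software\Policies\Microsoft\Windows Defender"
WATCH = {(DEFENDER.lower(), "disableantispyware"),    # DWORD 1 = protection off
         ((DEFENDER + r"\Real-Time Protection").lower(), "disablerealtimemonitoring")}

def _cstr(buf, pos, delim):
    """Require the UTF-16LE delimiter at pos, then read a NUL-terminated string."""
    if buf[pos:pos + 2] != delim.encode(U16):
        raise ValueError(f"expected {delim!r} at offset {pos}")
    end = pos = pos + 2
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode(U16), end + 2

def parse_pol(buf):
    """Yield (key, value_name, type, data) for each [key;value;type;size;data]."""
    if buf[:8] != PREG_HEADER:
        raise ValueError("not a PReg version 1 file")
    pos = 8
    while pos < len(buf):
        key, pos = _cstr(buf, pos, "[")
        name, pos = _cstr(buf, pos, ";")
        head = buf[pos:pos + 14].ljust(14, b"\0")    # ;type;size; (padded if cut short)
        s1, rtype, s2, size, s3 = struct.unpack("<2sI2sI2s", head)
        end = pos + 14 + size
        if (s1, s2, s3) != (b";\0",) * 3 or buf[end:end + 2] != b"]\0":
            raise ValueError(f"malformed entry at offset {pos}")
        yield key, name, rtype, buf[pos + 14:end]
        pos = end + 2

def defender_disabling_policies(buf):
    """Return (key, value_name) pairs that set a watched value to DWORD 1."""
    return [(k, n) for k, n, t, d in parse_pol(buf)
            if (k.lower(), n.lower()) in WATCH and (t, d) == (REG_DWORD, b"\x01\0\0\0")]

# Constructed sample (not read from a real machine) and the helper that encodes it.
def build_entry(key, name, value):
    return (f"[{key}\0;{name}\0;".encode(U16)
            + struct.pack("<I2sI2sI2s", REG_DWORD, b";\0", 4, b";\0", value, b"]\0"))

SAMPLE = PREG_HEADER + b"".join([
    build_entry(r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", 1),
    build_entry(DEFENDER, "DisableAntiSpyware", 1),
    build_entry(DEFENDER + r"\Real-Time Protection", "DisableRealtimeMonitoring", 0),
])
```

To audit a real machine, pass the bytes of the Machine registry.pol to `defender_disabling_policies`; an empty list means the file holds no watched value set to 1.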
Hi Tom, I tried deleting my 2 old GPO keys and unfortunately still cannot disable Defender. I verified that the old keys are truly gone because only 2 GPO keys appear whenever I open gpedit.msc. I took an extra step by deleting registry.pol and recreating it with “gpupdate /force” but no luck. Also checked Tamper Protection and it’s off.
I’m starting to think I have a different issue compared to yours. My Turn Off Defender policy would reset as soon as I close and reopen gpedit.msc. Whereas your policy resets after computer reboot. Ironically my DisableAntiSpyware registry key is the only thing that successfully turns off Defender (but for only ~5min).
The rest of my GP work fine and they are: [Disabled]Configure Automatic Updates, [Enabled]Do not include drivers with Windows Updates, and [Enabled]Turn off real-time protection. The final step I’m thinking of doing is to run DISM and SFC but I’ll do that once I’m confident the latest Windows Update is stable enough to install.
Could I ask what OS build and Windows Defender version you’re running on? I want to confirm that we’re on the same page. Here’s mine:
OS Build: 19041.388
Windows Defender: 4.18.2008.4
I have had to turn Windows Defender back on in Windows 10 2004. Not sure Pheckpul is fully aware. Been working on a new Golden Image for work, and Windows Defender is a pain!
The Group Policy resets and disables itself. The same goes for Registry items. It has been really annoying…
Those silly federal security requirements, Microsoft wishes they could ignore them.
Too bad for the hundreds of millions of people running Home and Pro who will have their data stolen by MS.
The US government is obviously lost. What is the EU doing about all this? The EU is fine with US corporations stealing the data of practically every European?
“Most third-party antivirus solutions come with options to turn off the protection. While not advised, the programs do give users the choice to do so if they choose that option.”
It IS advised to disable Defender as no two real-time A/V apps should run at the same time.
Run Autoruns as admin and slaughter everything with the word defender in it. It defends absolutely nothing, except Microsoft’s revenue streams. It should be renamed Window Offender or Windows Adkeeper. Yes, you agreed to be continuously violated and molested by Microsoft when you installed Windows 10, so this is just what you agreed to. Remember, the computer may be yours, maybe even your files too..(Hello there mr. NSA, how are you today?) but the operating system does NOT belong to you. Someone people listen to and believe should post a video showing exactly what’s going on all the time in the background on a Windows 10 system. That would ruffle some feathers! So, linux: Any takers? Anyone?
“So, linux: Any takers? Anyone?”
Good to see the Linux preachers still out in force trying to convert the ‘heathens’ ;-)
But as I’ve said before: Linux/Ubuntu is simply not suitable for many many laptops because of the well known issue of “high CPU / constantly running fans”.
“The first made Microsoft Defender Antivirus flag hosts file manipulations as malicious if they contained entries for certain Microsoft servers, mostly Telemetry servers used to submit data from the Windows 10 device to Microsoft.”
Nothing explains better what’s the purpose behind the development of Win10 inOS! ;)
If only all the data gathered was used to achieve what users really want:
-more stability and performance
-stable and secure updates
-no useless processes running in background
-no useless resource consuming data gathering
WD? WF? Never used and never will, it offers a little protection at a high price (nothing’s free) and causes a lot of problems. I prefer to rely on the protection offered by the european ESET, not only has a little footprint and respects user choice in regards to data submission, but also it’s able to block Win10 spywa.
Windows Defender has been topping the virus-testing lab charts for a couple of years now, so it’s not offering ‘a little protection’…
I just checked and I have 4.18.2007.8 and DisableAntiSpyware still works, even the one on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender works as expected with the button asking to enable services. But even without DisableAntiSpyware as long as Tamper Protection is off just disabling the RealTimeMonitoring should be okay for most people. People can also disable defender services, so it really gets disabled.
I mean, if people want to disable it, they can really do it, if they are tech savvy to want to disable Defender and use internet without any antivirus or anything, then they will be able to turn it off without any 3rd party app. But you know, most people don’t even care or know about Defender to really want to disable it, many probably installed a 3rd party antivirus anyway since they think windows has no protection at all like old days, so I think it will be the same situation we lived before the supposedly removal of DisableAntiSpyware, Disabling it won’t be as easy as adding the registry key obviously, but it is still not difficult to do.
So it’s “should”, “may” and “unclear” as far as working around it goes. It would have been far more useful to wait until you actually know.
I have successfully uninstalled Windows defender on each version of Windows 10; uninstalled it in its entirety. There are no folders left on C: drive and the icon on the taskbar removed. I use a mixture of gpedit.msc, take ownership command and safe mode. I am currently running Windows 10 v 2004 19041.450. My main antivirus is Avast Premium. I am not a techie but 69 years old and had computers since the Amstrad, Dos and various Windows 3.1 variations and the good old Spectrum!
Use Defender Control from Sordum to disable it. I have found using this tool will also leave it disabled after a reboot.
Take a good long look at “automatic sample submission” in Cloud-delivered Protection.
Proof there is a fully open backdoor for Microsoft to covertly steal any data on your PC. You think that little switch on the GUI ensures MS can’t enable it through Windows Update, or through Defender’s updates? Defender phones home to MS hundreds of times per day, it constantly scans all file access and monitors your browser history. You must be a fool to think Microsoft is not datamining your data from third party apps.
You already know what the excuse will be “Oh, it was a bug, we’ll fix it in a future update one of these days maybe. Meanwhile, no you cannot turn off Defender.”
This company should be sued 100x by the EU for espionage and cybercrime. They are literally doing worse than Chinese malware or Avast and other software that has been classified as UNSAFE. Why are people so foolish to trust a multinational corporation with known ties to espionage agencies, China, and a history of selling data to the highest bidder? Not even counting the actual bugs in Windows that hackers easily exploit.
I use a portable program from Sordum called Defender Control…it allows me to turn Defender off/on with one click. Whenever I tried to download the NirSoft Package, Defender would block about 1/2 dozen programs and I got tired of going through the process of allowing them
If an average user has no third party AV installed, Defender should remain enabled. I’ve used a number of third party AV’s and without exception, they all disabled Defender automatically during install.
We use Win 10 Pro, Home is banned here, it’s adware. No Defender either, why give MS even more of your info? Beside, Defender is slug slow.
Group Policy still works, also our Hosts files with maybe just a few MS addresses set to 0.0.0.0, still exist.
The Hosts file thing is not directly related to the Defender issue.
Chredge? Ha! Ha! Ha! Ha!
Now there’s a nice little market for Avast: release a program that completely removes Windows Defender and never ever allows it back. That’s all the program does, installs nothing else and more importantly: doesn’t even TRY to install anything else by avast software and doesn’t call home EVER. How about THAT, avast, you desperate sad abusive little insignificant piece of digital supergarbage, I would PAY for that program. Now get to work and make it happen.
Defender Control ( https://www.sordum.org/9480/defender-control-v1-6 ) ❤
I’ve finally moved to win10 a month ago, and PC is strong, and now I ditched Avast [after long knowing they got sold to Chinese or so…]
Now most reviews say WIN Defender is quite good, and so- I decided to not look for no AntiVirus [no avast, no kaspersky, norton, avg,…] and settle for Win Defender…
Is that not good enough, what do u guys think [why hate it so much lol]
I’m confused. Isn’t group policy just switch for registry? Are they linked to the same keys?
This is scary! Soon we won’t have any freedom on Windows. What if I choose not to use any anti virus programs on my VM?
Someone needs to grab Microsoft Virus Initiative api code and share it to the public. That way we can register a dummy program as an antivirus software to disable Defender.
new Defender Control 2.0 version makes it EASY to disable Windows Defender in both Windows 10 & Windows 11