47

I would like to disable Windows Defender Real Time Protection via GPO on Windows 10 Pro. When I configure the GPO, Real-Time Protection is shown as off. However, after a reboot the protection is magically enabled again.

GPO settings have not changed. I am trying to disable Real Time Protection to be able to analyze and reverse engineer malware.

In addition, even if Windows tells me Real Time Protection is managed by the administrator, it is still enabled in the background.

I really wonder if there is a way to completely disable Windows Defender + Real Time Protection or if Microsoft made this impossible.

5 Answers

81

In newer versions of Windows, Group Policy settings for Microsoft Defender are reverted back.
To prevent this, before changing them:

  1. Open Resource Monitor (type resmon.exe in the search box)
  2. Overview
  3. Find MsMpEng.exe in the list
  4. Right-click > Suspend Process

In Windows 10 1903, Tamper Protection was added.
Tamper Protection must be disabled before changing Group Policy settings, otherwise these are ignored.

  1. Open Windows Security (type Windows Security in the search box)
  2. Virus & threat protection > Virus & threat protection settings > Manage settings
  3. Switch Tamper Protection to Off

To permanently disable real-time protection:

  1. Open Local Group Policy Editor (type gpedit.msc in the search box)
  2. Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
  3. Enable Turn off real-time protection
  4. Restart the computer

To permanently disable Microsoft Defender:

  1. Open Local Group Policy Editor (type gpedit.msc in the search box)
  2. Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
  3. Enable Turn off Microsoft Defender Antivirus
  4. Restart the computer
  • 5
    Using Windows 10, version 10.0.19045, I can't suspend MsMpEng.exe (access denied, even with resmon.exe run as admin), but the remaining steps still work. After restarting, real-time protection is still disabled. Thanks! – Daniel Schuler Apr 12 '23 at 13:49
  • 1
    it doesn't work anymore – John Wales Apr 26 '23 at 20:05
11
  • Regedit.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  • New > DWORD DisableAntiSpyware
  • Set it to 1
  • Reboot

If it doesn't work then one more step:

  • Regedit.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (create this key if not existing)
  • New > DWORD DisableBehaviorMonitoring; set it to 1
  • New > DWORD DisableOnAccessProtection; set it to 1
  • New > DWORD DisableScanOnRealtimeEnable; set it to 1
  • Reboot

You can also save the code below to disable_realtime_protection.reg and run it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
luchaninov
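
Several answers and comments report that these settings are ignored or reverted after a reboot. The following read-only check is an added example, not code from any of the answers: it compares the policy values named above with the state the Defender service reports. `Get-PolicyValue` and the variable names are hypothetical.

```powershell
# Added example (not from the original answers): read-only audit.
# Run from an elevated PowerShell prompt; it changes nothing.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rtpKey     = "$policyRoot\Real-Time Protection"

# Policy values named in the answers above.
$watched = @(
    @{ Key = $policyRoot; Name = 'DisableAntiSpyware' }
    @{ Key = $rtpKey;     Name = 'DisableBehaviorMonitoring' }
    @{ Key = $rtpKey;     Name = 'DisableOnAccessProtection' }
    @{ Key = $rtpKey;     Name = 'DisableScanOnRealtimeEnable' }
)

# Hypothetical helper: returns the value data, or $null if the key or value is missing.
function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$policy = foreach ($w in $watched) {
    $v = Get-PolicyValue -Key $w.Key -Name $w.Name
    [pscustomobject]@{
        Name  = $w.Name
        Value = if ($null -eq $v) { '<not set>' } else { $v }
        Key   = $w.Key
    }
}
$policy | Format-Table -AutoSize

# Effective state as reported by the Defender service itself.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    $status | Format-List AntivirusEnabled, RealTimeProtectionEnabled,
        BehaviorMonitorEnabled, OnAccessProtectionEnabled, IsTamperProtected
} catch {
    # The cmdlet fails when the Defender service is not running.
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
    $status = $null
}

# A policy value of 1 with protection still reported on means the policy was ignored.
$set = @($policy | Where-Object { $_.Value -eq 1 })
if ($status -and $set.Count -gt 0 -and $status.RealTimeProtectionEnabled) {
    Write-Warning ("{0} policy value(s) set, but real-time protection is still enabled (tamper protected: {1})." -f $set.Count, $status.IsTamperProtected)
}
```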
6

I tried all suggestions here prior to today and tried this, this, this.

The only thing that works right now, Jan 2021, is a version of this. I have to run this every time I boot Windows 10. Sometimes even during the day, Defender will enable itself. Argh! So I have to run it again. Because of all this manual labor, I set up a Shortcut Key Ctrl + Shift + Alt + F12 to run the disable command. After pressing that shortcut I still have to answer Yes to the "Allow this program to make changes" dialog.

Steps

  1. Right click on your desktop then select New then Shortcut. Leave this on your desktop so that Windows finds the shortcut key.
  2. In the Target box type this code.

     C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true

  3. In the Shortcut key box press any key you want to use to run this shortcut. I used Ctrl + Shift + Alt + F12.
  4. Press Advanced then enable Run as administrator.
  5. Press OK twice. You're done.

You should know that Windows will keep annoying you with notifications to turn on virus protection. It's non stop madness ... in the battle to reclaim CPU power from the sharp clutches of Mr. Evil Real-time Defender of MS. Just ignore it.

I hope MS sees this and fixes this because it's so obtrusive of them to force real-time defender on all the time. It grinds my fast computer to a crawl.

Saj
  • Which version of Windows were you using? Win10 LTSC 2019 works by group policy alone. LTSC 2021 (21H2) you have to go into the `Virus & threat protection` menu and disable tamper protection. Logged in as Administrator – Jon Grah Dec 02 '22 at 14:20
  • not working with the latest version, maybe with the tamper thing added? – Facundo Colombier Jun 13 '23 at 15:12
  • Yes, not working for me either. MS Win now deletes any file with -DisableRealtimeMonitoring. Even text files. So on start up that file can't run. Wow. I get this done another way, which I won't post here so that they don't take that away too. I'll share it with you privately, somehow. – Saj Jun 16 '23 at 20:48
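
The answer above describes real-time protection switching itself back on during the day. The following read-only query is an added example, not part of the answer or its comments: it lists when protection was turned off, turned back on, or had a change blocked, using the Defender operational event log. The seven-day window and the variable names are assumptions.

```powershell
# Added example (not from the original answers): read-only query of the Defender event log.
# Run from an elevated PowerShell prompt.
$log = 'Microsoft-Windows-Windows Defender/Operational'

# Event IDs documented by Microsoft for the Defender operational log.
$meaning = @{
    5000 = 'Real-time protection enabled'
    5001 = 'Real-time protection disabled'
    5004 = 'Real-time protection configuration changed'
    5007 = 'Antimalware platform configuration changed'
    5013 = 'Tamper protection blocked a change'
}

$filter = @{
    LogName   = $log
    Id        = [int[]]@($meaning.Keys)
    StartTime = (Get-Date).AddDays(-7)   # assumed look-back window
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output 'No matching Defender events in the last 7 days.'
} else {
    $events | Sort-Object TimeCreated | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $meaning[$_.Id]
            # First line of the message; for 5007 the full text holds the old and new value.
            Detail  = ($_.Message -split "`r?`n")[0]
        }
    } | Format-Table -AutoSize -Wrap
}
```

A 5001 followed later by a 5000 shows protection being restored; a 5013 shows a change that Tamper Protection rejected.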
1

MS no longer supports DisableAntiSpyware; they use many tricks to protect MsMpEng.exe and the related registry items.

If you actually want to disable Windows Defender, use WinPE or WRE to edit the registry offline.

--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableAntiVirus"=dword:00000001
--------------------------------------------------------------------------

These items are protected online, so you cannot modify them; that's why you use WinPE or WRE.

1

I found this utility very useful against Windows Defender and it works on my machine with the latest version of Windows 10.

According to their official creator Defender Control is a portable tool featured within a simplistic UI that permits you to one-click disable/enable or even launch Windows Defender. The need to disable Windows Defender can help speed up the overall time when you find yourself copying large amounts of data to and from your PC or USB or having a conflict between Windows Defender and another type of antivirus solution. It can also benefit users with a machine that is a little light on resources or have a top-notch alternative installed.