See above. The Defender Control app works. It manages to disable it.
Yeah, but disabling has been disabled. It just doesn't work any more even if Tamper Protection is turned off.
I'm not sure if this depends on the initial Windows installation (installed from Windows 20H2 ISO or a previous one), or if Microsoft flipped the switch somehow recently...
If you enable Windows Defender now and enable the Tamper Protection, and then restart the computer, would you still be able to disable the Defender?
If yes, then the 20H2 ISO was the one that disabled the Defender disabling. If Windows is installed from the older Windows version, then it should still be possible to disable the Defender.
Yeah, I know. That's how I disabled it before. But now, after the clean install with Windows 20H2, it doesn't work any more. Tamper Protection stays off after a reboot, but the option to disable the Defender doesn't work at all. Nothing happens. Whereas before it would stop it the moment I changed the option in the Group Policy.
I am on LTSC and can confirm Tamper Protection is off, as is documented by Microsoft.
I ran the powershell command.
Get-MpComputerStatus
IsTamperProtected : False
I tried manually editing the group policy key and ran gpupdate, but it just gets removed. I don't want to resort to putting in older binaries or renaming executables, so I will continue to research this.
Currently my real-time protection is still disabled since yesterday, so the good news at least is that the UI widget toggle seems to last at least 24 hours.
For LTSC this method still works. However, it does require using an older version of Defender.
Yeah, I just said that I won't be doing that; it's way too hacky and there may be other repercussions to using older binaries. In my case I still want the memory exploit protections, I just want to disable the file scanning.
My current idea is to add a scheduled task which toggles the widget off at boot, and then every 24 hours as well.
It is great you figured that out though. So we have one working method at least.
- - - Updated - - -
--edited it with final solution--
Ok here is what I have done.
First of all, the script is very basic: it runs a PowerShell command to toggle the real-time protection mode. I will also attach the file.
I copied it to the Program Files folder, although it doesn't need to be there; that's just my preference. Name: "Defender-Realtime-Disable.cmd"
Code:
@echo off
powershell.exe -windowstyle hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Now I have added a task in task scheduler.
First one called RenewDisableDefenderRT
Run on event
event log Windows/Windows Defender/Operational log
event id 5000
Run whether user is logged in or not, supply credentials; it does not need to be the hidden admin account, and also does not need "run with highest privileges" ticked. But it probably won't work on limited user accounts.
Actions, start a program, put in the script, in my case "C:\Program Files\Defender-Realtime-Disable.cmd"
Untick everything in conditions
Settings, allow task to run on demand (good for testing it) and stop if still running after an hour just to be on safe side.
That's it. The only downside I see at the moment is that when it runs there is a brief notification that the protection is disabled. It can probably be muted in the notification settings if so desired; there won't be a PowerShell window popup.
I tested it a few times and it works a treat: I enable it, then within a minute it is auto-disabled again, so this should not need aggressive every-minute tasks, nor worrying about the timing of a daily task; it will just run when it needs to. I recorded a clip of it in action. The reason I like this so much as well is that if I want to use the real-time protection, all I need to do is disable the task, no need to move binaries around etc. In the future I am likely to use it again, as I do want the ransomware protection from it.
I have uploaded a clip of it in action here, I will post an update of how to add the task this way later.
I also added a second script to run every hour with the command below. Since I disable automatic Windows Update, this will ensure Defender stays updated on its signatures.
Code:
powershell.exe -windowstyle hidden -Command "Update-MpSignature"
Last edited by Chrysalis; 07 Feb 2021 at 15:20.
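An added audit script, not part of this thread or any poster's files, written from the defender's side: it shows whether real-time protection and Tamper Protection are currently off, lists scheduled tasks that reference Set-MpPreference or subscribe to the Defender Operational log (as the event-triggered task described above does), and counts the 5000/5001 enable/disable events from the last day. It assumes an elevated PowerShell 5.1 or later session with the Defender module present.

```powershell
# Added audit script (not from the thread). Assumes an elevated session with the Defender module.
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
    AntivirusSignatureAge     = $status.AntivirusSignatureAge
} | Format-List

# Report any task whose action, backing script or trigger is tied to Defender's real-time setting.
$pattern = 'Set-MpPreference|DisableRealtimeMonitoring|MpCmdRun'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $hits = @()
    foreach ($a in $task.Actions) {
        $cmdline = "$($a.Execute) $($a.Arguments)"
        if ($cmdline -match $pattern) { $hits += "action: $cmdline" }
        # The thread's task points at a .cmd wrapper, so inspect the target file itself too.
        $file = ([string]$a.Execute).Trim('"')
        if ($file -and (Test-Path -LiteralPath $file -PathType Leaf)) {
            $body = Get-Content -LiteralPath $file -Raw -ErrorAction SilentlyContinue
            if ($body -match $pattern) { $hits += "script: $file" }
        }
    }
    foreach ($t in $task.Triggers) {
        # Event triggers carry their subscription as an XPath/XML string.
        if ($t.CimClass.CimClassName -eq 'MSFT_TaskEventTrigger' -and
            $t.Subscription -match 'Windows Defender') {
            $hits += 'trigger: Windows Defender event log'
        }
    }
    if ($hits) {
        [pscustomobject]@{
            Task  = "$($task.TaskPath)$($task.TaskName)"
            State = $task.State
            Why   = $hits -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap

# 5000 = real-time protection enabled, 5001 = disabled. A steady alternation of the two
# within minutes is the signature of a task that keeps re-disabling protection.
$since = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5000, 5001
    StartTime = $since
} -ErrorAction SilentlyContinue
$events | Group-Object Id | Select-Object Name, Count
```

An expected, healthy result is RealTimeProtectionEnabled = True with no tasks listed and no 5001 events; a task matching the "trigger: Windows Defender event log" line together with repeated 5000/5001 pairs is exactly the configuration this thread builds.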