Setting Windows Defender regardless of group policy on Windows 10

0

I'm interested to know whether there is theoretically any way for someone with local administrator access to a computer connected to a domain to disable or enable Windows Defender regardless of what the group policy is set to?

I understand there's a kernel mode driver in action that prevents one from editing the specific registry keys, so it might be that all that it takes is reduced security startup / safe mode? If this is not possible at all, I can say I'd be shocked - with Windows, it's always been about 'how' not 'if'!

NeroS

Posted 2017-02-08T15:02:30.877

Reputation: 151

Can't say I know how, but I can confirm that I just got a virus that changed the registry key to disable Windows Defender without my permission (well, I was stupid and ran the program with admin rights, I think, so that sort of constitutes permission). But anyway, this is in fact possible via an .exe file somehow. Then again, this was a personal computer with one account, no domain involved. – Blaine – 2017-02-08T15:06:08.183

A domain group policy will override any local group policy set by a local Administrator. What practical problem are you trying to solve exactly? – Ramhound – 2017-02-08T15:09:30.087

There's no practical problem I need to solve, it's more of a "can it be done at all" thing. I like bending software to do things it was never meant to do, and Windows is superb for that. Overriding Windows Defender is the first thing I've run into that I haven't found a clear path around on Windows 10. I guess in theory I'm making assumptions that local physical disk permissions take higher priority in terms of preventing/allowing access, over domain access, but then I guess there's the "Take Ownership"... this is where open source Windows would be handy :( – NeroS – 2017-02-09T07:05:16.960

Right now I have an issue where Defender turns on regardless of group policy settings. So maybe this bug could be utilised to your benefit. – rolls – 2020-02-07T01:51:06.630

No answers