How to disable Windows Defender via PowerShell on Windows 10 version 1903+?

So, I need to automatically disable Windows Defender for certain virtual machines via a PowerShell script. Prior to the May update, one could set the DisableAntiSpyware and DisableRoutinelyTakingAction values in the registry and Defender was disabled.

Now with version 1903, this doesn't seem to work anymore. Even after disabling Tamper Protection via the registry and rebooting, I only get a permission denied error when trying to set the two registry values.

Does anyone have any ideas how I could solve this? I tried using Invoke-CommandAs to do this as SYSTEM, however sadly this didn't work either.

Nirusu

Posted 2019-06-12T14:42:48.763

Reputation: 71

Please provide some details on the properties of those two keys. You might want to try adding the user who runs the script to the list of users with read/write access. – Ramhound – 2019-06-12T17:29:19.400

So, are you saying, you want no AV on those hosts? Historically, if so, MP gets disabled when you install another AV solution. – postanote – 2019-06-13T05:25:54.657

The two keys disable the on-demand scanner and Windows Defender automatically taking action if it detects anything (e.g. scheduled scan). Yes, I want no AV on these hosts. They're just virtual machines for security research, so an AV on those would be pretty annoying. – Nirusu – 2019-06-13T07:52:31.837

The typical answer to OP's question would be to use Set-MpPreference -DisableRealtimeMonitoring $true / Set-MpPreference -DisableRealtimeMonitoring $false. However, it seems that since the 1903 update (the Windows version which OP is asking about), Microsoft has disabled this ability - and there seems to be a complete lack of information about it online right now. – OrangeIsALie – 2019-06-24T19:52:52.203

Answers

Okay, I guess I found a way.

Either use Defender Control or elevate a PowerShell session to TrustedInstaller (SYSTEM is not enough!), stop and disable the service and afterwards create the registry key. For elevation, I used the separate tool RunAsTi.

This is what I used:

# Stop the Defender service and prevent it from starting again (needs TrustedInstaller rights on 1903+)
Stop-Service WinDefend
Set-Service WinDefend -StartupType Disabled
# Set the two policy values; Set-ItemProperty creates them as DWORDs if they do not exist yet
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableRoutinelyTakingAction" -Value 1

Now, this works so far. However, I still need to automate it so that it works completely standalone, i.e. I have to develop the elevation part in PowerShell.

Nirusu

Posted 2019-06-12T14:42:48.763

Reputation: 71
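For anyone responsible for the hosts rather than the research VMs, the flip side of the answer above is checking whether Defender has been switched off this way. The following audit script is an added example, not part of the original answer or of any tool mentioned on this page; it only reads the WinDefend service state, the two policy values named above and the live status reported by Get-MpComputerStatus, and flags the combination the answer produces. The function name Get-DefenderTamperReport and the LooksTampered field are my own.

```powershell
# Added example (not from the original post): report whether Defender has been
# disabled via the WinDefend service and the policy values discussed above.
function Get-DefenderTamperReport {
    $policyPath = 'HKLM:\Software\Policies\Microsoft\Windows Defender'
    $report = [ordered]@{}

    # Service state: the answer stops WinDefend and sets its start type to Disabled.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $report['WinDefendStatus']    = if ($svc) { $svc.Status.ToString() }    else { 'NotFound' }
    $report['WinDefendStartType'] = if ($svc) { $svc.StartType.ToString() } else { 'NotFound' }

    # Policy values: absent is the default; a value of 1 disables the feature by policy.
    foreach ($name in 'DisableAntiSpyware', 'DisableRoutinelyTakingAction') {
        $value = (Get-ItemProperty -Path $policyPath -Name $name -ErrorAction SilentlyContinue).$name
        $report[$name] = if ($null -eq $value) { 'NotSet' } else { $value }
    }

    # Live engine state from the Defender module; this call fails when the service is down,
    # so a missing result is itself a signal worth recording.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status) {
        $report['AntivirusEnabled']          = $status.AntivirusEnabled
        $report['RealTimeProtectionEnabled'] = $status.RealTimeProtectionEnabled
        $report['IsTamperProtected']         = $status.IsTamperProtected
    } else {
        $report['AntivirusEnabled'] = 'Unavailable'
    }

    # LooksTampered (my own field): true if any of the changes from the answer are present.
    $report['LooksTampered'] = ($report['WinDefendStartType'] -eq 'Disabled') -or
                               ($report['DisableAntiSpyware'] -eq 1) -or
                               ($report['DisableRoutinelyTakingAction'] -eq 1)

    [pscustomobject]$report
}

Get-DefenderTamperReport | Format-List
```

Run it from an elevated prompt; reading HKLM policy keys and Get-MpComputerStatus both require administrator rights on most builds. For after-the-fact review, the Microsoft-Windows-Windows Defender/Operational event log also records real-time protection being turned off (event ID 5001), which pairs well with the point-in-time report above.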

Is there any way to run PS as TrustedInstaller w/o any 3rd party tools? – Vladimir Ishenko – 2019-08-19T19:48:26.453

It's not quite w/o 3rd party tools, but you can use NtObjectManager in combination with its New-Win32Process to spawn a PS instance as a child of trustedinstaller.exe. Internally, I have used this as a solution: install the NtObjectManager module, start the TrustedInstaller service, use New-Win32Process and run powershell with the above commands encoded.

– Nirusu – 2019-09-03T08:00:15.860

UPD: RunAsTi doesn't seem to work anymore. I can't catch the crash log because it spawns in a new cmd instance and instantly disappears. I found that NSudo works nicely. https://github.com/M2Team/NSudo

– Vladimir Ishenko – 2019-10-01T12:51:11.503