Jeremy Lippert
Posted November 7

Looking for some help with disabling MS Antivirus with the OSOT (latest version). Doesn't look like the OSOT actually disables Antivirus on Windows 11 23H2. I have noticed after running OSOT and provisioning desktops that a lot of CPU is still taken up by MS AV. On Windows 10 22H2 after running the OSOT to disable the MS AV, the service is disabled properly. Also notice there are more services on Windows 11 with regards to Defender, so maybe that has something to do with it.

Setup: I have the Disable Antivirus set in common options and also leave the recommended settings during optimize, but it seems to fail on reconfiguring the service as well as the registry for the service.

Can't seem to change this to a 4 like OSOT wants to do.

Anyone else disable the Microsoft Defender AV successfully via OSOT on Windows 11 23H2?

P.S. We run Carbon Black Cloud Sensor currently but are moving to Cortex XDR agent which takes over for Defender AV.

Guy Leech
Posted November 12

Does this old (elevated) PowerShell trick still work?

    Set-MpPreference -DisableRealtimeMonitoring $true -Force
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiSpyware' -Value 1
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiVirus' -Value 1
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'ServiceKeepAlive' -Value 0

Regards,
Guy
@guyrleech

Philipp Siebers
Posted November 12

Hi Jeremy,

I tried it using Win 11 23H2 and OSOT 1.2.2406 and it does disable Defender generally. OSOT configures the "Turn off Microsoft Defender Antivirus" registry key (DisableAntiSpyware=1) as well. However, I agree that the Defender services are still running on my machine, too.

Try Guy's commands above. Additionally, there are some scripts / tools on GitHub which might process the last step to disable the services.

Jeremy Lippert (Author)
Posted November 21

On 11/12/2024 at 10:43 AM, Guy Leech said:

> Does this old (elevated) PowerShell trick still work?
>
>     Set-MpPreference -DisableRealtimeMonitoring $true -Force
>     Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiSpyware' -Value 1
>     Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiVirus' -Value 1
>     Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'ServiceKeepAlive' -Value 0

Not really, I still see the Windows AV service running and taking up CPU upon user logon and still can't disable the entire service as it's protected still. Wondering if this is just how Defender AV is going to work on Windows 11.

Graeme Gordon (Employee)
Posted November 27

Disabling Defender got really hard over the last few years and was starting to prove unreliable to do so. We reevaluated the need for this and changed the default OSOT to not disable Defender. We did discuss removing the option altogether but decided against that at the time.

Part of the reasoning in this was that we saw little or no performance gain when it was disabled. We also got feedback that many organizations would be uncomfortable with not running something like this on their desktops.

If a third-party intrusion/antivirus solution is installed, it changes Defender to manual start anyway.
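
Added example (not part of any post in this thread, and not OSOT code): a read-only PowerShell report of the state Defender is actually in after optimization, covering the policy values from Guy's commands, the service start type (the "4" = Disabled from the first post) and the running mode. The `WinDefend` service name, its registry key and the `MsMpEng` process name are standard Windows names assumed here; none of them is quoted in the thread.

```powershell
# Added example: read-only report; it changes no settings.
function Get-DefenderStateReport {
    [CmdletBinding()]
    param()

    $policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'  # path from the thread
    $servicePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'   # assumed: standard service key

    # Policy values named in the thread; empty output means the value is not set.
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    # Service Start value as stored in the registry (4 = Disabled, 3 = Manual, 2 = Automatic).
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $start = (Get-ItemProperty -Path $servicePath -Name Start -ErrorAction SilentlyContinue).Start
    $startName = if ($null -ne $start) { $startNames[[int]$start] } else { 'KeyNotReadable' }

    $service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $engine  = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue

    # Get-MpComputerStatus throws when the Defender WMI provider is unavailable.
    $mp = $null
    try { $mp = Get-MpComputerStatus -ErrorAction Stop }
    catch { Write-Verbose "Get-MpComputerStatus failed: $($_.Exception.Message)" }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        PolicyDisableAntiSpyware  = $policy.DisableAntiSpyware
        PolicyDisableAntiVirus    = $policy.DisableAntiVirus
        PolicyServiceKeepAlive    = $policy.ServiceKeepAlive
        ServiceStartValue         = $start
        ServiceStartType          = $startName
        ServiceStatus             = if ($service) { $service.Status } else { 'NotFound' }
        EngineProcessRunning      = [bool]$engine
        EngineCpuSeconds          = if ($engine) { $engine.CPU } else { $null }
        AMRunningMode             = $mp.AMRunningMode
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        IsTamperProtected         = $mp.IsTamperProtected
    }
}

Get-DefenderStateReport | Format-List
```

Run it elevated on the same image before and after OSOT, and again once the third-party agent is installed, then compare the outputs.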