Posted

Looking for some help with disabling MS Antivirus with the OSOT (latest version). Doesn't look like the OSOT actually disables Antivirus on Windows 11 23H2. I have noticed after running OSOT and provisioning desktops that a lot of CPU is still taken up by MS AV. On Windows 10 22H2 after running the OSOT to disable the MS AV, the service is disabled properly. Also notice there are more services on Windows 11 with regards to Defender, so maybe that has something to do with it.

Setup: I have the Disable Antivirus set in common options and also leave the recommended settings during optimize

but it seems to fail on reconfiguring the service as well as the registry for the service

Can't seem to change this to a 4 like OSOT wants to do 


Anyone else disable the Microsoft Defender AV successfully via OSOT on Windows 11 23H2? P.S - We run Carbon Black Cloud Sensor currently but are moving to Cortex XDR agent which takes over for Defender AV.

Posted

Does this old (elevated) PowerShell trick still work?

 

Set-MpPreference -DisableRealtimeMonitoring $true -Force

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiSpyware' -Value 1

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiVirus' -Value 1

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'ServiceKeepAlive' -Value 0

 

  • Insightful 1

Regards,

Guy

@guyrleech

Posted

Hi Jeremy,
I tried it using Win 11 23H2 and OSOT 1.2.2406 and it does disable Defender generally.

OSOT configures the "Turn off Microsoft Defender Antivirus" registry key (DisableAntiSpyware=1) as well.
However I agree that the Defender services are still running on my machine, too.

Try Guy's commands above. Additionally there are some scripts / tools on GitHub which might process the last step to disable the services.
 

   
  • 2 weeks later...
Posted
On 11/12/2024 at 10:43 AM, Guy Leech said:

Does this old (elevated) PowerShell trick still work?

 

Set-MpPreference -DisableRealtimeMonitoring $true -Force

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiSpyware' -Value 1

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiVirus' -Value 1

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'ServiceKeepAlive' -Value 0

 

Not really, I still see the Windows AV service running and taking up CPU upon user logon and still can't disable the entire service as it's protected still. Wondering if this is just how Defender AV is going to work on Windows 11.

  • Employee
Posted

Disabling Defender got really hard over the last few years and was starting to prove unreliable to do so. We reevaluated the need for this and changed the default OSOT to not disable Defender. We did discuss removing the option altogether but decided against that at the time.

Part of the reasoning in this was that we saw little or no performance gain when it was disabled. We also got feedback that many organizations would be uncomfortable with not running something like this on their desktops. If a third-party intrusion/antivirus solution is installed, it changes Defender to manual start anyway.

  • Thanks 1
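
A read-only way to check the state this thread is about (the policy values, each service's Start value and status, and Defender's own reported mode) after running OSOT. This is an added example, not posted by any participant and not part of OSOT. The service names in `$serviceNames` and the `Get-MpComputerStatus` properties selected are assumptions that do not come from the thread.

```powershell
# Added example: read-only report, changes nothing on the machine.
# Run from an elevated PowerShell session on the optimized image.

# Policy values named in the thread; an empty Value means it is not set.
$policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policyNames = 'DisableAntiSpyware', 'DisableAntiVirus', 'ServiceKeepAlive'
$policy = foreach ($name in $policyNames) {
    $item = Get-ItemProperty -Path $policyPath -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{ Name = $name; Value = if ($item) { $item.$name } else { $null } }
}

# Assumption: these service names are not from the thread; adjust the list
# to whatever Defender-related services your build actually has.
$serviceNames = 'WinDefend', 'WdNisSvc', 'Sense', 'SecurityHealthService'
$startTypes   = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$services = foreach ($svcName in $serviceNames) {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # service not present on this build
    # The Start value is what the thread refers to as "change this to a 4".
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Service   = $svcName
        Status    = $svc.Status
        Start     = $start
        StartType = if ($null -ne $start) { $startTypes[[int]$start] } else { 'unreadable' }
    }
}

# Defender's own view; the cmdlet fails when the service is not running.
$mp = $null
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop |
        Select-Object AMRunningMode, AMServiceEnabled, AntivirusEnabled,
                      RealTimeProtectionEnabled, IsTamperProtected
} catch {
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
}

$policy   | Format-Table -AutoSize
$services | Format-Table -AutoSize
$mp       | Format-List
```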
