Forum Discussion
Change tamper protected settings permanently
Hi there,
I need to disable real-time monitoring permanently on a device. I can turn it off temporarily using troubleshooting mode, but once tamper protection is back on, so is real-time monitoring.
How do we actually permanently change tamper protected settings?
8 Replies
- Nathan_McNulty (Copper Contributor)
Tamper Protection enforces real-time monitoring (even if disabled in policies), so you must disable Tamper Protection to turn off real-time monitoring.
If you have Intune, you can use a Windows Security Experience policy to disable Tamper Protection on devices in the group you target with the policy. You can find this policy under Endpoint security - Antivirus - Create policy - Windows / Windows Security Experience.
Once applied to the device, you will then be able to disable real-time protection.
- winny123 (Copper Contributor)
Bump?
- cssns (Brass Contributor)
Defender being part of the OS, it is really hard to disable. You may try these:
1. Offboard MDE by the offboarding script, and see if it gets into passive mode.
2. ForceDefenderInPassiveMode: set the below registry value to force Defender into passive mode (caution: there must be another AV to continue monitoring and protection)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\ForceDefenderPassiveMode = 1
3. AV policy changes -- check for 'Disable Local Admin Merge' and set it to false to allow the local admins to make AV configuration changes at host level.
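
Added example, not part of any reply in this thread: a read-only PowerShell check, run in an elevated session on the device, that reports the Tamper Protection, real-time protection and running-mode state the replies above refer to, so you can confirm what a policy change actually did. The function name and the finding messages are assumptions made for illustration; the registry path and value name are the ones quoted above.

```powershell
# Added example: read-only audit of the Defender settings discussed in this thread.
# Get-DefenderProtectionState is a hypothetical helper name, not a built-in cmdlet.
function Get-DefenderProtectionState {
    # Get-MpComputerStatus ships with the Defender PowerShell module.
    $status = Get-MpComputerStatus

    # Registry value quoted in the thread; if the key or value is absent,
    # $forcePassive stays $null, meaning passive mode is not forced by policy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $forcePassive = (Get-ItemProperty -Path $key -Name 'ForceDefenderPassiveMode' `
        -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

    $findings = @()
    if ($status.IsTamperProtected -and -not $status.RealTimeProtectionEnabled) {
        $findings += 'Real-time protection is off while Tamper Protection is on; ' +
                     'check for troubleshooting mode or passive mode.'
    }
    if (-not $status.IsTamperProtected) {
        $findings += "Tamper Protection is off (source: $($status.TamperProtectionSource)); " +
                     'protected settings such as real-time monitoring can be changed.'
    }
    if ($forcePassive -eq 1 -or $status.AMRunningMode -ne 'Normal') {
        $findings += "Defender is not in active mode (AMRunningMode: $($status.AMRunningMode)); " +
                     'confirm another AV is providing protection.'
    }

    [pscustomobject]@{
        IsTamperProtected         = $status.IsTamperProtected
        TamperProtectionSource    = $status.TamperProtectionSource
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        AntivirusEnabled          = $status.AntivirusEnabled
        AMRunningMode             = $status.AMRunningMode
        ForceDefenderPassiveMode  = $forcePassive
        Findings                  = $findings
    }
}

Get-DefenderProtectionState | Format-List
```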
- winny123 (Copper Contributor)
Thanks for your reply. I'm specifically looking to disable real-time protection but want to have Defender still running for scheduled scans. Any suggestions on that?