Forum Discussion

winny123's avatar
winny123
Copper Contributor
Jun 29, 2025

Change tamper protected settings permanently

Hi there, I need to disable real-time monitoring permanently on a device. I can turn it off temporarily using troubleshooting mode but once tamper protection is back on, so is real-time monitoring. ...
winny123's avatar
winny123
Copper Contributor
Jul 03, 2025

Bump?

  • cssns's avatar
    cssns
    Brass Contributor
    Jul 08, 2025

    Defender being part of the OS, it is really hard to disable. You may try these-

    1. Offboard MDE by the offboarding script, and see if it gets into passive mode.

    2. ForceDefenderInPassiveMode, set the below registry value to force defender in passive mode (caution, there must be another AV to continue monitoring and protection)

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\ForceDefenderPassiveMode = 1

    3. AV policy changes -- check for 'Disable Local Admin Merge' and set it to false to allow the local admins to make AV configuration changes at host level. 

    • winny123's avatar
      winny123
      Copper Contributor
      Jul 08, 2025

      Thanks for your reply I'm specifically looking to disable real-time protection but want to have defender still running for scheduled scans. Any suggestions on that?

      • cgerling's avatar
        cgerling
        Copper Contributor
        Jul 22, 2025

        You could build a dedicated Defender Antivirus Policy in Intune which disable "real-time protection" and assigned it to a specific Device Group in Entra.

        Could I ask you a question ? Why would you diasble "real-time protection" ? If it is on purpose because a LOB Application ist not running - is there no chance to work with exclusions ?