Forum Discussion
Change tamper protected settings permanently
Bump?
- cssnsJul 08, 2025Brass Contributor
Defender being part of the OS, it is really hard to disable. You may try these-
1. Offboard MDE by the offboarding script, and see if it gets into passive mode.
2. ForceDefenderInPassiveMode, set the below registry value to force defender in passive mode (caution, there must be another AV to continue monitoring and protection)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\ForceDefenderPassiveMode = 1
3. AV policy changes -- check for 'Disable Local Admin Merge' and set it to false to allow the local admins to make AV configuration changes at host level.
- winny123Jul 08, 2025Copper Contributor
Thanks for your reply I'm specifically looking to disable real-time protection but want to have defender still running for scheduled scans. Any suggestions on that?
- cgerlingJul 22, 2025Copper Contributor
You could build a dedicated Defender Antivirus Policy in Intune which disable "real-time protection" and assigned it to a specific Device Group in Entra.
Could I ask you a question ? Why would you diasble "real-time protection" ? If it is on purpose because a LOB Application ist not running - is there no chance to work with exclusions ?