Forum Discussion
Change tamper protected settings permanently
Bump?
Defender being part of the OS, it is really hard to disable. You may try these:
1. Offboard MDE by the offboarding script, and see if it gets into passive mode.
2. ForceDefenderInPassiveMode: set the below registry value to force Defender in passive mode (caution: there must be another AV to continue monitoring and protection)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\ForceDefenderPassiveMode = 1
3. AV policy changes -- check for 'Disable Local Admin Merge' and set it to false to allow the local admins to make AV configuration changes at host level.
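Added example (not part of any post in this thread): a read-only PowerShell check of the state the steps above would change, covering running mode, real-time protection, tamper protection, the registry value from step 2, and whether another AV is registered. The report field names and finding messages are assumptions of this example; it changes no settings.

```powershell
# Added example: read-only audit of Defender state. It modifies nothing.
$status = Get-MpComputerStatus

# Registry value quoted in step 2 above (null if the value is not present).
$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$forced  = (Get-ItemProperty -Path $keyPath -Name ForceDefenderPassiveMode `
            -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

# Other AV products registered with Windows Security Center. This namespace
# exists on client editions only, so the list is empty on Windows Server.
$otherAv = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
             -ErrorAction SilentlyContinue |
             Where-Object { $_.displayName -notmatch 'Defender' })

[pscustomobject]@{
    RunningMode          = $status.AMRunningMode
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    TamperProtected      = $status.IsTamperProtected
    ForcePassiveRegistry = if ($null -eq $forced) { 'not set' } else { $forced }
    OtherAvProducts      = ($otherAv.displayName -join ', ')
} | Format-List

$findings = @()
if ($status.AMRunningMode -match 'Passive' -and $otherAv.Count -eq 0) {
    $findings += 'Defender is passive and no other AV is registered with Security Center.'
}
if ($forced -eq 1 -and $status.AMRunningMode -notmatch 'Passive') {
    $findings += 'ForceDefenderPassiveMode is set, but Defender does not report passive mode.'
}
if ($status.AMRunningMode -eq 'Normal' -and -not $status.RealTimeProtectionEnabled) {
    $findings += 'Defender is the active AV with real-time protection off; only scans will detect threats.'
}
if ($status.IsTamperProtected) {
    $findings += 'Tamper protection is on; local changes to protected settings will not take effect.'
}

if ($findings.Count -eq 0) {
    'No findings.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```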
- winny123, Jul 08, 2025, Copper Contributor
Thanks for your reply. I'm specifically looking to disable real-time protection but want to have Defender still running for scheduled scans. Any suggestions on that?
- cgerling, Jul 22, 2025, Copper Contributor
You could build a dedicated Defender Antivirus Policy in Intune which disables "real-time protection" and assign it to a specific Device Group in Entra.
Could I ask you a question? Why would you disable "real-time protection"? If it is on purpose because a LOB application is not running, is there no chance to work with exclusions?
- cssns, Jul 14, 2025, Brass Contributor
To my knowledge, you have to create a new AV policy with "local admin merge" disabled and enforce it on this scoped device only. Once done, you can disable RTP with the below PS command:
Set-MPPreference -DisableTamperProtection $true
- winny123, Jul 15, 2025, Copper Contributor
Woah okay I haven't heard of this before! Do you think it can be done on group policy or the defender portal? Thanks for replying still