Forum Discussion
Navilhoss422
Mar 11, 2022 Copper Contributor
Windows 11 Defender not responding at all - No online solutions working.
Hello all! This is my first post on here, so I am sorry if I maybe mess something up with the formatting or so. But I have been having an issue ever since I got Windows 11 for my Surface Pro 4, whic...
- Mar 12, 2022
I have finally (!) resolved the issue. However, I was forced to do a reset of my system. It seems to be working reliably now, even after a restart. Hopefully this problem does not reappear. I honestly think I'll sell my Surface Pro if it does - it's just not worth spending so much time for.
14716FE3
Copper Contributor
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
That's the Registry-Editor's path of control by Group Policy.
If not already there, select Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft and right-click on it, select NEW, select KEY and name it Windows Defender. What you put in there as config will be enforced without the need of opening the Windows Defender itself.
I don't know how familiar you are with the Registry, but I give you here a compilation of settings that I use on an extreme turning off configuration. Uhm. I will delete as many keys as possible that are not required for your intention. Please always look up what a key does, Google or check the
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
values in
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
coz that's the exact path for your Windows Defender on currently active settings.
So, this is what I enforced for real time protection:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableIOAVProtection"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001
"DisableScriptScanning"=dword:00000001
"DisableRawWriteNotification"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000
"LocalSettingOverrideDisableBehaviorMonitoring"=dword:00000000
"LocalSettingOverrideDisableIOAVProtection"=dword:00000000
"LocalSettingOverrideRealtimeScanDirection"=dword:00000000
"LocalSettingOverrideDisableOnAccessProtection"=dword:00000000
"RealtimeScanDirection"=dword:00000002
"IOAVMaxSize"=dword:00000001
14716FE3
Apr 05, 2022 Copper Contributor
uhm... well, since I see this post here even shows up detected by Google...
Well, I don't know but I guess more people that use 21390.2025 builds from Windows Insider Builds might find this post here too. Please, delete keys you don't need or know what they are. You will see what I did set, make it the opposite if you rather wanna be protected but have certain things set right. This here is just to show all key setting names, so you can then make your own values. *puts on an insecure smile*
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"ServiceKeepAlive"=dword:00000000
"AllowFastServiceStartup"=dword:00000000
"ProxyBypass"="*"
"RandomizeScheduleTaskTimes"=dword:00000000
"DisableRoutinelyTakingAction"=dword:00000001
"DisableAntiSpyware"=dword:00000001
"ProxyServer"="*"
"DisableLocalAdminMerge"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions]
"DisableAutoExclusions"=dword:00000000
"Exclusions_Extensions"=dword:00000001
"Exclusions_IpAddresses"=dword:00000001
"Exclusions_Paths"=dword:00000001
"Exclusions_Processes"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions]
"exe"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\IpAddresses]
"*"="0"
"192.168.0.2"="0"
"localhost"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths]
"\"C:\\\""="0"
"\"Y:\\\""="0"
"\"Z:\\\""="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes]
"\"C:\\Windows\\System32\\sethc.exe\""="0"
"\"C:\\Windows\\System32\\cmd.exe\""="0"
"\"C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe\""="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
"EnableFileHashComputation"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS]
"DisableDatagramProcessing"=dword:00000000
"DisableProtocolRecognition"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS]
"DisableSignatureRetirement"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine]
"LocalSettingOverridePurgeItemsAfterDelay"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableIOAVProtection"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001
"DisableScriptScanning"=dword:00000001
"DisableRawWriteNotification"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000
"LocalSettingOverrideDisableBehaviorMonitoring"=dword:00000000
"LocalSettingOverrideDisableIOAVProtection"=dword:00000000
"LocalSettingOverrideRealtimeScanDirection"=dword:00000000
"LocalSettingOverrideDisableOnAccessProtection"=dword:00000000
"RealtimeScanDirection"=dword:00000002
"IOAVMaxSize"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation]
"LocalSettingOverrideScan_ScheduleTime"=dword:00000000
"Scan_ScheduleDay"=dword:00000008
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting]
"CriticalFailureTimeout"=dword:00000000
"DisableGenericRePorts"=dword:00000001
"DisableEnhancedNotifications"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan]
"DisableArchiveScanning"=dword:00000001
"DisableScanningNetworkFiles"=dword:00000001
"DisableRemovableDriveScanning"=dword:00000001
"DisableRestorePoint"=dword:00000001
"DisableScanningMappedNetworkDrivesForFullScan"=dword:00000001
"AllowPause"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
"DisableScanOnUpdate"=dword:00000001
"ScheduleDay"=dword:00000008
"DisableUpdateOnStartupWithoutEngine"=dword:00000001
"UpdateOnStartUp"=dword:00000000
"MeteredConnectionUpdates"=dword:00000000
"DisableScheduledSignatureUpdateOnBattery"=dword:00000001
"ForceUpdateFromMU"=dword:00000000
"RealtimeSignatureDelivery"=dword:00000000
"SignatureDisableNotification"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen]
"ConfigureAppInstallControlEnabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"LocalSettingOverrideSpynetReporting"=dword:00000000
"DisableBlockAtFirstSeen"=dword:00000001
"SpynetReporting"=dword:00000000
"SubmitSamplesConsent"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration]
"UILockdown"=dword:00000000
"Notification_Suppress"=dword:00000001
"SuppressRebootNotification"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR]
"ExploitGuard_ASR_ASROnlyExclusions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyExclusions]
"\"C:\\\""="0"
"\"Y:\\\""="0"
"\"Z:\\\""="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access]
"EnableControlledFolderAccess"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection]
"EnableNetworkProtection"=dword:00000000
"AllowNetworkProtectionOnWinServer"=dword:00000000
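A defender-side check for a policy file like the one posted above, as an added example that is not part of the original post: it parses a `.reg` export of the Defender policy key and reports values that switch protections off, plus any exclusions. The function names, the `WEAKENING` rule table and the extension list are assumptions of this example; the sample is an excerpt of the posted file.

```python
import re

POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"

# Assumption of this example: value names taken from the posted file, each
# paired with the DWORD that switches the corresponding protection off.
WEAKENING = {
    "DisableAntiSpyware": 1, "DisableRealtimeMonitoring": 1,
    "DisableBehaviorMonitoring": 1, "DisableIOAVProtection": 1,
    "DisableOnAccessProtection": 1, "DisableBlockAtFirstSeen": 1,
    "DisableArchiveScanning": 1, "SpynetReporting": 0,
}
EXECUTABLE_EXTS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js"}  # assumption

# Excerpt of the file posted above, embedded so the example runs offline.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableLocalAdminMerge"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions]
"exe"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths]
"\"C:\\\""="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes]
"\"C:\\Windows\\System32\\cmd.exe\""="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"RealtimeScanDirection"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SpynetReporting"=dword:00000000
"SubmitSamplesConsent"=dword:00000002
'''

_SECTION = re.compile(r'^\[(.+)\]$')
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_STRING = re.compile(r'^"((?:[^"\\]|\\.)*)"$')
_DWORD = re.compile(r'^dword:([0-9a-fA-F]{8})$')


def _unescape(s):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: int | str}} for dword and string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            continue  # file header, blank line, or a value type not handled here
        name, data = _unescape(m.group(1)), m.group(2).strip()
        d, s = _DWORD.match(data), _STRING.match(data)
        if d:
            current[name] = int(d.group(1), 16)
        elif s:
            current[name] = _unescape(s.group(1))
    return keys


def audit(keys):
    """Return sorted (severity, subkey, name, reason) findings for the policy key."""
    findings = []
    for path, values in keys.items():
        if not path.upper().startswith(POLICY_ROOT.upper()):
            continue
        rest = path[len(POLICY_ROOT):]
        if rest and not rest.startswith("\\"):
            continue  # a sibling key that merely shares the prefix
        sub = rest.strip("\\") or "(root)"
        for name, data in values.items():
            if isinstance(data, int) and WEAKENING.get(name) == data:
                findings.append(("high", sub, name, f"protection off (dword {data})"))
            elif sub.startswith("Exclusions\\"):
                item = name.strip('"')  # the posted file wraps paths in quotes
                kind = sub.split("\\", 1)[1]
                broad = (item == "*"
                         or re.fullmatch(r"[A-Za-z]:\\?", item) is not None
                         or (kind == "Extensions"
                             and item.lower().lstrip(".") in EXECUTABLE_EXTS))
                findings.append(("high" if broad else "review", sub, item,
                                 "broad exclusion" if broad else "exclusion present"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(*finding, sep=" | ")
```

`DisableLocalAdminMerge` is deliberately absent from the rule table: a `Disable*` name alone does not mean a protection is off, so the check matches explicit name and value pairs rather than a prefix.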
- 14716FE3
Apr 05, 2022 Copper Contributor
For making policies instantly take action, use Command Prompt or PowerShell as admin and start the ~15 seconds long command:
gpupdate /force /wait:-1
Several settings, though, require you to restart the PC. ... as usual, it's a bit unpredictable on Registry edit time of activation. 🙂
- 14716FE3
Apr 05, 2022 Copper Contributor
last edit:
I forgot to mention EXPLOIT GUARD feature of WinDefend. It needs an outer configuration file. In my Registry-edits you see I used a file "C:\0\Settings.xml" or in "C:\!\Settings.xml"... create an .XML and put this in there: then turn on what you like, false to true.
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
<SystemConfig>
<DEP Enable="false" EmulateAtlThunks="false" />
<ASLR ForceRelocateImages="false" RequireInfo="false" BottomUp="false" HighEntropy="false" />
<SystemCalls DisableWin32kSystemCalls="false" />
<ExtensionPoints DisableExtensionPoints="false" />
<DynamicCode BlockDynamicCode="false" AllowThreadsToOptOut="false" />
<ControlFlowGuard Enable="false" SuppressExports="false" StrictControlFlowGuard="false" />
<SignedBinaries MicrosoftSignedOnly="false" AllowStoreSignedBinaries="false" EnforceModuleDependencySigning="false" />
<Fonts DisableNonSystemFonts="false" AuditOnly="false" />
<ImageLoad BlockRemoteImageLoads="false" AuditRemoteImageLoads="false" BlockLowLabelImageLoads="false" AuditLowLabelImageLoads="false" PreferSystem32="false" AuditPreferSystem32="false" />
<SEHOP Enable="false" TelemetryOnly="false" />
<Heap TerminateOnError="false" />
<UserShadowStack UserShadowStack="false" UserShadowStackStrictMode="false" AuditUserShadowStack="false" />
</SystemConfig>
</MitigationPolicy>