Microsoft has now removed the ability for administrators to disable the Microsoft Defender antivirus included in Windows. This is intended to make it more difficult for malware to turn off the virus protection. At the same time, the registry entries and group policies concerned are rendered ineffective.
I had already noticed the other day that colleagues from the German site deskmodder.de reported in this article that the DisableAntiSpyware entry in the Microsoft Defender settings has no longer been effective since August 2020. At that point I couldn't really make sense of it, until I read the article at Bleeping Computer and realized that something had changed in Microsoft Defender under Windows 10. Now, blog reader Andreas E. drew my attention to this topic via Facebook (thanks for that):
By the way: The Defender AV can't be deactivated via GPO on Windows 10 clients anymore. Microsoft has rolled this out to all W10 clients in the current patchday!
This means 3rd party AVs MUST use the APIs provided by MS to register properly. Otherwise there will be complications!
Andreas posted the link to the Microsoft support article DisableAntiSpyware. The post was updated on 08/21/2020, and contains the following note:
DisableAntiSpyware is intended to be used by OEMs and IT Pros to disable Microsoft Defender Antivirus and deploy another antivirus product during deployment. This is a legacy setting that is no longer necessary as Microsoft Defender antivirus automatically turns itself off when it detects another antivirus program. This setting is not intended for consumer devices, and we've decided to remove this registry key. This change is included with Microsoft Defender Antimalware platform versions 4.18.2007.8 and higher KB 4052623. Enterprise E3 and E5 editions will be released at a future date. Note that this setting is protected by tamper protection. Tamper protection is available in all Home and Pro editions of Windows 10 version 1903 and higher and is enabled by default. The impact of the DisableAntiSpyware removal is limited to Windows 10 versions prior to 1903 using Microsoft Defender Antivirus. This change does not impact third party antivirus connections to the Windows Security app. Those will still work as expected.
The DisableAntiSpyware option was originally intended for OEMs and IT professionals to disable Microsoft Defender Antivirus when other antivirus products were installed on a Windows 10 client. It was never intended for the consumer platforms (Windows 10 Home and Pro). Microsoft has now decided that this option in the registry is unnecessary, because Defender detects when other antivirus software registers via the designated API and then turns itself off.
Microsoft has therefore removed the evaluation of the registry value for deactivating Defender in Microsoft Defender Antimalware Platform version 4.18.2007.8 and higher, delivered via the update KB4052623. The registry key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender
and the DisableAntiSpyware value that may be present there are no longer evaluated. Group policies ('Turn off Microsoft Defender Antivirus') that are meant to deactivate Defender using this value also no longer have any effect. Since Windows 10 version 1903 it has been possible to prevent Defender from being switched off by malware by means of Tamper Protection.
Bleeping Computer mentioned here that malware can set the DisableAntiSpyware value, but that this value will be removed by Tamper Protection. Defender will nevertheless still be disabled for the current session.
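An added example (not from the article or from Microsoft) for checking an endpoint against the change described above: it reads the DisableAntiSpyware policy value and compares the installed platform version with 4.18.2007.8. It uses the built-in Get-MpComputerStatus cmdlet; the function name Get-DisableAntiSpywareAudit and the finding texts are assumptions made for this example, and edition-specific rollout differences are not modelled.

```powershell
# Added example, not Microsoft's or the article's code.
# Get-DisableAntiSpywareAudit is a hypothetical helper name.
function Get-DisableAntiSpywareAudit {
    [CmdletBinding()]
    param(
        # Policy key named in the article.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
        # First platform version that no longer evaluates the value (per the article).
        [version]$Cutoff = '4.18.2007.8'
    )

    # Read the policy value; it stays $null if the key or the value is missing.
    $value = $null
    if (Test-Path -LiteralPath $PolicyKey) {
        $item  = Get-ItemProperty -LiteralPath $PolicyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        $value = $item.DisableAntiSpyware
    }

    # Get-MpComputerStatus can fail when the Defender service is not running,
    # e.g. after a third-party AV registered and Defender turned itself off.
    $status = $null
    try { $status = Get-MpComputerStatus -ErrorAction Stop } catch { }

    $platform = $null
    if ($status -and $status.AMProductVersion) {
        $platform = [version]$status.AMProductVersion
    }

    # Classify the combination of policy value and platform version.
    $finding = if ($null -eq $value) { 'DisableAntiSpyware not set' }
    elseif ($null -eq $platform)     { 'Value set; Defender status unavailable, check the registered AV' }
    elseif ($platform -ge $Cutoff)   { 'Value set but no longer evaluated; remove it and find out what wrote it' }
    else                             { 'Value set and still evaluated; update the platform (KB4052623)' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DisableAntiSpyware = $value
        PlatformVersion    = $platform
        TamperProtected    = $status.IsTamperProtected
        AntivirusEnabled   = $status.AntivirusEnabled
        Finding            = $finding
    }
}

Get-DisableAntiSpywareAudit | Format-List
```

A DisableAntiSpyware value that your own group policies do not deploy is worth following up, since the article notes that malware can set it.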
Similar articles:
Windows 10 V1903 get Windows Defender Tamper-Protection
Tamper Protection ported to older Windows 10 versions
Windows 10 V1903: Microsoft activates Tamper Protection
This appears to be a reality when the newest KB4052623 Defender Platform v4.18.2108.7 update (Sept. 2021) is installed.