Windows 10/11: Microsoft Defender can no longer be disabled

Windows[German]I'm going to address an old issue that might affect administrators who are migrating clients to Windows 11. In some scenarios, applications run very slowly or the system or applications start sluggishly. The clients are underperforming, even if the application was sufficient for Windows 10. One reason could be that the applications or their network connections are slowed down by Microsoft Defender. In the meantime, however, it is the case that Microsoft Defender cannot be disabled under Windows 11 (now also under Windows 10) via policies or a registry entry. Only when using third-party antivirus solutions can Microsoft Defender be deactivated and put into passive mode.


Advertising


It is an old topic, that I've addressed in August 2022 within my blog post Microsoft Defender can no longer be disabled under Windows 10. Microsoft has removed the ability for administrators to disable the Defender included in Windows 10 and above. This is intended to make it more difficult for malware to turn off the virus protection. At the same time, the registry entries and group policies concerned are rendered ineffective. But this may causes headache from time to time, as the following case shows.

Windows 11 and sluggish software

German Blog reader Alexander Fuchs had already pointed me to the topic in an email in mid-August 2023, which is slowly being discussed at administrator.de in a lengthy thread Netzwerkperfomance und div. Anwendungen langsam (thanks for that, I'm only now getting around to picking up the topic).

The facts: an administrator started to migrate some Dell machines as Windows clients from Windows 10 to Windows 11 21H2/22H2 and roll them out in the corporate environment. The systems are as follows:

2022: DELL Vostro mit i3-12100 / 8GB RAM DDR4-3200 / 256GB NVMe SSDs (WD SN740 & Kioxia) / Realtek NICs (RTL8111HSD)
2022: DELL Vostro mit i5-12400 / 16GB RAM DDR4-3200 / 512GB NVMe SSD (Micro 2210S) / Realtek NIC (RTL8111HSD)
2023: DELL Optiplex mit i3-13100 / 8GB RAM DDR4-3200 / 256GB NVMe SSDs (Samsung PM9B1) / Intel i219-LM NICs
2023: Terra BTO mit i3-12100 / 8GB RAM / 250GB NVMe SSDs / Intel i219-V NICs

No high-performance computers, but the clients should actually be sufficient for office use – especially since these clients were doing their job with Windows 10 21H2 / 22H2. However, the administrator had to make the experience that users reported that the new Windows 11 clients with a frequently used application (financial software on a Progress database) ran very sluggishly.

Windows 11: Defender can no longer be disabled

The first guess was that it had to do with the network connections and the optimization of the TCP/IP stack. I had reported on this topic in the blog post Microsoft's TCP mess, how to optimize in Windows 10/11. And the second guess was that phishing protection in Windows 11 was the culprit (see Windows 11 network traffic generates twice as much CPU load as Windows 10).


Advertising

The discussion thread Netzwerkperfomance und div. Anwendungen langsam at administrator.de revolves around this topic for a very long time and attempts to find out the cause of the observed system brakes for the applications. In the end the suspicion arose that the antivirus solution was the cause and it was said:

Apparently our AV still disables something on the machines in Windows Security that the GPO for Defender does not. This could also explain why the second computer in my office became fast after disabling the phishing protection without further intervention, but with our AV.

That was that, what I mentioned in 2020 in my blog post Microsoft Defender can no longer be disabled under Windows 10 which is also valid for Windows 11.

Alexander then named another problem in this post. The Group Policies (GPOs) to disable Microsoft Defender no longer work in Windows 11 because Microsoft made the corresponding registry entry of this GPO non-functional. The whole thing is described by Microsoft in the support post DisableAntiSpyware as of Sept 7, 2023.

  • Microsoft states that the DisableAntiSpyware registry entry, which specifies whether to disable Microsoft Defender Antivirus, was intended for OEMs and IT professionals only.
  • The value was then downgraded to the legacy setting, which was no longer necessary, it said, because Microsoft Defender Antivirus automatically turns off when another antivirus program is detected on the device. Since the GPO was not intended for consumer devices, Microsoft decided to remove this registry key.

In the meantime, the DisableAntiSpyware registry setting (and disabling Microsoft Defender Antivirus) will be ignored on client/server endpoints for devices integrated with Microsoft Defender for Endpoint. This is to improve the security status of customers and ensure parity between Microsoft's offerings (SKUs).

This change is included in Microsoft Defender Antimalware Platform version 4.18.2108.4 and later (see KB405623) and this setting is additionally protected by tamper protection. Tamper protection is available in all editions of Windows 10, version 1903 and above, and is enabled by default for consumers as well as new enterprise customers. Alexander concludes that Microsoft Defender can no longer be disabled on systems with, for example, Microsoft Office 365 E3/E5 installed (where Microsoft Defender for Endpoint is integrated).

Customers who then run into problems with applications caused by Microsoft Defender then only have the option of installing a third-party antivirus scanner – in the hope that Defender will be disabled (and put into passive mode) and the third-party antivirus scanner will no longer slow down the applications. However, the whole thing becomes a problem when Windows does not cleanly recognize the installed third-party antivirus solution. Then Defender and the third-party antivirus scanner run in parallel and slow each other down.

Remove Defender

Administrators running into problems above might try removing Microsoft Defender on clients (or servers). There is a forum post on administrator.de that confirms the above observations. There it refers to the Defender Remover/Disabler, a GitHub project that can be used to remove the Microsoft AV solution from Windows.

This tool removes/disables Microsoft Defender, including Windows Security App, in Windows. Furthermore, it removes Windows Virtualization-Based Security (VBS), Windows SmartScreen, Windows Security Services, Windows Web-Threat Service, Windows File Virtualization (UAC), Microsoft Defender App Guard, Microsoft Driver Block List, System Mitigations and Windows Defender page in Settings App on Windows 10 or later. But each cumulative update will ship the defender again to Windows.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *