Windows Defender cannot be disabled (Win10 1909): PermissionDenied

[cooky-cook]

Hi,

I've tried to use the latest version of your script on a clean install of Windows 1909. Almost everything works, but when I try to disable Windows Defender (Cloud), the following errors come up.

Here are the relevant errors:

Disabling Windows Defender...
Set-ItemProperty : Attempted to perform an unauthorized operation.
At C:\Users\anon\Desktop\Win10-Initial-Setup-Script\Win10.psm1:660
char:2
+     Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (DisableAntiSpyware:String) [Set-ItemProperty], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

Disabling Windows Defender Cloud...
Set-ItemProperty : Attempted to perform an unauthorized operation.
At C:\Users\anon\Desktop\Win10-Initial-Setup-Script\Win10.psm1:687
char:2
+     Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (SpynetReporting:String) [Set-ItemProperty], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

[twoatechguy]

It sounds like 1909 may have Defender Tamper Protection turned on as default, it wasn't previously. More info is at #238 too.

[cooky-cook]

Disabling Tamper Protection in Virus & Threat Protection > Virus & Threat Protection Settings has helped. Now Windows Defender can be disabled using the script.

The question is if this can be automated.

[Disassembler0]

This is strange. I can't reporoduce the problem, but at the same time, I can't figure out what may have caused it.

Today I've installed clean 1909 Pro (build 18363.476) and the tamper protection was disabled by default, with the yellow exclamation mark warning, same as on 1903. This alone is a bit weird, as the Tamper Protection note says that it's supposed to be enabled by default. Nevertheless, I have enabled it manually, rebooted and tried to apply DisableDefender and DisableDefenderCloud. To my surprise, both tweaks with all GPO registry keys got applied without any errors. The Tamper Protection note also mentions that when the protection is active, DisableAntiSpyware group policy key is ignored, which is indeed what I have observed (So effectively DisableDefender disabled just the tray icon). However the 2 GPO keys from DisableDefenderCloud still got applied correctly and have observable effect in the Defender UI.

So I though that maybe OP simply run that tweak without admin privileges, but that doesn't seem to be the case either, as none of the possible outcomes would result in UnauthorizedAccessException with the message Attempted to perform an unauthorized operation.

@cooky-cook: Could you please provide more info about your setup? Namely build number, edition, licensing type etc. Alternatively, it you have recently applied updates and are now on build 18363.476, could you please try to apply the DisableDefenderCloud again? It's possible that there was some bug preventing application of those registry values which got fixed recently.