Windows 11: Windows Defender & Smartscreen re-activate after reboot
Xaymar opened this issue · 4 comments
See title for the problem. All the changes are reverted upon reboot, and all Group Policy changes made to Windows Defender are also reverted. Seems like Microsoft hates this one weird trick to get 50% of our CPU back and +200% battery lifetime...
This might be due to changes from windows updates, will have a look in from my w11 machine when I get the chance to. Thanks for letting me know
For now I just excluded all my drives entirely from any scanning, which works for now. Not as good as no Windows Defender, but better than nothing.
✅ Still present
❌ Gone
- ❌
SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = 0 - ❌
SYSTEM\CurrentControlSet\Services\wscsvc\Start = 4 - ❌
SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1 - ❌
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\SecurityHealth = 3b - ✅
SYSTEM\CurrentControlSet\Services\WinDefend\Start = 3 - ✅
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 1
Unsure how to check WMIC related changes. Seems like a TamperProtection of 0 is invalid on Windows 11, so it resets things related to it.
Edit: Found a way to make it stick after reboot/hibernate:
- Manually set TamperProtection to 0 using AdvancedRun from Nirsoft while MsMpEng is suspended.
- Reboot.
- Run this tool with the same AdvancedRun from Nirsoft.
- Reboot.
- Success-ish. Software that for no reason hooks into the Microsoft Defender engine, like Firefox, will still encounter a stutter.
Seems like Microsoft is finally done moving things around for now. The tool works again as expected, but there's now a 2nd on-access check for applications, which defaults to on. Turning it off as well appears to prevent this from occuring entirely.