Picture this scenario: You log into your computer on any random Thursday, and Windows Defender won’t start. You manually kick it off, and you get the message “Windows Defender is turned off by group policy.”
Could it be that you’re hacked?
Get the Free PowerShell and Active Directory Essentials Video Course
Attackers know Windows Defender can detect cyberattacks, so as part of their standard playbook they attempt to disable Defender. Sometimes they could use group policy to disable Windows Defender on multiple machines – depending on their level of access – so they can move more easily between several computers on your network. Sometimes they will use a local group policy to disable Defender. There are other methods attackers use to disable Defender, but the group policy method makes it more difficult for the user to re-enable it.
5 Solutions for Windows Defender Turned Off by Group Policy
If you experience or one of your user’s reports this kind of error, you have several options to re-enable Defender. As a security practitioner, you might want to check several of these settings and a few other items (i.e., malware, AD event logs, ) for evidence of tampering.
Solution 1: Using Group Policy
- Open Group Policy editor
- Select Local Computer Policy -> Administrative Templates -> Windows Components
- Select Windows Defender and in the right panel and double click the setting “Turn off Windows Defender”
- “Turn off Windows Defender” should be set to Enable if you can’t run Windows Defender. You want to disable this option. You will need local administrative rights to make this change
You should be able to run Windows Defender after you update this GPO.
Solution 2: User Settings
Another option to re-enable Windows Defender is in the Control Panel Settings.
- Click the Start button and type Windows Defender, and double click the icon for Windows Defender Security Center – this might be slightly different depending on your version of Windows.
- Click Settings, you are looking for a button labeled “Real Time Protection.” Make sure it is on.
Solution 3: Using the Command Line
Another solution is to run the following command from PowerShell – make sure to Run As Administrator.
Set-MpPreference -DisableRealtimeMonitoring 0
Solution 4: Using the Registry Editor
Editing the Registry is another possible fix for this issue.
- Run ‘regedit’
- Navigate through the tree to
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender. - Delete DisableAntiSpyware in the right pane.
- Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection. - Delete DisableRealtimeMonitoring in the right pane.
People report that sometimes the first one works, sometimes the second, sometimes both. Best to delete both to be sure.
Solution 5: Reviewing Conflicting Programs
It is possible that attackers turned off Windows Defender by some other means and not from direct tampering with computer settings. You may have to investigate further to get everything back up and running.
Check for Malware
Malware can turn off Defender and keep it off despite your best efforts to re-enable it. If you aren’t able to turn Defender back on you might be infected. Install and run another malware detector of your choice and see if you can find and remove the infection.
Another option is to do what Varonis ITSec does and reinstall the OS.
Check Third-Party Antivirus Tools
If none of the other solutions work, make sure if you have another anti-virus application installed that it works with Windows Defender. Some anti-virus programs don’t. Some EDR solutions do.
Windows Defender is a good line of defense in a layered security strategy, but it is relatively easy for attackers to work-around. Just as easily as you can turn it on, they can turn it back off.
Varonis provides monitoring, perimeter telemetry, and advanced data security analytics for detecting intrusions and attackers even when they attempt to hide by turning off Windows Defender. Varonis monitors changes to GPOs and will throw an alert anytime someone changes a GPO. Varonis also detects attackers that connect from new network connections in strange geolocations and attempt to steal or escalate privileges.
Want to see how Varonis protects you from attack? Sign up for a free Live Cyber Attack Workshop right now!
