Open Disassembler0 opened 5 years ago
Perhaps the TamperProtection key in HKLM\SOFTWARE\Microsoft\Windows Defender\Features might be something that is only honored during the initial install of the OS, similar to the ShippedWithReserves key for the Reserved Storage feature?
1903 added the Tamper Protection feature to Windows Defender. This basically blocks all attempts to modify Defender-related registry, unless you're doing it as the TrustedInstaller user.
By default, the protection seems to be disabled, but nags with a warning. Scope of this issue is either:
or
Set-MpPreference cmdlet or directly as TrustedInstaller (this theoretically should not be possible, but where there's a will, there's a way)
There is a related setting under HKLM:\SOFTWARE\Microsoft\Windows Defender\Features, but manually dismissing the warning doesn't seem to change anything anywhere in the registry, so there may be something else in the SQLite databases under C:\ProgramData\Microsoft\Windows Defender.