Windows Defender Turned Off by Group Policy [Solved]

Windows Defender is a common AV solution, and attackers know how to work-around it. Learn how to turn Defender back on with this easy tutorial.
Michael Buckbee
2 min read
Last updated February 24, 2022

Picture this scenario: You log into your computer on any random Thursday, and Windows Defender won’t start. You manually kick it off, and you get the message “Windows Defender is turned off by group policy.”

Could it be that you’re hacked?

Get the Free PowerShell and Active Directory Essentials Video Course

Attackers know Windows Defender can detect cyberattacks, so as part of their standard playbook they attempt to disable Defender. Sometimes they could use group policy to disable Windows Defender on multiple machines – depending on their level of access – so they can move more easily between several computers on your network. Sometimes they will use a local group policy to disable Defender. There are other methods attackers use to disable Defender, but the group policy method makes it more difficult for the user to re-enable it.

5 Solutions for Windows Defender Turned Off by Group Policy

If you experience or one of your user’s reports this kind of error, you have several options to re-enable Defender. As a security practitioner, you might want to check several of these settings and a few other items (i.e., malware, AD event logs, ) for evidence of tampering.

Solution 1: Using Group Policy

  1. Open Group Policy editor
  2. Select Local Computer Policy -> Administrative Templates -> Windows Components
    local group policy editor screenshot
  3. Select Windows Defender and in the right panel and double click the setting “Turn off Windows Defender”
    local group policy editor illustrated screenshot
  4. “Turn off Windows Defender” should be set to Enable if you can’t run Windows Defender. You want to disable this option. You will need local administrative rights to make this change
    turn off windows defender screenshot

You should be able to run Windows Defender after you update this GPO.

Solution 2: User Settings

Another option to re-enable Windows Defender is in the Control Panel Settings.

  1. Click the Start button and type Windows Defender, and double click the icon for Windows Defender Security Center – this might be slightly different depending on your version of Windows.
  2. Click Settings, you are looking for a button labeled “Real Time Protection.” Make sure it is on.
    user settings screenshot

Solution 3: Using the Command Line

Another solution is to run the following command from PowerShell – make sure to Run As Administrator.

Set-MpPreference -DisableRealtimeMonitoring 0

Solution 4: Using the Registry Editor

Editing the Registry is another possible fix for this issue.

  1. Run ‘regedit’
  2. Navigate through the tree to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender.
  3. Delete DisableAntiSpyware in the right pane.
  4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection.
  5. Delete DisableRealtimeMonitoring in the right pane.

People report that sometimes the first one works, sometimes the second, sometimes both. Best to delete both to be sure.

Solution 5: Reviewing Conflicting Programs

It is possible that attackers turned off Windows Defender by some other means and not from direct tampering with computer settings. You may have to investigate further to get everything back up and running.

Check for Malware

Malware can turn off Defender and keep it off despite your best efforts to re-enable it. If you aren’t able to turn Defender back on you might be infected. Install and run another malware detector of your choice and see if you can find and remove the infection.

Another option is to do what Varonis ITSec does and reinstall the OS.

Check Third-Party Antivirus Tools

If none of the other solutions work, make sure if you have another anti-virus application installed that it works with Windows Defender. Some anti-virus programs don’t. Some EDR solutions do.

Windows Defender is a good line of defense in a layered security strategy, but it is relatively easy for attackers to work-around. Just as easily as you can turn it on, they can turn it back off.

solutions for windows defender turned off by group policy

Varonis provides monitoring, perimeter telemetry, and advanced data security analytics for detecting intrusions and attackers even when they attempt to hide by turning off Windows Defender. Varonis monitors changes to GPOs and will throw an alert anytime someone changes a GPO. Varonis also detects attackers that connect from new network connections in strange geolocations and attempt to steal or escalate privileges.

Want to see how Varonis protects you from attack? Sign up for a free Live Cyber Attack Workshop right now!

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

detecting-honeypot-access-with-varonis
Detecting Honeypot Access With Varonis
Honeypots are traps that the Blue Team (defenders) plant to catch potentially bad actors trying to exploit a vulnerability, snoop for data, or escalate privileges. Since a honeypot is a decoy,...
how-honeypots-unmask-hackers-&-scammers-online
How Honeypots Unmask Hackers & Scammers Online
How defenders use honeypots to unmask hackers, scammers, and internet catfish with tracking links
sysmon-threat-analysis-guide
Sysmon Threat Analysis Guide
In my various pentesting experiments, I’ll pretend to be a blue team defender and try to work out the attack. If you have good security eyes, you can search for...
hardbit-2.0-ransomware
HardBit 2.0 Ransomware
HardBit is a ransomware threat that targets organizations to extort cryptocurrency payments for the decryption of their data. Seemingly improving upon their initial release, HardBit version 2.0 was introduced toward the end of November 2022, with samples seen throughout the end of 2022 and into 2023.