Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis named a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023

Read the report

Windows Defender Turned Off by Group Policy [Solved]

2 min read
Published June 17, 2020
Last updated February 24, 2022

Picture this scenario: You log into your computer on any random Thursday, and Windows Defender won’t start. You manually kick it off, and you get the message “Windows Defender is turned off by group policy.”

Could it be that you’re hacked?

Get the Free PowerShell and Active Directory Essentials Video Course

Attackers know Windows Defender can detect cyberattacks, so as part of their standard playbook they attempt to disable Defender. Sometimes they could use group policy to disable Windows Defender on multiple machines – depending on their level of access – so they can move more easily between several computers on your network. Sometimes they will use a local group policy to disable Defender. There are other methods attackers use to disable Defender, but the group policy method makes it more difficult for the user to re-enable it.

5 Solutions for Windows Defender Turned Off by Group Policy

If you experience or one of your user’s reports this kind of error, you have several options to re-enable Defender. As a security practitioner, you might want to check several of these settings and a few other items (i.e., malware, AD event logs, ) for evidence of tampering.

Solution 1: Using Group Policy

  1. Open Group Policy editor
  2. Select Local Computer Policy -> Administrative Templates -> Windows Components
    local group policy editor screenshot
  3. Select Windows Defender and in the right panel and double click the setting “Turn off Windows Defender”
    local group policy editor illustrated screenshot
  4. “Turn off Windows Defender” should be set to Enable if you can’t run Windows Defender. You want to disable this option. You will need local administrative rights to make this change
    turn off windows defender screenshot

You should be able to run Windows Defender after you update this GPO.

Solution 2: User Settings

Another option to re-enable Windows Defender is in the Control Panel Settings.

  1. Click the Start button and type Windows Defender, and double click the icon for Windows Defender Security Center – this might be slightly different depending on your version of Windows.
  2. Click Settings, you are looking for a button labeled “Real Time Protection.” Make sure it is on.
    user settings screenshot

Solution 3: Using the Command Line

Another solution is to run the following command from PowerShell – make sure to Run As Administrator.

Set-MpPreference -DisableRealtimeMonitoring 0

Solution 4: Using the Registry Editor

Editing the Registry is another possible fix for this issue.

  1. Run ‘regedit’
  2. Navigate through the tree to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender.
  3. Delete DisableAntiSpyware in the right pane.
  4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection.
  5. Delete DisableRealtimeMonitoring in the right pane.

People report that sometimes the first one works, sometimes the second, sometimes both. Best to delete both to be sure.

Solution 5: Reviewing Conflicting Programs

It is possible that attackers turned off Windows Defender by some other means and not from direct tampering with computer settings. You may have to investigate further to get everything back up and running.

Check for Malware

Malware can turn off Defender and keep it off despite your best efforts to re-enable it. If you aren’t able to turn Defender back on you might be infected. Install and run another malware detector of your choice and see if you can find and remove the infection.

Another option is to do what Varonis ITSec does and reinstall the OS.

Check Third-Party Antivirus Tools

If none of the other solutions work, make sure if you have another anti-virus application installed that it works with Windows Defender. Some anti-virus programs don’t. Some EDR solutions do.

Windows Defender is a good line of defense in a layered security strategy, but it is relatively easy for attackers to work-around. Just as easily as you can turn it on, they can turn it back off.

solutions for windows defender turned off by group policy

Varonis provides monitoring, perimeter telemetry, and advanced data security analytics for detecting intrusions and attackers even when they attempt to hide by turning off Windows Defender. Varonis monitors changes to GPOs and will throw an alert anytime someone changes a GPO. Varonis also detects attackers that connect from new network connections in strange geolocations and attempt to steal or escalate privileges.

Want to see how Varonis protects you from attack? Sign up for a free Live Cyber Attack Workshop right now!

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
speed-data: why-cybersecurity-is-an-unceasing-progression-with-siwar-el-assad
Speed Data: Why Cybersecurity is an Unceasing Progression With Siwar El Assad
Siwar El Assad chats about the impact of cybersecurity on modern society, the reality of breaches, and how a chance encounter led Siwar to the industry.
DSPM Deep Dive: Debunking Data Security Myths
DSPM is the leading acronym in cybersecurity. However, the recent buzz has cluttered the meaning of data security posture management. Let's demystify it.
Speed Data: Rethinking Traditional Cybersecurity Principles With Rick Howard
Rick Howard, author, journalist, and Senior Fellow at the CyberWire, chats about his new book on rebooting cybersecurity principles with Varonis' Megan Garza.
The Benefits of Threat and Data Breach Reports
Threat and data breach reports can help organizations manage security risks and develop mitigation strategies. Learn our three pillars of effective data protection and the benefits from these reports.