
I work with many test PCs, so I want to automate the procedure for installing the OS and setting it up.

  • Disabling anti-virus is one of the set-up steps, done via the command below; it worked well for a while, but now it doesn't work, showing the error Access Denied:
    Reg Add "HKLM\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    

I found that "Tamper Protection" blocks attempts to modify registry keys for Windows Defender; I know how to turn it off using the GUI, but for automating, I'd like to do this via CLI.

  • I tried to modify the registry key for "Tamper Protection" via regedit, but it seems it blocks the attempt to modify itself

Is there any way to turn off "Tamper Protection" using command line?

JW0914
Taewoong.Kim
  • The permissions on those registry keys need to be changed before they can be modified, you need to take ownership of the key and all sub keys. – Moab Feb 28 '20 at 11:40
  • Given you are doing all this for fresh windows installations, have a look at NT Lite, to slipstream your windows. You can basically bake in all the changes into a fresh OS install. All you do is install using your custom USB stick and no further changes are necessary anymore. Once in a while, you have to update your USB stick, but that is easily done. – LPChip Feb 28 '20 at 12:32
  • Another option to @LPChip's great suggestion is [MDT](https://docs.microsoft.com/en-us/sccm/mdt/) (**M**icrosoft **D**eployment **T**oolkit), with more details in [this](https://superuser.com/a/1480619/529800) answer. – JW0914 Jun 12 '20 at 11:35

2 Answers


As mentioned in the comments, you need permission to change some registry keys. NTLite was also mentioned - a great program.

I use the SetACL tool to do it programmatically. Changing permissions for a registry key with SetACL:

    SetACL.exe -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\YourService" -ot reg -actn setowner -ownr "n:Administrators"

GChuf

TL;DR you can't.

Even if you take permission of the key and revoke permissions to all other accounts/groups, the key is still protected and unable to be changed. MS's official answer is to either use Intune for your organization or do it manually.

Anon
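
A preflight check the automation could run before the registry step from the question, as an added example that is not part of the original posts: it reads the Tamper Protection state through the `IsTamperProtected` property of `Get-MpComputerStatus` and stops the script so the machine can be handled through the GUI or Intune. The function name `Get-TamperProtectionState` and the exit codes are assumptions chosen for illustration.

```powershell
# Added example (not from the original posts): preflight for a provisioning script.
# Reports whether Defender Tamper Protection is on, so the Defender policy
# registry step is attempted only when it is not going to be refused.

function Get-TamperProtectionState {
    # Get-MpComputerStatus comes with the Defender module; if the module is
    # missing or cannot load, report 'Unknown' instead of failing the run.
    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        return 'Unknown'
    }
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        return 'Unknown'
    }
    # Builds that predate Tamper Protection do not expose this property.
    if ($null -eq $status.IsTamperProtected) { return 'Unknown' }
    if ($status.IsTamperProtected) { return 'On' } else { return 'Off' }
}

# Exit codes are an assumption for this example: 0 = off, 1 = unknown, 2 = on.
$state = Get-TamperProtectionState
switch ($state) {
    'On' {
        Write-Warning 'Tamper Protection is on: the Defender policy registry write is refused (Access Denied).'
        Write-Warning 'Flag this machine for the GUI or Intune step before continuing.'
        exit 2
    }
    'Off' {
        Write-Output 'Tamper Protection is off: Defender policy changes can proceed.'
        exit 0
    }
    default {
        Write-Warning 'Tamper Protection state could not be determined on this build.'
        exit 1
    }
}
```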