Powershell Set-MpPreference -DisableRealtimeMonitoring $true not working correctly

Zach Generic Name · Feb 24, 2018 · Viewed 19.7k times

I must warn you I don't use PowerShell much. I am trying to turn off Windows Defender real-time protection via PowerShell. I found the command Set-MpPreference -DisableRealtimeMonitoring $true and tried it with admin privileges, only to get this:

Set-MpPreference : Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference. Target: DisableRealtimeMonitoring. At line:1 char:1
+ Set-MpPreference -DisableRealtimeMonitoring $true
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft...FT_MpPreference)
[Set-MpPreference], CimException
+ FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference

Any thoughts?

Answer

mklement0 · Feb 25, 2018

The problem is that the Windows Defender antivirus services seem to be persistently disabled on your machine.

It's unfortunate that the Set-MpPreference cmdlet reports this in such an obscure fashion.

To fix this problem, re-enable the Windows Defender antivirus services:

The easiest way to do this is the following, but note that it involves a reboot:

Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware 0
Restart-Computer
  • You may instead use the Local Group Policy Editor-based method described in this windowscentral.com article, or use regedit.exe's GUI, or use the reg.exe CLI utility.

    • Note that the linked instructions are slightly outdated (instead of node Windows Defender, setting Turn off Windows Defender, target node Windows Defender Antivirus, setting Turn off Windows Defender Antivirus).

    • While using the Local Group Policy Editor (gpedit.msc) to turn the antivirus services off takes effect immediately, turning them back on can take minutes before the services are actually restarted (on the plus side, no reboot is required, unlike what the linked instructions say).

  • Note that if you re-enable via the registry, such as via the above PowerShell command, whereas disabling was originally performed via [local] group policy, that policy will continue to reflect the disabling (however, it is the registry setting that matters).
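A diagnostic script for the situation the answer describes, added here as an example and not part of the original question or answer: it checks the policy value the answer points at, the WinDefend service state and what the Defender module itself reports, so you can see why Set-MpPreference fails with 0x800106ba before touching anything, and optionally applies the answer's registry fix. The function name, the `-Repair` switch and the "will fail" heuristic are my own; it assumes an elevated session on a machine with the Defender PowerShell module.

```powershell
# Added example (not from the original post): diagnose why Set-MpPreference
# fails with 0x800106ba and, with -Repair, apply the answer's registry fix.
# Assumes an elevated PowerShell session with the Defender module available.
function Test-DefenderPolicyDisabled {
    [CmdletBinding()]
    param(
        # Policy key and value name are the ones quoted in the answer above.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
        [switch]$Repair
    )

    $report = [ordered]@{}

    # 1. Policy/registry: DisableAntiSpyware = 1 keeps the antivirus service off
    #    persistently, which is the condition the answer identifies.
    $policy = Get-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $report.PolicyDisableAntiSpyware = if ($null -ne $policy) { $policy.DisableAntiSpyware } else { '<not set>' }

    # 2. Service state: WinDefend is the Windows Defender antivirus service.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $report.WinDefendStatus = if ($svc) { $svc.Status.ToString() } else { '<service not found>' }

    # 3. The module's own view. This call can itself fail when the service is
    #    disabled, which is the same root cause as the 0x800106ba error.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        $report.AMServiceEnabled           = $status.AMServiceEnabled
        $report.RealTimeProtectionEnabled  = $status.RealTimeProtectionEnabled
    } catch {
        $report.AMServiceEnabled = "<query failed: $($_.Exception.Message)>"
    }

    # Heuristic (my assumption): Set-MpPreference will not succeed while the
    # policy value is 1 or the service is not running.
    $report.SetMpPreferenceLikelyFails = ($report.PolicyDisableAntiSpyware -eq 1) -or
                                         ($report.WinDefendStatus -ne 'Running')

    if ($Repair -and $report.PolicyDisableAntiSpyware -eq 1) {
        # The answer's fix: clear the policy value; a reboot is still required.
        Set-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware -Value 0
        $report.RepairApplied = $true
        Write-Warning 'DisableAntiSpyware set to 0; run Restart-Computer for the service to come back.'
    }

    [pscustomobject]$report
}

# Usage: Test-DefenderPolicyDisabled           # report only
#        Test-DefenderPolicyDisabled -Repair   # also apply the registry fix
```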