Zach Generic Name

Reputation: 135

Powershell Set-MpPreference -DisableRealtimeMonitoring $true not working correctly

I must warn you I don't use PowerShell much. I am trying to turn off Windows Defender real-time protection via PowerShell. I found the command Set-MpPreference -DisableRealtimeMonitoring $true and tried it with admin privileges, only to get this:

Set-MpPreference : Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference. Target: DisableRealtimeMonitoring.
At line:1 char:1
+ Set-MpPreference -DisableRealtimeMonitoring $true
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft...FT_MpPreference) [Set-MpPreference], CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference

Any thoughts?

Upvotes: 9

Views: 55038

Answers (5)

POA

Reputation: 1

As mentioned in the comment replying to @mklement0's accepted answer, there are various other circumstances under which users might be prevented from making changes to security settings locally. If you are working on a machine with an Enterprise version of Windows 10/11, you may find that none of the solutions you find have any impact ultimately.

One Possible Cause

One such situation is where the machine is managed by Group Policy and configured to ignore any changes made by local administrators[1]. This includes changes made to the registry, either directly or by way of PowerShell commands. There is a way to "override the override" but note that most such machines are configured to download group policy updates at logon, which would effectively revert the computer (and any changes to the registry) back to a compliant state. So, the 'solution' below is not really a solution and the effect will likely only last until the next Windows restart:

⚠️ WARNING ⚠️

Making such changes to a company-owned machine could result in punitive action, including but not limited to loss of employment! I advise against doing so, unless you own the machine and comprehend the risk to your OS / data of making changes to the registry.

DisableLocalAdminMerge (.reg)

Save the below code block in a text file and change the extension to .reg (to create a registry editor script).

Windows Registry Editor Version 5.00
; Created by: POA
; Created on: February 02, 2024
; 
; ++++++++++++++++++++++++++++++++++++


[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender]
"DisableLocalAdminMerge"=dword:00000000

Running the resulting .reg file will change the registry value for the key located at registry path HKLM\Software\Policies\Microsoft\Windows Defender, DisableLocalAdminMerge, to 0 (or create it if it does not already exist). A value of 0 equates to 'False' and, as a result, this will enable Local Admin Merge (Defender will read configuration settings outside of Group Policy in addition to those enumerated by GPO).


[1]: Configure Local Policy Overrides for Microsoft Defender Antivirus (Microsoft Learn)

Upvotes: 0

Matías

Reputation: 1

Add-MpPreference: The following error occurred during the operation: 0x800106ba. Operation: MpPreference. Destination: ConfigListExtension.

PS: At my work, we use Kaspersky.

Upvotes: -1

Ashu Rawat

Reputation: 1

Before Set-MpPreference -DisableRealtimeMonitoring $true, disable the intrusion detection system with the command below:

Set-MpPreference -DisableIntrusionPreventionSystem $true

Upvotes: 0

Ami

Reputation: 31

If you get this error:

Add-MpPreference: Operation failed with the following error: 0x%1!x!

check if you're not in an Admin shell. You need to choose Windows PowerShell -> Run as Administrator.

Upvotes: 3

mklement0

Reputation: 439892

The problem is that the Windows Defender antivirus services seem to be persistently disabled on your machine.

It's unfortunate that the Set-MpPreference cmdlet reports this in such an obscure fashion.

To fix this problem, re-enable the Windows Defender antivirus services:

The easiest way to do this is the following, but note that it involves a reboot:

Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware 0
Restart-Computer

  • You may instead use the Local Group Policy Editor-based method described in this windowscentral.com article, or use regedit.exe's GUI, or use the reg.exe CLI utility.

  • Note that the linked instructions are slightly outdated: instead of node Windows Defender, setting Turn off Windows Defender, target node Windows Defender Antivirus, setting Turn off Windows Defender Antivirus.

  • While using the Local Group Policy Editor (gpedit.msc) to turn the antivirus services off takes effect immediately, turning them back on can take minutes before the services are actually restarted (on the plus side, no reboot is required, unlike what the linked instructions say).

  • Note that if you reenable via the registry, such as via the above PowerShell command, while having originally disabled via the [local] group policy, that policy will continue to reflect the disabling in the GUI (however, it is the registry setting that matters).

Upvotes: 12
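
Added example, not part of any answer above: a read-only PowerShell check that reports the conditions the answers name as causes of 0x800106ba (the state of the WinDefend service and the DisableAntiSpyware and DisableLocalAdminMerge values under the policy key). The function name Get-DefenderPolicyState and the wording of its findings are assumptions made for this example; it changes nothing on the machine.

```powershell
# Added example: read-only; it changes no Defender setting.
# Get-DefenderPolicyState is a hypothetical helper name.
function Get-DefenderPolicyState {
    [CmdletBinding()]
    param(
        # Policy key named in the answers on this page
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    )

    # Defender antivirus service (service name WinDefend)
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

    # Policy values discussed above; $null means the value is not set
    $policy = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue

    # Get-MpComputerStatus fails when the service is not running,
    # so record the error instead of aborting the check
    $status = $null
    $statusError = $null
    try { $status = Get-MpComputerStatus -ErrorAction Stop }
    catch { $statusError = $_.Exception.Message }

    # Most likely explanation, checked in order of how broadly it applies
    $finding = if ($policy.DisableAntiSpyware -eq 1) {
        'DisableAntiSpyware=1 under the policy key: antivirus services disabled by policy'
    } elseif (-not $svc -or $svc.Status -ne 'Running') {
        'WinDefend is not running: the antivirus service is unavailable'
    } elseif ($policy.DisableLocalAdminMerge -eq 1) {
        'DisableLocalAdminMerge=1: local administrator settings are ignored'
    } else {
        'No blocking policy value found under this key'
    }

    [pscustomobject]@{
        ServiceStatus             = if ($svc) { $svc.Status } else { 'NotFound' }
        ServiceStartType          = if ($svc) { $svc.StartType } else { $null }
        DisableAntiSpyware        = $policy.DisableAntiSpyware
        DisableLocalAdminMerge    = $policy.DisableLocalAdminMerge
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        StatusError               = $statusError
        Finding                   = $finding
    }
}

Get-DefenderPolicyState | Format-List
```

A non-empty StatusError together with a stopped or missing service matches the situation mklement0's answer describes; empty policy values with a running service point elsewhere.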
