Windows Defender : Some Settings are Managed by your Organization [Fix]

After a malware attack, the Windows Defender Settings interface may show the message “Some settings are managed by your organization”. The real-time protection and cloud-based protection options may also remain disabled.

Here is how the Windows Defender Settings page might look. The controls for real-time protection, cloud-based protection and automatic sample submission may be disabled and locked down or grayed out.

[Screenshot: Windows Defender Settings are grayed out]
[Screenshot: Windows Defender real-time protection disabled]

If you’ve installed a third-party antivirus, Windows Defender is disabled automatically; that is normal. This post explains how to re-enable Windows Defender real-time protection and other settings by removing all of the registry-based Windows Defender policies that were previously added by malware, by a third-party tweaker, or by a privacy protection tool.

Caused by a third-party privacy protection tool?

If you have used (or are using) anti-spy tools such as O&O ShutUp10, make sure you reset all “Windows Defender and Microsoft SpyNet” settings in O&O ShutUp10. Here is how it should look after resetting them.

[Screenshot: O&O ShutUp10 Defender Settings]

Caused by malware?

First, make sure you eliminate the malware completely, with help from an expert or a friend; given the complexity of a malware infestation, professional help is suggested. You may additionally try Windows Defender Offline.

The malware removal procedure is complex and is beyond the scope of this article. After removing the malware completely, remove the registry-based policy settings for Windows Defender that the malware added.

Remove Windows Defender Policies using the Registry Editor

Note: This procedure doesn’t apply or work if your system is connected to a domain, where central group policies apply. This article is for standalone systems where a virus or malware has completely disabled Windows Defender and locked down the settings.

Automate the following registry modifications using defender-policies-remove.reg (zipped). Unzip and run the enclosed REG file.

After running it, you may want to open the Registry Editor to make sure the “Windows Defender” Policies key doesn’t exist. Once done, restart Windows for the changes to take effect.

1. Start the Registry Editor (regedit.exe) and go to the following branch:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

2. Export the branch to a REG file. Then, right-click the “Windows Defender” key and choose Delete.

[Screenshot: Windows Defender Policy keys in the registry.]

3. Similarly, back up and delete the following branch:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

4. Exit the Registry Editor.

5. Restart Windows.
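
The same procedure as a PowerShell script (an added example, not the article's defender-policies-remove.reg file): it lists the values found under each branch, exports the branch, and deletes it only once the export exists. The function name Get-PolicyValue and the Desktop backup folder are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, back up, then remove the two policy branches named in the article.
$branches = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
)
# Assumption: backups go to a timestamped folder on the current user's Desktop.
$backupDir = Join-Path ([Environment]::GetFolderPath('Desktop')) ("DefenderPolicyBackup_{0:yyyyMMdd_HHmmss}" -f (Get-Date))

function Get-PolicyValue {   # hypothetical helper name
    param([string]$Path)
    # Walk the key and all of its subkeys, returning one object per registry value.
    $keys = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
                Kind  = $key.GetValueKind($name)
            }
        }
    }
}

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($branch in $branches) {
    if (-not (Test-Path -LiteralPath $branch)) {
        Write-Host "Not present (nothing to remove): $branch"
        continue
    }
    # 1. Record which policy values were set, for your notes on the cleanup.
    Get-PolicyValue -Path $branch | Format-Table -AutoSize | Out-String | Write-Host
    # 2. Export the branch to a REG file; reg.exe expects HKLM\..., not the HKLM:\ drive form.
    $regPath = $branch -replace '^HKLM:\\', 'HKLM\'
    $regFile = Join-Path $backupDir ((Split-Path $branch -Leaf) + '.reg')
    & reg.exe export $regPath $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $regFile)) {
        throw "Export failed for $branch; key left untouched."
    }
    # 3. Delete the branch only after the backup file exists.
    Remove-Item -LiteralPath $branch -Recurse -Force
    Write-Host "Removed $branch (backup: $regFile)"
}
Write-Host 'Restart Windows for the changes to take effect.'
```

After the restart, running the script again should report both branches as not present.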

Note that this completely clears the policy settings for Windows Defender. By default, in a clean installation of Windows, no policies are set. The Windows Defender Settings page will now look like this.

[Screenshot: Windows Defender Settings page after the policies are removed]

Important: After removing all the policies, you may want to enable PUA or adware protection in Windows Defender. If you had already enabled that setting before, you will need to redo the procedure now.

Remove Windows Defender Policies using Group Policy Editor

If you’re using Windows 10 Professional or a higher edition, the relevant Windows Defender Group Policies are available in the following branch of the Group Policy Editor (gpedit.msc):

Computer Configuration > Administrative Templates > Windows Components > Windows Defender
[Screenshot: Windows Defender Group Policy Settings]

There are at least 95 policy settings, with the items in every sub-branch put together. You need to set each setting to “Not configured”.

Allow antimalware service to startup with normal priority
Turn off Windows Defender
Configure local administrator merge behavior for lists
Turn off routine remediation
Define addresses to bypass proxy server
Define proxy auto-config (.pac) for connecting to the network
Define proxy server for connecting to the network
Randomize scheduled task times
Allow antimalware service to remain running always

Also, check the following sub-branches in the above location, and set each Policy setting to “Not configured”.

Windows Defender\Client Interface

Display additional text to clients when they need to perform an action
Suppress all notifications
Suppresses reboot notifications
Enable headless UI mode

Windows Defender\Exclusions

Turn off Auto Exclusions
Extension Exclusions
Path Exclusions
Process Exclusions

Windows Defender\MAPS

Configure the 'Block at First Sight' feature
Join Microsoft MAPS
Configure local setting override for reporting to Microsoft MAPS
Send file samples when further analysis is required

Windows Defender\Network Inspection System

Turn on definition retirement
Specify additional definition sets for network traffic inspection
Turn on protocol recognition

Windows Defender\Quarantine

Configure local setting override for the removal of items from Quarantine folder
Configure removal of items from Quarantine folder

Windows Defender\Real-time Protection

Turn off real-time protection
Turn on behavior monitoring
Scan all downloaded files and attachments
Monitor file and program activity on your computer
Turn on raw volume write notifications
Turn on process scanning whenever real-time protection is enabled
Define the maximum size of downloaded files and attachments to be scanned
Configure local setting override for turn on behavior monitoring
Configure local setting override for scanning all downloaded files and attachments
Configure local setting override for monitoring file and program activity on your computer
Configure local setting override to turn on real-time protection
Configure local setting override for monitoring for incoming and outgoing file activity
Configure monitoring for incoming and outgoing file and program activity

Windows Defender\Remediation

Configure local setting override for the time of day to run a scheduled full scan to complete remediation
Specify the day of the week to run a scheduled full scan to complete remediation
Specify the time of day to run a scheduled full scan to complete remediation

Windows Defender\Reporting

Configure time out for detections requiring additional action
Configure time out for detections in critically failed state
Configure Watson events
Configure time out for detections in non-critical failed state
Configure time out for detections in recently remediated state
Configure Windows software trace preprocessor components
Configure WPP tracing level

Windows Defender\Scan

Check for the latest virus and spyware definitions before running a scheduled scan
Allow users to pause scan
Specify the maximum depth to scan archive files
Specify the maximum size of archive files to be scanned
Specify the maximum percentage of CPU utilization during a scan
Scan archive files
Turn on catch-up full scan
Turn on catch-up quick scan
Turn on e-mail scanning
Turn on heuristics
Scan packed executables
Scan removable drives
Turn on reparse point scanning
Create a system restore point
Run full scan on mapped network drives
Scan network files
Configure local setting override for maximum percentage of CPU utilization
Configure local setting override for the scan type to use for a scheduled scan
Configure local setting override for schedule scan day
Configure local setting override for scheduled quick scan time
Configure local setting override for scheduled scan time
Define the number of days after which a catch-up scan is forced
Turn on removal of items from scan history folder
Specify the interval to run quick scans per day
Start the scheduled scan only when computer is on but not in use
Specify the scan type to use for a scheduled scan
Specify the day of the week to run a scheduled scan
Specify the time for a daily quick scan
Specify the time of day to run a scheduled scan

Windows Defender\Signature Updates

Define the number of days before spyware definitions are considered out of date
Define the number of days before virus definitions are considered out of date
Define file shares for downloading definition updates
Turn on scan after signature update
Allow definition updates when running on battery power
Initiate definition update on startup
Define the order of sources for downloading definition updates
Allow definition updates from Microsoft Update
Allow real-time definition updates based on reports to Microsoft MAPS
Specify the day of the week to check for definition updates
Specify the time to check for definition updates
Allow notifications to disable definitions based reports to Microsoft MAPS
Define the number of days after which a catch-up definition update is required
Specify the interval to check for definition updates
Check for the latest virus and spyware definitions on startup

Windows Defender\Threats

Specify threats upon which default action should not be taken when detected
Specify threat alert levels at which default action should not be taken when detected

If some of them already read as “Not configured”, set the setting to “Enabled”, click Apply, and then set it back to “Not configured”. This is to clear the registry values correctly.

About the author

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and has a vast experience in the ITeS industry — delivering support for Microsoft's consumer products. He has been a Microsoft MVP [2003 to 2012] who contributes to various Windows support forums.
