Restoring Default Windows Defender group policy settings

The RocketCyber Windows Defender Manager application provides the capability to manage and update various group policy settings that influence the functionality of Windows Defender. This article details the procedure for manually resetting the Windows Defender group policy settings to their default state. For those interested in accomplishing this task using a PowerShell script, please contact our support team, and they will be happy to assist you.

Before you begin

  1. Sign in as a local administrator. Ensure that you are logged in with administrative privileges, as these are necessary for deleting policy files and modifying the registry.

  2. Create a system restore point (recommended):

    1. Press Win+R to open the Run dialog.

    2. Type SystemPropertiesProtection and select Create… to initiate the process.

  3. Back up the registry (targeted exports):

    1. It is advisable to export only the specific registry keys that you will be modifying throughout this process (further instructions will follow). This approach is safer than performing a complete export of the registry.

IMPORTANT  Please be aware that editing the registry can significantly impact system functionality. Follow the outlined steps diligently. If you encounter a key or value that does not exist on your system, simply omit it from the procedure..

Summary of actions to be executed

1. Eliminate the local Group Policy data files (Registry.pol) to prevent the recurrence of outdated policies.

2. Remove specific values and items associated with Microsoft Defender from the registry.

3. Refresh the Group Policy and subsequently restart the system.

4. Confirm that Microsoft Defender has reverted to its designated default settings.

Step 1: Delete local Group Policy Registry.pol files

These files are responsible for storing local Group Policy settings. As a precautionary measure, we will create backups by renaming them to the .bak extension and subsequently removing the original files.

Relevant paths to examine (some may not be present on your PC):

  • C:\Windows\System32\GroupPolicy\Machine\Registry.pol

  • C:\Windows\System32\GroupPolicy\User\Registry.pol

  • C:\Windows\System32\GroupPolicyUsers\DefaultUser\Machine\Registry.pol

  • C:\Windows\System32\GroupPolicyUsers\DefaultUser\User\Registry.pol

Procedure

1. Launch File Explorer and input each folder path into the address bar.

2. If the Registry.pol file is present:

  1. Right-click on the file, select Copy, and paste it as a backup in a designated location, or alternatively, rename it to Registry.pol.bak.

  2. Proceed to delete the original Registry.pol file.

3. Repeat this process for each existing path.

NOTE  Should you not find the GroupPolicyUsers folder, this is a normal occurrence; please disregard those entries.

Step 2: Remove specific Defender policy values (Registry Editor)

In this step, the objective is to remove designated values from specific policy paths within the Windows Registry, provided that these values exist. If a particular value is absent, please proceed to the next item.

  1. Accessing the Registry Editor: Initiate the process by pressing Win + R, then entering regedit, and pressing Enter. Approve any prompts from the User Account Control (UAC).

  2. Backing up registry keys: For each item outlined below, prior to deletion, right-click on the parent key and select Export… to create a .reg backup file. It is advisable to name the file something akin to DefenderPolicy_Backup.reg.

  3. Executing value deletions: Navigate to the specified path below and delete the corresponding value located in the right pane. It is important to delete only the value, not the entire key:

    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

      • Value name: PUAProtection

    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

      • Value name: ServiceStartStates

    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine

      • Value name: mpCloudBlockLevel

    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Quarantine

      • Value name: PurgeItemsAfterDelay

    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting

      • Value name: DisableEnhancedNotifications

    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan

      • Value names: AvgCPULoadFactor, CheckForSignaturesBeforeRunningScan, ScanParameters, ScheduleDay

    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates

      • Value name: SignatureUpdateInterval

    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet

      • Value names: SubmitSamplesConsent, SpyNetReporting

    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration

      • Value names: Notification_Suppress, UILockdown

    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

      • Value name: ServiceStartStates (note that this value may appear in multiple locations; if it is present in this location, please remove it as well).

4. Procedure for deleting a value: To delete a value, navigate to the specified path, locate the value name in the right pane, right-click on it, select Delete, and confirm the action by selecting Yes.

If any of the subkeys, such as MpEngine, Reporting, or Scan, are not present, you may proceed directly to the next item in the list.

Step 3: Remove specific Defender items (subkeys/entries)

The following script is designed to eliminate specific entries entirely, which are typically subkeys. The item should be deleted if it is present. The items to be removed include the following (which are generally subkeys or entries within a key):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes\%ProgramFiles%\RocketAgent\rocketagent-x64.exe

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes\%ProgramFiles%\RocketAgent\rocketagent.exe

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\4

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\5

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\2

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\0

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\1

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyExclusions\%ProgramFiles%\RocketAgent\rocketagent-x64.exe

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyExclusions\%ProgramFiles%\RocketAgent\rocketagent.exe

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\Controls\_7

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\Controls\_9

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48

Instructions for execution

In the Registry Editor, navigate to the parent path. If the final segment (for example, the GUID or _7) appears as a subkey, right-click on the subkey and select Delete. Conversely, if it appears as a value in the right pane, right-click on the value and select Delete.

Please note that certain paths utilize environment variables (such as %ProgramFiles%). In the Registry Editor, these may be stored literally, including the percentage symbols; therefore, it is essential to delete the exact matching entry as observed.

Step 4: Refresh Group Policy

1. Access the Start menu, type cmd, then right-click on Command Prompt and select the option to Run as administrator.

2. Enter the following command: gpupdate /force

3. Upon completion of the process, please restart your computer.

Step 5: Verify Defender is back to normal

Graphical User Interface (GUI) checks (Windows Security Application):

  1. Launch the Windows Security application and navigate to the section labeled Virus & threat protection.

2. Confirm that the settings are adjustable and not greyed out.

3. Review the following components:

  • Protection Updates

  • Exclusions (ensure that there are no entries related to RocketAgent paths)

  • Attack surface reduction (if applicable)

Optional PowerShell checks (read-only)

1. Execute PowerShell with administrative privileges.

2. Input the following commands: Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess - Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionOnlyExclusions - Get-MpPreference | fl *Reporting*,*PUA*,*Cpu*,*Schedule*,*Submit*,*Signature*

Upon completion of these steps, there should be no unwanted exclusions, and one should observe default settings that align with policy controls.

Troubleshooting and notes

Appendix — Full reference list

Local Group Policy files to remove

  • C:\Windows\System32\GroupPolicy\Machine\Registry.pol

  • C:\Windows\System32\GroupPolicy\User\Registry.pol

  • C:\Windows\System32\GroupPolicyUsers\DefaultUser\Machine\Registry.pol

  • C:\Windows\System32\GroupPolicyUsers\DefaultUser\User\Registry.pol

Registry values to delete

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender : PUAProtection

  • HKLM\SOFTWARE\Microsoft\Windows Defender : ServiceStartStates

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine : mpCloudBlockLevel

  • HKLM\SOFTWARE\Microsoft\Windows Defender\Quarantine : PurgeItemsAfterDelay

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting : DisableEnhancedNotifications

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan : AvgCPULoadFactor

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan : CheckForSignaturesBeforeRunningScan

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan : ScanParameters

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan : ScheduleDay

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates : SignatureUpdateInterval

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet : SubmitSamplesConsent

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet : SpyNetReporting

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration : Notification_Suppress

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration : UILockdown

  • HKLM\SOFTWARE\Microsoft\Windows Defender : ServiceStartStates

Registry items/subkeys to delete

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes\%ProgramFiles%\RocketAgent\rocketagent-x64.exe

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes\%ProgramFiles%\RocketAgent\rocketagent.exe

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\4

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\5

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\2

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\0

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\1

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyExclusions\%ProgramFiles%\RocketAgent\rocketagent-x64.exe

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyExclusions\%ProgramFiles%\RocketAgent\rocketagent.exe

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC

  • HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\_7

  • HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\_9

  • HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48

Optional: quick read‑only validation commands