
Enter the following series of commands to establish what privileges you have.

cd \windows\system32

dir

ipconfig

net user /add mal Pa$$w0rd

net localgroup administrators mal /add

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

Enter the following command to identify the PID of the Windows Defender process:

tasklist /fi "imagename eq msmpeng.exe"

Enter the following command to try to disable Windows Defender, using the PID you
made a note of:

taskkill /pid 2268

ini.vbs

On the PC1 VM, select Start > Windows Administrative Tools > Group Policy Management.

In the navigation pane, browse to Forest: corp.515support.com > Domains >
corp.515support.com > 515 Support Domain Policy. If you receive a message telling you
that changes here may have an impact on other locations, select OK.

Right-click 515 Support Domain Policy and select Edit.

In the navigation pane of the Group Policy Management Editor window, expand
Computer Configuration > Policies > Administrative Templates > Windows Components >
Windows Defender Antivirus.

In the detail pane, double-click Turn off Windows Defender Antivirus, read the help
text in the Turn off Windows Defender window, then select Disabled and select OK.

In Group Policy, you often have to use the logic of double negatives. For example,
you want to turn on Windows Defender, but there isn't a policy to enable for that.
So, you must disable turning Windows Defender off, which has the same overall
effect.

Repeat this method to set Turn off routine remediation to Disabled.

Expand the Real-time Protection node within Windows Defender. Set Turn off
real-time protection to Disabled.

Changes made in Group Policy Editor are saved immediately, but they can take up to
two hours to roll out to all clients. Restarting the clients (sometimes twice in a
row) is one simple way to force the issue.

Restart the VM.
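
After the restart, the double-negative settings can be checked on the client. The script below is an added example, not part of the original lab: it reads back the three "Turn off ..." policies and shows Defender's own reported state. The registry value names are the ones the standard Defender administrative template is assumed to write; confirm them on your build. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the lab): confirm the three policies arrived as Disabled.
# Assumption: a policy set to Disabled writes 0, Enabled writes 1, and
# Not Configured leaves the registry value absent.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$checks = @(
    @{ Policy = 'Turn off Windows Defender Antivirus'; Path = $base;
       Name = 'DisableAntiSpyware' },
    @{ Policy = 'Turn off routine remediation'; Path = $base;
       Name = 'DisableRoutinelyTakingAction' },
    @{ Policy = 'Turn off real-time protection'; Path = "$base\Real-Time Protection";
       Name = 'DisableRealtimeMonitoring' }
)

function Get-PolicyState {
    param([string]$Path, [string]$Name)
    # A missing key or value means the GPO setting never reached this client.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not Configured' }
    switch ([int]$item.$Name) {
        0       { 'Disabled' }   # "turning off" is disabled, so protection stays on
        1       { 'Enabled' }    # "turning off" is enabled, so protection is off
        default { "Unexpected value $($item.$Name)" }
    }
}

# Pull computer policy now instead of waiting for the background refresh.
gpupdate /target:computer /force | Out-Null

$results = foreach ($c in $checks) {
    $state = Get-PolicyState -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Policy     = $c.Policy
        State      = $state
        AsIntended = ($state -eq 'Disabled')
    }
}
$results | Format-Table -AutoSize

# Effective state as reported by Defender itself.
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled
```

Any row with AsIntended = False means the domain policy has not applied to this client yet, or a different GPO is overriding it.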
