Every time I use Remove reinstalls I stop being able to download files because Defender's Tamper Protection remains enabled when it shouldn't

[Windows 10 User (again5)]

so, i removed windows defender and disabled its settings (including tamper protection) in ntlite and created an image. after using that image to install windows 11 22h2 and afterwards installing a cumulative update, every time i use remove reinstalls, i stop being able to download some files because they're flagged as virus by windows defender's tamper protection when remove reinstalls should have removed windows defender and tamper protection along with it.

also, i can't even access windows defender to disable tamper protection because it doesn't even appear in settings, i can't open some files because they're flagged as virus by windows defender's tamper protection, and after opening those, some of them disappear against my will (i guess they're moved to windows defender's quarantine, and like i said, i can't even open windows defender to move them back). also, even some files that i don't even open and are flagged as virus by windows defender's tamper protection disappear (again, i guess they're moved to windows defender's quarantine).

 

[Clanger]

Post your preset, remove any windows keys and personal information.

 

[Windows 10 User (again5)]

could you tell me how to do that?

 

[Clanger]

The preset that was created when you built the image, they appear on the far right hand side of the Source page, use the "attach files" burtton below.

 

[Windows 10 User (again5)]

ok, thanks, but i only removed windows defender in apps and disabled its setting in the other tab.

 

[garlin]

Tamper Protection can only be disabled by adding a reg file, integrated into the image. By design, you can't defeat it after the system is booted except by going the Security Center control panel and flipping the switch.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000

AFAIK, applying the monthly CU doesn't change the Tamper Protection setting, because it can be legitimately disabled by users.

 

[Windows 10 User (again5)]

Tamper Protection can only be disabled by adding a reg file, integrated into the image. By design, you can't defeat it after the system is booted except by going the Security Center control panel and flipping the switch.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000

AFAIK, applying the monthly CU doesn't change the Tamper Protection setting, because it can be legitimately disabled by users.

it doesn't let me import that reg key in a live install but iirc if i disable it in ntlite, it's disabled after installing windows 11 22h2.

 

[nuhi]

RalphAnime, I noticed something similar and should be fixed in next, I can send a test version if interested in confirming yourself with an option to influence faster changes.
Basically Defender on re-removal would trigger DISM-only removal of the app only, not the deeper cleanup necessary to remove the services as well.
You could even try with the current version to reload C:\Windows, if Defender is listed, uncheck it for removal again, but this time in the toolbar change App removal mode from DISM to Custom, apply.

Thanks for the feedback.

 

[Windows 10 User (again5)]

RalphAnime, I noticed something similar and should be fixed in next, I can send a test version if interested in confirming yourself with an option to influence faster changes.
Basically Defender on re-removal would trigger DISM-only removal of the app only, not the deeper cleanup necessary to remove the services as well.
You could even try with the current version to reload C:\Windows, if Defender is listed, uncheck it for removal again, but this time in the toolbar change App removal mode from DISM to Custom, apply.

Thanks for the feedback.

thanks. could you send me the version?

you mean, dism + custom?

edit: windows defender appears after loading c:\windows in ntlite and this time below system guard inside system and not inside apps. weird.

edit 2: i removed windows defender in ntlite after using the dism + custom setting in app removal mode and it looks like it was finally removed so i'm not having this problem again.

 

[Windows 10 User (again5)]

RalphAnime, I noticed something similar and should be fixed in next, I can send a test version if interested in confirming yourself with an option to influence faster changes.
Basically Defender on re-removal would trigger DISM-only removal of the app only, not the deeper cleanup necessary to remove the services as well.
You could even try with the current version to reload C:\Windows, if Defender is listed, uncheck it for removal again, but this time in the toolbar change App removal mode from DISM to Custom, apply.

Thanks for the feedback.

nuhi, i still have this problem in the latest ntlite version after using remove reinstalls.

 

[nuhi]

nuhi, i still have this problem in the latest ntlite version after using remove reinstalls.

Oh, apologies, this is a simple component detection issue. As mentioned above I experienced and fixed a similar situation, silly me for not retesting the exact scenario.
Did it now, finished the fix and uploaded a newer one.
Nothing is lost as Remove Reinstalls can be ran repeatedly, basically Remove Reinstalls will now see the half-returned Defender - there were 2 issues in this case it seems.

Let me know how it goes.

 

[Windows 10 User (again5)]

Oh, apologies, this is a simple component detection issue. As mentioned above I experienced and fixed a similar situation, silly me for not retesting the exact scenario.
Did it now, finished the fix and uploaded a newer one.
Nothing is lost as Remove Reinstalls can be ran repeatedly, basically Remove Reinstalls will now see the half-returned Defender - there were 2 issues in this case it seems.

Let me know how it goes.

nuhi, now ntlite always crashes right after clicking remove reinstalls.

 

[nuhi]

nuhi, now ntlite always crashes right after clicking remove reinstalls.

Well... sometimes stars align like that.
I tested it after loading the system, then no crash, but if it's done fresh without first loading, it crashes indeed.
My testing VMs are set so NTLite is ran automatically, will have this in mind for future testing.

Thanks for the feedback, fix uploaded, let me know how it goes.
If you don't give up, it will get there, I hope you forgive my lack of deeper testing in this thread.

 

[Windows 10 User (again5)]

Well... sometimes stars align like that.
I tested it after loading the system, then no crash, but if it's done fresh without first loading, it crashes indeed.
My testing VMs are set so NTLite is ran automatically, will have this in mind for future testing.

Thanks for the feedback, fix uploaded, let me know how it goes.
If you don't give up, it will get there, I hope you forgive my lack of deeper testing in this thread.

you're welcome. thank you for creating this great tool. it looks like tamper protection was finally removed. should one always use remove reinstalls after each cu install or may he/she use it after installing two or more cus in a row?

 

[nuhi]

you're welcome. thank you for creating this great tool. finally, it looks like tamper protection was finally removed. should one always use remove reinstalls after each cu install or may he/she use it after installing two or more cus in a row?

After each. Will automate its cleanup eventually, seems like it's here to stay.
It's not complicated to detect Windows build change after successful reboot, then prompt a user to cleanup, or to do it automatically in the background in the future, etc.

 

[Windows 10 User (again5)]

After each. Will automate its cleanup eventually, seems like it's here to stay.
It's not complicated to detect Windows build change after successful reboot, then prompt a user to cleanup, or to do it automatically in the background in the future, etc.

what would happen if one installs two cus and then uses remove reinstalls instead of using it after installing each cu? i'm asking this because one might forget to do it since in some cases a cu appears and right after being installed another one is offered and the latter might ask the user to be installed (maybe it's optional) unlike the former. currently, i'm having that situation.

also, after installing a cu, windows search and settings app search aren't working. i kept windows search, cortana and ctfmon. the latter doesn't appear in task manager so does that mean installing a cu removes it? after using remove reinstalls, it appears in task manager again so does that mean remove reinstalls gets it back and i'll always have this problem after installing cus so i'll always have to use remove reinstalls? also, when using remove reinstalls, a window appears saying "ctfmon.exe success unknown hard error" right at the end, and after clicking ok, ntlite asks to restart the pc to complete the remove reinstalls process.

 

[nuhi]

what would happen if one installs two cus and then uses remove reinstalls instead of using it after installing each cu? i'm asking this because one might forget to do it since in some cases a cu appears and right after being installed another one is offered and the latter might ask the user to be installed (maybe it's optional) unlike the former. currently, i'm having that situation.

Might be fine, haven't tested that thoroughly and may depend on the specific situation. But as a guess, should be ok.

also, after installing a cu, windows search and settings app search aren't working. i kept windows search, cortana and ctfmon. the latter doesn't appear in task manager so does that mean installing a cu removes it? after using remove reinstalls, it appears in task manager again so does that mean remove reinstalls gets it back and i'll always have this problem after installing cus so i'll always have to use remove reinstalls? also, when using remove reinstalls, a window appears saying "ctfmon.exe success unknown hard error" right at the end, and after clicking ok, ntlite asks to restart the pc to complete the remove reinstalls process.

That's a lot of questions, basically your conclusion should be: run remove reinstalls, and wait for the automation of it to make it easier.