Posted 23 March 2021 - 01:56 AM
So, I'm prepping Windows 10 Enterprise 20H2 for a ramdisk test. I had originally wanted to use LTSC, but decided against it, since it doesn't quite fit all my needs. I use Xbox Live Game Pass to play the latest AAA titles from the Windows Store. That works fine with non-LTSC versions, but not LTSC. It is something about many of them only wanting to install on the most recent Windows 10 versions. There are also other reasons that I've moved away from LTSC, but I won't go into detail.
I plan to trim out most of the unwanted Metro apps from the Enterprise image, but otherwise it will remain as near stock. It doesn't do much good to remove most other components, since Windows Update will just try to reinstall them. But it won't restore removed Metro apps (in my recent VM test, it didn't).
So far I've integrated the signed SVBus driver into the wim file with dism. I've done a real, live install from that wim. In Device Management, SVBus is initially shown as being loaded fine.
And here's the issue:
Not long after I boot up this cleanly installed OS, Windows Defender does a scan. It sees svbusx64.sys and deletes it, claiming it's a trojan. So I tried to restore it from quarantine; that worked, but it deletes it again and again. I tried adding an exclusion, but it still deletes the file.
So I reboot, Windows boots fine. But of course this file is gone, and SVBus shows as not loaded in DM.
So I extract this file from the archive, place it in the right directory, set admins group as owner and grant full access to all user groups, reboot. At this point I've already disabled Defender with the Group Policy editor. But DM still shows the driver as not loaded.
The only permanent solution I've found for this is to mount the wim and edit its Registry offline, adding entries that permanently set Defender as disabled even before the first boot. If I clean install from that image, SVBus loads fine and stays loaded, and Defender isn't active at all.
Is there a way to work around this, without disabling Defender?