win11PROadm

New Member
Joined
Jul 23, 2024
Messages
5
Dear people of the Windows forum. I came in here to learn how to use my Windows system. I switched to Windows from Linux because I, due to being an avid gamer, want to eliminate all compatibility issues and decided to try to embrace the MS Windows system. One condition for me is that I can control my OS. I understand that in Windows there are limitations to the level of control I can have, due to the OS being proprietary, and I want to find out where those limits lie, and how far I can control things. I upgraded to Pro to have better controls because in Home... Well, I do not need to explain. But I am still facing an uphill battle vs so many automatized events and the system reverting regedit and gpedit policies I create. I wonder if this is standard or that I lack permissions/privileges. For one, I want to fully control antivirus and update processes, but they constantly flip back. I cannot imagine that a Win admin is unable to control these things, so I must be doing something wrong.

If someone here can explain to me how I can become the administrator of my system, I will be most grateful.

Thank you!
 


Welcome to the forums. I'm sure everything is fine and you just need to run a malware scan or something. Can you explain in further detail what precise issue you are having? It sounds like you're confused by some sort of automation happening, but doesn't sound that bad... !
 


would like to leave the room, so that you can use it, and in stead support Samrat
Welcome to the forums. I'm sure everything is fine and you just need to run a malware scan or something. Can you explain in further detail what precise issue you are having? It sounds like you're confused by some sort of automation happening, but doesn't sound that bad... !
Hello Mike, thank you for responding. My issue is basically that I want to do certain things and that the OS is not allowing me, even though I am using Windows 'Pro'. Basically I want to replace Windows Defender with third-party AV, preferably Clam AV, if I am able, but another third-party AV would be fine too as long as I do not manage to use Clam AV because setting it up seems quite the task.

Apart from this I would like to get a clear idea of what I can do and cannot do and what elevations of permissions there are so that I can decide whether this OS is really for me. I do not like how GPedit and regedit are not telling me clearly what I can change and what not. I change stuff and before you know it the changes are reverted. At least some of them. Some settings obey me and others don't. How to know the difference?

It makes me feel totally powerless. Sure, I can surf the net, watch vids, listen to music, write and play games and it all looks beautiful. But I do not get to see and utilize what is behind the hood, the computer, and the OS, which is the greatest reason why I bought Windows. I want to know my system and cooperate with it, not just be driven around, like a handicapped man in a wheelchair....

I hope it is possible to master Windows to such a degree that it will work for me instead of me being totally dependent on something that will ever remain a mystery to me.

Please, if anyone knows good books on becoming a power user?
 


Windows Defender is a decent option for a free AV and if you want to stick with free that is what I would recommend. A lot of other free versions tend to be in the business of selling your information. Clam AV is not a good option for Windows. Clam AV is highly dependent on signatures which in this day and age are not effective at combating the threat landscape.

For training this is a good landing page for free resources: Windows 11 overview for administrators
Optionally you could check out the Windows 11 Inside Out book, or if you want to go really deep you can look at the Windows Internals series of books.
 


Group policy is the primary method IT people use to control aspects of Windows operating systems. These typically do not revert or really change that often. gpedit is the common method for controlling group policy when systems are not joined to an Active Directory environment. Settings manually set through, say, Settings are not supposed to change but sometimes can, as Sunny mentioned, not to mention they could be altered programmatically.

IT/Security professionals don't typically set settings randomly. They do usually leverage a benchmark or framework to make decisions on which settings to change with the goal of hardening operating systems. CIS is a very common benchmark to use: CIS Benchmarks™
 


Yes, there are a ton of scheduled tasks and updates can revert settings.
1. Do you mean that when changes I made get reverted it is only due to the Windows updates resetting them, or can it also be due to privileges that I do not have? I would appreciate it if Windows just told me I can not change something rather than letting me change it and then reverting it again behind my back, without even a notification that it happened.

2. What I also wonder is why is there a gpeditor if all can be done by regedit? It seems to me, a layer upon a layer. What is the rationale behind this?

3. Would having a Windows Enterprise version make it easier for me to disable the antivirus system entirely, without updates reverting it again behind my back? I would prefer to practice safe internet usage and do virus scans manually rather than having my system being taken over by applications that act on their own device.
I know that I can not easily use Windows Enterprise 11 tied to my hardware, that the license is not intended by MS to be used by consumers, but maybe it is possible to install Windows 10 Enterprise on my system, in the orderly manner? Or is Windows 10 completely off the table by now?

Thanks!
 


Well, I can't answer all of your questions, but for #2, the primary reason that you have group policy is to make the registry values and keypairs editable by humans running servers to make it manageable and coherent. Without these policies in plain English form, it would be difficult to manage. Suppose for a moment that I am making numerous changes in the registry. Now I have to go do that 10-20x per day as a part of my regular job function. The ledger that would have to be maintained would be so vast and huge, you would have to create a new registry that just keeps track of all of those other registry or datastores. In addition, the risk of making a critical and devastating irreversible change to one of the registries would increase over time. It is just a management capability that humans wrote to make it more coherent. Not only that, but not all group policies edit only the registry. There are policies that impact the behavior of the operating system at different levels.
 


3. Would having a Windows Enterprise version make it easier for me to disable the antivirus system entirely, without updates reverting it again behind my back? I would prefer to practice safe internet usage and do virus scans manually rather than having my system being taken over by applications that act on their own device.
I know that I can not easily use Windows Enterprise 11 tied to my hardware, that the license is not intended by MS to be used in that way, but maybe it is possible to install Windows 10 Enterprise in that way? Or is Windows 10 completely off the table by now?
Not really, to disable Windows Defender it's pretty much one command in PowerShell. The issue would be the zero day vulnerabilities and exploits coming in repeatedly from around the world. If your system were exposed to the Internet, it would eventually get compromised without any protection and perhaps even with the latest updates. You could have a zero day vulnerability come in, and if there was already reconnaissance done on your network, it could be quickly exploited if you were a valuable target. Windows 10 support will likely continue for a long time to come, but it seems they intentionally obsoleted old systems to enforce more device-based security.
 


So that script would work in Win 11 Professional too? And would it have to be repeated every startup or can it be made permanently? I can also protect myself vs infection with regular backups. I prefer having to re-install my OS now and then over needing the constant help and interference of third parties being active within my system constantly. I might be a bit dogmatic but for me it is about sovereignty. I also hate that we are being pushed around to renew our software constantly to keep up, while many older software was pretty good (Word 2003 comes to mind). I just want a working machine, and that's it, no interference needed. It is as if these companies aim to make themselves indispensable so that we keep shelling out cash. In my view anti-virus is just part of this treadmill. Tbh, the only time in my life that I had a trojan that I couldn't remove manually after the infection, I knew that I was going to have it, right before I ran the bloody file that did it. It was entirely avoidable.
 


The only reason you would disable it without using an exception list might be because you are running an IDE in a development testbed or the system is airgapped. You could always disable it, in the past gamers have even done so to squeeze out a few extra frames per second, but it's really not worth it at this stage. The risk is not worth the reward. And yeah, most of it is designed for social engineering to get you to click on the box.
 


e.g. To disable Defender in gpedit may not be enough as Win 10/11 became self-healing.

So I used this;

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"disableAntispyware"=dword:00000001
"disablespecialrunningmodes"=dword:00000001
"disableantivirus"=dword:00000001
"disableRoutinelyTakingAction"=dword:00000001
"ServiceKeepAlivE"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableOnaccessProtectioN"=dword:00000001
"DisableRealtimeProtection"=dword:00000001
"DisableBehaviorMonitorinG"=dword:00000001
"DisableScanOnRealTimeEnablE"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SignatureUpdatE]
"ForceUpdateFromMu"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SPyneT]
"DisableBlockatFirstSeeN"=dword:00000001
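
An added example, not part of the original post and not Microsoft's or any poster's code: a read-only PowerShell audit that lists whatever values exist under the policy key named above and compares them with the state Defender itself reports. That comparison shows whether such values took effect, were reverted, or were put there by something other than the administrator. It assumes the built-in Defender module is present; the function name Get-DefenderPolicyValues is made up for this example.

```powershell
# Read-only audit (added example): nothing here changes any setting.
# Assumes Windows with the built-in Defender module (Get-MpComputerStatus).

$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Hypothetical helper name: enumerates every value under the policy key
# and its subkeys (Real-Time Protection, Spynet, ...).
function Get-DefenderPolicyValues {
    param([string]$Path = $root)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Name  = $name
                Value = $key.GetValue($name)
                Kind  = $key.GetValueKind($name)
            }
        }
    }
}

$policy = @(Get-DefenderPolicyValues)
"Policy values found: $($policy.Count)"
$policy | Format-Table -AutoSize -Wrap | Out-String

# Effective state as reported by the Defender service itself
try {
    $s = Get-MpComputerStatus -ErrorAction Stop
    $s | Select-Object AMRunningMode, AMServiceEnabled, AntivirusEnabled,
        RealTimeProtectionEnabled, BehaviorMonitorEnabled, IsTamperProtected |
        Format-List | Out-String

    # Registry value names are case-insensitive, so compare with -ieq
    $wantsRtOff = $policy | Where-Object {
        $_.Name -ieq 'DisableRealtimeMonitoring' -and $_.Value -eq 1 }
    if ($wantsRtOff -and $s.RealTimeProtectionEnabled) {
        'Mismatch: policy requests real-time monitoring off, but Defender reports it on.'
    }
} catch {
    "Get-MpComputerStatus failed: $($_.Exception.Message)"
}
```

Run it from an elevated PowerShell prompt; an empty policy list together with all protections reported as enabled is the default state.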
 


So that script would work in Win 11 Professional too? And would it have to be repeated every startup or can it be made permanently?
Back up the registry before you do that. Here are the differences between 11 Pro and Enterprise (from our somewhat trusty ChatGPT integration...)

| Feature | Windows 10 Pro | Windows 10 Enterprise |
|---|---|---|
| Security Features | | |
| Windows Defender Application Guard | No | Yes |
| Windows Defender Credential Guard | No | Yes |
| Windows Defender Advanced Threat Protection (ATP) | No | Yes |
| AppLocker | No | Yes |
| Device Guard | No | Yes |
| Management and Deployment | | |
| DirectAccess | No | Yes |
| Windows To Go | No | Yes |
| BranchCache | No | Yes |
| Start Screen Control | No | Yes |
| Managed User Experience | No | Yes |
| Enterprise-Level Features | | |
| Microsoft Application Virtualization (App-V) | No | Yes |
| Microsoft User Environment Virtualization (UE-V) | No | Yes |
| Licensing and Activation | | |
| Volume Activation | No | Yes |
 


The old type admin account is still there under the hood of Windows 11, but you need to do a fresh install without a Microsoft account or internet in order to access it, which basically means an OEM BIOS install.

Shift+F10 to open command prompt, type OOBE\BYPASSNRO [enter], then restart the system to make a local account.

And no, an enterprise account is not better.
 


Okay, this is a quick response to all you kind people handing me all this very useful information (thank you for that!).

Just so you know: I will surely read all you guys have written, in my pauses.

In the meantime I have been trying a couple of suggestions that I got here and on the Eleven Forum.

I decided to definitely stay on the Windows path because

1. I need it for my video game purposes - this is a breaking point for me
2. stuff is a little bit more tightly structured compared to even the more structured Linux distros, due to it being proprietary software
3. backward compatibility is much better than in Linux distros, which are mostly continuously bleeding edge updated in a way that renders older software useless if it isn't updated too.
4. I managed to find apps that help me control what I see as Windows' downside: the lack of control and privacy, due to it being proprietary software in 2024

I feel that I need to learn a lot to really master this OS and get real control because I am still relying on other people for it, but because I have a lot of other goals I choose to do this gradually and in the meanwhile use the following fantastic apps I found to help me remain sovereign:

Winaero Tweaker
ClamWin
MS Office 2016 without any of the Office 365 entanglements

Winaero has helped me to completely shut up Windows Defender and Windows Update. I now can use ClamWin without any issue. Okay, some on the Windows forums have told me this antivirus isn't as good as some others, and I surely believe them, but I find sovereignty of primordial importance. I just need to make sure I am properly backed up at all times and not execute anything that I do not trust 300%.

I finally have the feeling that I can use Windows and MS Office without the feeling that corporate companies are lying in bed with me, brushing my teeth every morning and telling me when I need to take a bath or go to the toilet.

A double thanks to all who helped me in that direction!

Cheers & have a great day

me
 

