Today I noticed something strange on my PC. I went into Windows Defender Security Center and clicked on Ransomware Protection (controlled folders). I tried enabling it and it would enable for about a second, then switch back off. What I found is with AppGuard set to lockdown, I could not enable it. I then put AppGuard in Protected mode and had no problem enabling controlled folders. Also, putting AppGuard in install mode allows me to enable controlled folders.
Also, if you have controlled folders enabled while in lockdown mode, you cannot disable it again.
Using version 4 lifetime.
Because of a special case, Locked Down mode is running the Windows Security processes as Guarded and in Privacy Mode. The Guarding of those processes is the reason you cannot modify settings, update signatures manually, install new modules via Windows Update, etc. Normally, Locked Down mode will not even allow Microsoft signed processes to launch from User Space, but as I said, there is a special case.
Protected mode allows Microsoft processes to launch from User Space (e.g. ProgramData) - but the Trusted Publisher List settings for Microsoft are applied. That means the Windows Security process will run Memory Guarded.
Version 4 does not support, and will not be made by AppGuard LLC to support, Microsoft's movement of Windows 10 security services from Program Files to ProgramData. Essentially, Microsoft moved all security processes from System Space to User Space on Windows 10 back in Oct 2017. Furthermore, starting with Windows 10 1803, Microsoft deleted a security process running from ProgramData. So everyone will have to keep an eye on Microsoft's unilateral changes because they are not going to notify anyone about such changes.
https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform
The user hotfixes in versions 4.X and 5.2.X are easy enough... they are just simple policy exceptions:
For Locked Down mode:
For Windows 10 1803, make the following exceptions in User Space (except for the mpengine.exe - which was removed from ProgramData on 1803):

For Protected mode:
Set MEMORY to OFF in the Trusted Publisher List for Microsoft.