Starting with Windows 8 or 2012 Server, deploying Windows Defender (previous Security Essentials / Antimalware) settings via registry does not work any more.
You get a 4098 error with message “0x80070005 access denied”. This happens because Microsoft started protecting certain registry keys.
Using AD Group Policy, enter “Computer Configuration -> Administrative Templates -> Windows Components -> Endpoint Protection” and modify your settings there.
In some situations the “Endpoint Protection” area seems to be named “Windows Defender” instead.