First, we need to create a local administrative account so that the local firewall policy can be enforced; the firewall may not be enabled locally because of managed (domain) policy. To create a local administrative account that enforces the local policy instead of the domain policy, using a C program:
Then, block the EDR's network range. Since most EDRs are cloud based, the range can be identified by monitoring network traffic with Network Monitor (signed by Microsoft: ):
After that, disable the service:
Some EDRs prevent tampering from the kernel, so you can bring your own vulnerable driver to compromise the kernel and remove the kernel callbacks:
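As an added, defender-side example (not part of the original write-up), the PowerShell audit below looks for traces of each of the four steps described above on a Windows host: account creation, firewall changes, service tampering and driver loading. The EDR service name and the 24-hour lookback are placeholders to adjust for your environment.

```powershell
# Added defensive audit (not from the original page). Checks recent event logs and live
# configuration for the tampering indicators discussed above. $EdrServiceName is a placeholder.
param(
    [string]$EdrServiceName = 'EDR_SERVICE_PLACEHOLDER',
    [int]$LookbackHours = 24
)
$since = (Get-Date).AddHours(-$LookbackHours)

# 1. New local accounts (4720) and members added to a security-enabled local group (4732).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Summary = ($_.Message -split "`n")[0] } }
# Local (non-domain) members of the built-in Administrators group.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'Local' } |
    Select-Object Name, ObjectClass

# 2. Firewall rules added (4946) or modified (4947), plus any enabled outbound block rule
#    and the remote addresses it covers.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946, 4947; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $addr }
    }

# 3. Agent service state now, and start-type changes recorded in the System log (7040).
Get-Service -Name $EdrServiceName -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7040; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$EdrServiceName*" } | Select-Object TimeCreated, Message

# 4. Kernel-mode driver services installed recently (7045) and currently running drivers
#    whose Authenticode signer is not Microsoft, the usual shape of a bring-your-own-driver load.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'kernel mode driver' } | Select-Object TimeCreated, Message
Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style paths WMI reports into a filesystem path.
        $path = ($_.PathName -replace '^\\SystemRoot', $env:SystemRoot) -replace '^\\\?\?\\', ''
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if ($sig -and $sig.SignerCertificate -and $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            [pscustomobject]@{ Driver = $_.Name; Path = $path; Signer = $sig.SignerCertificate.Subject; Status = $sig.Status }
        }
    }
```

Run it from an elevated session; an empty result for a section means no indicator of that step was found in the lookback window, not that the host is clean.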