That's strange, I just re-enabled Windows Defender, updated its definitions and the task did stay disabled. At least on my end, the only other user with write access to the file is the administrators group, so nobody except me should be able to modify it. Though setting just Everyone to read-only access should be the most thorough action that can be accomplished by messing with permissions alone.
The only Windows 8 installations I have for testing are Windows 8.0 with zero updates and Windows 8.1 with only security updates until December 2017. There should be something out there available to monitor file access. Process Monitor perhaps? Maybe it can help determine what changes the task.
Edit: Forgot to mention, I noticed that having Windows Defender enabled does cause the Windows Update service to start at boot, that is, with both the scheduled task disabled and that machine policy trigger removed.
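As an added example (not code from the post above): a PowerShell script that records the scheduled task's state, locks its on-disk task file so that Everyone has read-only access and nobody keeps write access, and then re-checks the task. The task folder, task name and file path are not given in the thread, so they are mandatory parameters here; the script assumes an elevated prompt on Windows 8 or later, where `Get-ScheduledTask` is available, and uses `New-Object` rather than `::new()` so it also runs on the PowerShell 3/4 that ships with Windows 8.0/8.1.

```powershell
# Added example, not part of the original post.
# Assumes: elevated PowerShell, Windows 8+ (ScheduledTasks module present).
# $TaskPath is the task's folder (e.g. '\SomeFolder\', with the trailing
# backslash), $TaskFile the task's XML file under %SystemRoot%\System32\Tasks.
param(
    [Parameter(Mandatory = $true)][string]$TaskPath,
    [Parameter(Mandatory = $true)][string]$TaskName,
    [Parameter(Mandatory = $true)][string]$TaskFile
)

function Get-TaskState {
    param([string]$Path, [string]$Name)
    $t = Get-ScheduledTask -TaskPath $Path -TaskName $Name -ErrorAction Stop
    New-Object psobject -Property @{
        Task    = "$($t.TaskPath)$($t.TaskName)"
        State   = $t.State               # Disabled / Ready / Running / Queued
        Enabled = $t.Settings.Enabled    # the <Enabled> flag stored in the task XML
    }
}

function Set-ReadOnlyForEveryone {
    param([string]$Path)
    # Well-known SID for Everyone, so the script does not depend on UI language.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

    # Step 1: stop inheriting from the Tasks folder, keeping copies of the
    # inherited entries, and persist. Inherited entries cannot be removed from
    # the in-memory ACL until this has been written back.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 2: re-read (all entries are now explicit), drop every one of them,
    # then grant Everyone read + execute only. This also removes the
    # Administrators write entry the post mentions; see the note below.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($rule) }
    $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($readOnly)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return the resulting entries so the caller can confirm the outcome.
    (Get-Acl -LiteralPath $Path).Access
}

Write-Host "Task state before:"
Get-TaskState -Path $TaskPath -Name $TaskName | Format-List Task, State, Enabled

Write-Host "Resulting ACL on $TaskFile :"
Set-ReadOnlyForEveryone -Path $TaskFile |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

Write-Host "Task state after:"
Get-TaskState -Path $TaskPath -Name $TaskName | Format-List Task, State, Enabled
```

Because the script removes the Administrators write entry as well, undoing it later means taking ownership of the file first (`takeown` / `icacls /setowner`) and then re-granting the original entries. If the task still flips back to enabled after this, the change is not being made by writing the file directly; running Process Monitor with a Path filter set to the task file (and, if nothing shows up, on the corresponding key under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache`) shows which process is touching it.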