CHEF-KOCH's Microblog ✨

How to disable Windows Defender in Windows 10 and 11

This method will work 100%, but as always, there are multiple ways to come to the same goal. I'll describe all of them below. I keep it short and understandable even for beginners, keep in mind that all method require that you are admin or have admin rights on the OS level otherwise they will not work!

The old batch script from 2015 still works, except that Tamper Protection must be dealt with first.

Microsoft added this (and enabled it by default) in later Windows 10 Builds (1903+), so easily disabling WD with one single script is not anymore possible.

The protection was added because of malware protection reasons.

Dealing with Windows Defender's Tamper protection

reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f

This method ^^ does not work anymore. Someone wrote a complicated PoC to bypass all this, but I suggest using my method described below because it is 100% reliable.

Multiple methods to deal with Microsoft's Tamper Protection

Via install_wim_tweak.exe (does not work in Windows 11)

You get the program here. You need to execute the command twice, once and then again after the reboot.

install_wim_tweak.exe /o /c "Windows-Defender" /r

Via third-party AV

Install 3rd party AV, disable Defender's services, uninstall 3rd party AV.

Via Group Policy Editor

You need to manually disable it via GPO.

Via NSudo and other third-party tools

This is a last resort method and not really something you want to do under normal circumstances because those tool might trigger the AV, which means that the AV will block executing the processes - in this case - you must exclude them or add them to the whitelist first but WD will tell you.

We can take ownership of required files via NSudo or psexec, PowerRun, RunAsTI. They all do more or less the same in this context.

What I suggest

  • Use GPO because it survives in-place upgrade.
  • Alternative if you start a cmd terminal with TrustedInstaller privileges e.g. PowerRun OR RunAsTI, then execute the normal commands, the script disables windows defender as it should.
cd SCRIPT_PATH
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
.\disable-windows-defender.ps1 (you can use official ones or create your own or use mine from 2015 which is still on the www)

After dealing with Tamper Protection, execute the below script.

Disabling Windows Defender, Tasks, and all the rest...

Make sure you run it with admin privileges.

ECHO OFF
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
PAUSE

#Windows 11 #Windows #Windows 10 #Tamper protection #Windows Defender

- 3 toasts