PowerShell: Disable Windows Defender

Even though Windows Defender can run along side Enterprise antivirus software such as McAfee or Norton, it would be necessary to disable it on systems that already have those security applications installed. Here are two automated methods to get this done.

1. PowerShell on Localhost

On Windows 2012 R2, these commands would have worked

# Disable Defender's Real Time scanning engine
Set-MpPreference -DisableRealtimeMonitoring $True

# Deactivate the scanning engine via registry
Set-ItemProperty -Path "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -Force

However, the above lines are no longer valid for Windows 10 & 2016 (source: https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform). On KB4052623, Microsoft has changed to registry location of Defender. Hence, Active Directory Group Policy and PowerShell commands to disable this feature are no longer effective.

For those who are interested in security topics, these are the related advisories leading to this change:

  • https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11937
  • https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11940
# My fancy way to check if WinDefend is installed
try{Get-MpComputerStatus;"Windows Defender IS enabled on this system.";}
catch{"Windows Defender is NOT enabled on this system.";}

# This is the better method provided by Michael Shoff
sc query windefend
# Disable it within the registry (failed attempt)
Set-ItemProperty -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -Force
# Error
PS C:\Users\tester> Set-ItemProperty -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -Force
Set-ItemProperty : Requested registry access is not allowed.
At line:1 char:1
+ Set-ItemProperty -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows Def ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (HKLM\SOFTWARE\Microsoft\Windows Defender:String) [Set-ItemProperty],
SecurityException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.SetItemPropertyCommand
# Attempt to set permissions (failed)
$acl = Get-Acl "Registry::HKLM\SOFTWARE\Microsoft\Windows Defender"
$fullControl = New-Object System.Security.AccessControl.RegistryAccessRule ("$env:COMPUTERNAME\Administrators","FullControl","Allow")
$acl.SetAccessRule($fullControl)

In case you’re sensing that all this has been non-sense; without further adieu, this is the line to address the issue.

# Uninstall WinDefend
Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
2. Group Policy

Run ADUC: Create new GPO as follows:
Computer configuration > Administrative templates > Windows components > Windows Defender > Set these values:

Turn off Windows Defender = Enabled
Real-time protection = Off (optional as Defender has already turned off per the preceding setting)

Please note that this GP instruction is to be applied toward Windows 2016 & 2019. This may not work for Windows 2008, 2012, and Linux.

Leave a Reply

Your email address will not be published. Required fields are marked *