How to Disable All Windows Defender Protection Features via PowerShell (Complete Guide with Registry Tweaks)


Windows Defender (now Microsoft Defender) has multiple protection components that need to be disabled separately. The main components visible in the UI include:

  • Real-time protection
  • Cloud-delivered protection
  • Automatic sample submission
  • Tamper protection

Here's the complete set of PowerShell commands to disable all protection features:

# Disable real-time monitoring
Set-MpPreference -DisableRealtimeMonitoring $true

# Disable cloud-delivered protection
Set-MpPreference -MAPSReporting 0

# Disable automatic sample submission
Set-MpPreference -SubmitSamplesConsent 2

# Disable behavior monitoring
Set-MpPreference -DisableBehaviorMonitoring $true

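# Disable the intrusion prevention system (network protection against exploitation of known vulnerabilities)
Set-MpPreference -DisableIntrusionPreventionSystem $true

# Disable IOAV protection (scanning of downloaded files and attachments)
Set-MpPreference -DisableIOAVProtection $true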

# Disable script scanning
Set-MpPreference -DisableScriptScanning $true

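Tamper protection is not covered by Set-MpPreference; it requires registry changes or group policy modifications. Here's the registry approach. While Tamper Protection is enabled, Defender blocks changes to this value and ignores the Set-MpPreference changes above, so the command only takes effect where Tamper Protection is already off:

# Set the TamperProtection value (this writes a value; the Features key itself must already exist)
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 0 -PropertyType DWORD -Force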

After running these commands, verify the changes with:

Get-MpPreference | Select-Object DisableRealtimeMonitoring, MAPSReporting, SubmitSamplesConsent, DisableBehaviorMonitoring, DisableIntrusionPreventionSystem, DisableIOAVProtection, DisableScriptScanning

  • These changes require administrator privileges
  • Some settings may revert after Windows updates
  • Consider creating a script to reapply these settings automatically
  • For enterprise environments, group policy might override these settings

For domain-joined machines or when PowerShell changes don't stick:

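# Export the current local security policy to a template file
$PolicyFile = "$env:TEMP\DefenderSettings.pol"
secedit /export /cfg $PolicyFile

# Edit the file to include:
# [System Access]
# DisableAntiSpyware = 1
# DisableAntiVirus = 1
# Note: secedit templates carry security policy (account, audit, user-rights and similar
# sections). DisableAntiSpyware is a registry policy value under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender, not a [System Access] setting.

# Import the modified template
secedit /configure /db "$env:windir\security\new.sdb" /cfg $PolicyFile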

To completely disable the Windows Defender service:

# Stop the service
Stop-Service -Name WinDefend -Force

# Disable the service
Set-Service -Name WinDefend -StartupType Disabled

# Optional: Disable related services (Sense is the Windows Defender Advanced Threat Protection Service)
Stop-Service -Name Sense -Force
Set-Service -Name Sense -StartupType Disabled

Remember that disabling Windows Defender leaves your system vulnerable. Only do this when:

  • You're installing a third-party AV solution
  • You're working in a controlled, isolated environment
  • You accept the security risks

Many admins think running Set-MpPreference -DisableRealtimeMonitoring $true fully disables Windows Defender, but the UI still shows multiple active protections. From troubleshooting experience, here's what actually needs to be disabled:


# Core protection components
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableBlockAtFirstSeen $true
Set-MpPreference -DisableScanningNetworkFiles $true
Set-MpPreference -DisableScriptScanning $true

# Cloud-delivered protection
Set-MpPreference -MAPSReporting 0
Set-MpPreference -SubmitSamplesConsent 2

# Network intrusion prevention and IOAV (download/attachment) scanning
# (these two settings do not control Tamper Protection)
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableIOAVProtection $true

After running these commands, check with:


Get-MpPreference | Select-Object *Disable*
Get-MpComputerStatus | Format-List

1. Group Policy may override these settings

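2. Some Enterprise editions require additional registry tweaks. Note that on client devices, Microsoft Defender platform version 4.18.2007.8 and later ignore the DisableAntiSpyware value:

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWord -Force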

3. Defender may re-enable itself after Windows Updates
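
An audit counterpart to the verification commands above, for confirming that protections are back on after maintenance or for spotting drift: it reports only the settings from this page that are in a weakened state. This is an added example, not code from the original page; the function name, its parameters and the sample objects are assumptions.

```powershell
# Added example: list the Defender settings from this page that are currently weakened.
# Get-DefenderWeakenedSetting and its parameters are hypothetical names.
function Get-DefenderWeakenedSetting {
    param(
        $Preference = (Get-MpPreference),
        $Status     = (Get-MpComputerStatus),
        [switch]$SkipLocalChecks   # skip registry/service reads when testing with sample objects
    )
    function New-Finding($Source, $Setting, $Value) {
        [pscustomobject]@{ Source = $Source; Setting = $Setting; Value = $Value }
    }
    # Get-MpPreference switches that the page sets to $true
    $switches = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableBlockAtFirstSeen',
                'DisableIOAVProtection', 'DisableScriptScanning', 'DisableScanningNetworkFiles',
                'DisableIntrusionPreventionSystem'
    foreach ($name in $switches) {
        if ($Preference.$name -eq $true) { New-Finding 'MpPreference' $name $true }
    }
    # Values the page uses to turn off cloud-delivered protection and sample submission
    if ($Preference.MAPSReporting -eq 0)        { New-Finding 'MpPreference' 'MAPSReporting' 0 }
    if ($Preference.SubmitSamplesConsent -eq 2) { New-Finding 'MpPreference' 'SubmitSamplesConsent' 2 }
    # Effective state reported by the engine; $false means the component is not protecting
    $states = 'AMServiceEnabled', 'AntivirusEnabled', 'RealTimeProtectionEnabled',
              'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'IsTamperProtected'
    foreach ($name in $states) {
        if ($Status.$name -eq $false) { New-Finding 'MpComputerStatus' $name $false }
    }
    if ($SkipLocalChecks) { return }
    # Registry values written on this page, with the value the page writes
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'; Name = 'TamperProtection'; Weak = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Weak = 1 }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item -and $item.($c.Name) -eq $c.Weak) { New-Finding 'Registry' "$($c.Path)\$($c.Name)" $c.Weak }
    }
    # Services the page stops and disables
    foreach ($svc in (Get-Service -Name WinDefend, Sense -ErrorAction SilentlyContinue)) {
        if ($svc.StartType -eq 'Disabled') { New-Finding 'Service' $svc.Name 'Disabled' }
    }
}

# Constructed sample objects (not real output) to exercise the logic off-host
$samplePref   = [pscustomobject]@{ DisableRealtimeMonitoring = $true; MAPSReporting = 0; SubmitSamplesConsent = 1 }
$sampleStatus = [pscustomobject]@{ RealTimeProtectionEnabled = $false; IsTamperProtected = $true }
Get-DefenderWeakenedSetting -Preference $samplePref -Status $sampleStatus -SkipLocalChecks | Format-Table -AutoSize
```

Called with no arguments in an elevated session, the function reads the live host; an empty result means none of the settings covered here are in the weakened state.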