How to Disable All Windows Defender Protection Features via PowerShell (Complete Guide with Registry Tweaks)


Windows Defender (now Microsoft Defender) has multiple protection components that need to be disabled separately. The main components visible in the UI include:

  • Real-time protection
  • Cloud-delivered protection
  • Automatic sample submission
  • Tamper protection

Here's the complete set of PowerShell commands to disable all protection features:

# Disable real-time monitoring
Set-MpPreference -DisableRealtimeMonitoring $true

# Disable cloud-delivered protection
Set-MpPreference -MAPSReporting 0

# Disable automatic sample submission
Set-MpPreference -SubmitSamplesConsent 2

# Disable behavior monitoring
Set-MpPreference -DisableBehaviorMonitoring $true

# Disable intrusion prevention
Set-MpPreference -DisableIntrusionPreventionSystem $true

# Disable IOAV protection
Set-MpPreference -DisableIOAVProtection $true

# Disable script scanning
Set-MpPreference -DisableScriptScanning $true

Tamper protection requires registry changes or group policy modifications. Here's the registry approach:

# Set the TamperProtection DWORD value to 0 under the existing Features key
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 0 -PropertyType DWORD -Force

After running these commands, verify the changes with:

Get-MpPreference | Select-Object DisableRealtimeMonitoring, MAPSReporting, SubmitSamplesConsent, DisableBehaviorMonitoring, DisableIntrusionPreventionSystem, DisableIOAVProtection, DisableScriptScanning

  • These changes require administrator privileges
  • Some settings may revert after Windows updates
  • Consider creating a script to reapply these settings automatically
  • For enterprise environments, group policy might override these settings

For domain-joined machines or when PowerShell changes don't stick:

# Export current policies
$PolicyFile = "$env:TEMP\DefenderSettings.pol"
secedit /export /cfg $PolicyFile

# Edit the file to include:
# [System Access]
# DisableAntiSpyware = 1
# DisableAntiVirus = 1

# Import modified policies
secedit /configure /db $env:windir\security\new.sdb /cfg $PolicyFile

To completely disable the Windows Defender service:

# Stop the service
Stop-Service -Name WinDefend -Force

# Disable the service
Set-Service -Name WinDefend -StartupType Disabled

# Optional: Disable related services
Stop-Service -Name Sense -Force
Set-Service -Name Sense -StartupType Disabled

Remember that disabling Windows Defender leaves your system vulnerable. Only do this when:

  • You're installing a third-party AV solution
  • You're working in a controlled, isolated environment
  • You accept the security risks

Many admins think running Set-MpPreference -DisableRealtimeMonitoring $true fully disables Windows Defender, but the UI still shows multiple active protections. From troubleshooting experience, here's what actually needs to be disabled:


# Core protection components
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableBlockAtFirstSeen $true
Set-MpPreference -DisableScanningNetworkFiles $true
Set-MpPreference -DisableScriptScanning $true

# Cloud-delivered protection
Set-MpPreference -MAPSReporting 0
Set-MpPreference -SubmitSamplesConsent 2

# Network intrusion prevention and IOAV (downloaded files and attachments) scanning
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableIOAVProtection $true

After running these commands, check with:


Get-MpPreference | Select-Object *Disable*
Get-MpComputerStatus | Format-List

1. Group Policy may override these settings

2. Some Enterprise editions require additional registry tweaks:


New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -Force

3. Defender may re-enable itself after Windows Updates
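
The verification step above only dumps raw values. As an added example (not part of the original page), the read-only audit below reports which of the settings covered here are currently in their weakened state, which helps confirm a host's posture after a change, an update, or a policy refresh. The function name Get-DefenderWeakenedSetting and the sample object are assumptions constructed for illustration.

```powershell
# Added example (not from the original page). Read-only: it changes nothing.
# Get-DefenderWeakenedSetting is a hypothetical helper name.
function Get-DefenderWeakenedSetting {
    param(
        [Parameter(Mandatory)] $Preference,  # object shaped like Get-MpPreference output
        $Status                               # optional: Get-MpComputerStatus output
    )
    # Boolean switches used on this page: $true means the protection is off.
    $switches = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                'DisableBlockAtFirstSeen', 'DisableScanningNetworkFiles',
                'DisableScriptScanning', 'DisableIntrusionPreventionSystem',
                'DisableIOAVProtection'
    foreach ($name in $switches) {
        if ($Preference.$name -eq $true) {
            [pscustomobject]@{ Setting = $name; Value = $true; Meaning = 'protection switched off' }
        }
    }
    # Values the page sets: MAPSReporting 0 = cloud protection off,
    # SubmitSamplesConsent 2 = never send samples.
    if ($Preference.MAPSReporting -eq 0) {
        [pscustomobject]@{ Setting = 'MAPSReporting'; Value = 0; Meaning = 'cloud-delivered protection off' }
    }
    if ($Preference.SubmitSamplesConsent -eq 2) {
        [pscustomobject]@{ Setting = 'SubmitSamplesConsent'; Value = 2; Meaning = 'sample submission off' }
    }
    # IsTamperProtected is only present on builds that report it; a missing value is skipped.
    if ($Status -and $Status.IsTamperProtected -eq $false) {
        [pscustomobject]@{ Setting = 'IsTamperProtected'; Value = $false; Meaning = 'tamper protection off' }
    }
}

# Constructed sample so the function can be tried on a machine without Defender.
$sample = [pscustomobject]@{
    DisableRealtimeMonitoring = $true;  DisableBehaviorMonitoring        = $false
    DisableBlockAtFirstSeen   = $false; DisableScanningNetworkFiles      = $false
    DisableScriptScanning     = $true;  DisableIntrusionPreventionSystem = $false
    DisableIOAVProtection     = $false; MAPSReporting = 0; SubmitSamplesConsent = 1
}
Get-DefenderWeakenedSetting -Preference $sample | Format-Table -AutoSize

# On a live host, feed it the cmdlets this page already uses.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    Get-DefenderWeakenedSetting -Preference (Get-MpPreference) -Status (Get-MpComputerStatus) |
        Format-Table -AutoSize
    Get-Service WinDefend, Sense -ErrorAction SilentlyContinue | Format-Table Name, Status, StartType -AutoSize
}
```

With the constructed sample, the function returns three findings: DisableRealtimeMonitoring, DisableScriptScanning and MAPSReporting.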