Microsoft Defender Antivirus is the built-in antivirus in Windows 10/11 and Windows Server and is enabled and configured by default. In this article, we will look at how to completely disable Defender in Windows 11 or temporarily (suspend).
In Windows 11 and 10, when installing a third-party antivirus, the built-in standard Microsoft Defender should be disabled. In some cases this does not happen automatically and you may need to manually disable Microsoft Defender.
Temporarily pause Microsoft Defender protection in Windows 11 and 10.
In some cases, you may need to temporarily disable Microsoft Defender protection without affecting important system services. For example, the launch or installation of some system program or utility is blocked by Microsoft Defender. To run such an application, you need to stop Windows Defender Real-time Protection.
- Go to the following Windows 11 settings section: Settings -> Privacy and Security -> Windows Security -> Open Windows Security (or run the settings shortcut command ms-settings:windowsdefender);
If the Microsoft Defender Security App does not start, you can repair it (under the hood is a UWP app Microsoft.SecHealthUI).
- Open the Virus and threat protection section , and click on the Manage Settings button in the Virus and Threat protection settings section;
- Move the Real-time protection switch to the Off position;
Confirm the suspension of anti-virus protection in the UAC privilege escalation confirmation window.
To restore Windows Defender computer protection, you need to turn on the switch. Also, Microsoft Defender Real-time Protection will be enabled automatically after you restart your computer.
Previously, we looked at how to manage Windows Defender Antivirus settings using PowerShell. The article discussed the PowerShell command to disable real-time protection:
Set-MpPreference -DisableRealtimeMonitoring $true
However, this command does not work as you expect in Windows 11 and the latest builds of Windows 10. The fact is that in Windows 10, starting from build 1903, a new Defender feature is enabled by default, called Microsoft Defender Tamper Protection ( Protection against fakes ).
Tamper protection provides additional protection for core Microsoft Defender security features. In particular, it blocks unauthorized changes to antivirus settings, suspension of real-time protection, and disabling cloud protection. This means that if Anti-Tampering is enabled, you won't be able to disable Real Time Protection in Microsoft Defender using PowerShell.
You can only disable Tamper Protection manually from the Windows Security graphical control panel.
Go to the settings section Virus and threat protection settings, scroll through the list of components and change the switch of the Tamper Protection parameter to Off .
After disabling Tamper Protection, you can disable real-time protection with the above PowerShell command.
How to disable Defender completely in Windows 11 and 10?
In earlier builds of Windows 10 and Windows Server 2016, you could turn off Windows Defender entirely through the Turn off Windows Defender Antivirus group policy setting under Computer Configurations -> Administrative Template -> Windows Component -> Windows Defender Antivirus in the local group policy editor gpedit.msc. Or the DisableAntiSpyware registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender corresponding to this GPO setting:
New-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender” -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
To disable real-time protection, the Turn on behavior monitoring policy or the DisableBehaviorMonitoring =1 registry value in the above registry branch were used.
In all builds since Windows 10 1903 and Windows 11, these GPOs and registry keys cannot be used to disable Microsoft Defender, as its settings are protected by the new Tamper Protections option (discussed above). The methods previously used to disable Microsoft Defender Antivirus do not work on Windows 11.- To completely disable Windows Defender components, you need to boot your computer in safe mode. For this:Run the utility msconfig;
- Go to the Boot tab;
- Select the Safe boot -> Minimal option in the boot options section;
- Click OK and restart your computer;
- Your computer will boot into safe mode;
- Now you need to open the registry editor ( regedit.exe ), go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services branch and disable the following services:
- sensewdboot
- WdFilter
- WdNisDrv
- WdNisSvc
- windefend
To do this, change the value of the Start parameter to 4;
Change the Start parameter for all the listed services manually, or use the PowerShell script:
$regpath='HKLM:\SYSTEM\CurrentControlSet\Services'To enable Microsoft Defender in Windows, you need to set the following default value of the Start parameter in the branch of each service:
Set-ItemProperty -Path ($regpath+"\WinDefend") -Name Start -Value 4
Set-ItemProperty -Path ($regpath+"\Sense") -Name Start -Value 4
Set-ItemProperty -Path ($regpath+"\WdFilter") -Name Start -Value 4
Set-ItemProperty -Path ($regpath+"\WdNisDrv") -Name Start -Value 4
Set-ItemProperty -Path ($regpath+"\WdNisSvc”) -Name Start -Value 4
- sense-3
- wdboot - 0
- WdFilter - 0
- WdNisDrv-3
- WdNisSvc - 3
- WinDefend-2
- Run msconfig and disable safe mode, restart your computer in normal mode;
- Disable all four tasks under Microsoft –> Windows –> Windows Defender Task Scheduler ( taskschd.msc );
Get-ScheduledTask “Windows Defender Cache Maintenance” | Disable-ScheduledTask
Get-ScheduledTask “Windows Defender Cleanup” | Disable-ScheduledTask
Get-ScheduledTask “Windows Defender Scheduled Scan” | Disable-ScheduledTask
Get-ScheduledTask “Windows Defender Verification” | Disable-ScheduledTask
You can disable Scheduler jobs using PowerShell:
- Launch the Windows Security app and make sure that Microsoft Defender Antivirus is now disabled. Threat service has stopped should appear here . Restart it now (Threat service stopped).
So, we have looked at how to disable Microsoft Defender protection in Windows 10 and 11.