How to Permanently Disable Windows Defender on Windows 11

Disabling Windows Defender (now called Microsoft Defender Antivirus) may be necessary for developers, software testers, or IT professionals. Deactivation allows for testing applications without interference or for installing a third-party antivirus solution.

Important: Disabling Defender leaves a system unprotected. Always re-enable security features after testing to protect against viruses and malware.

When Should You Disable Defender?

  • To test potentially malicious software for security research
  • When running programs that Defender falsely detects as threats
  • Before installing another antivirus for conflict prevention
  • To avoid real-time scans during performance-sensitive tasks

How to Temporarily Turn Off Windows Defender

  1. Open Windows Security.
  2. Go to Virus & threat protection settings.
  3. Toggle off Real-time protection.

This only disables Defender until the next reboot.

How to Permanently Disable Windows Defender with PowerShell

For a permanent solution, advanced users can use a PowerShell script to update system registry keys. Tamper Protection must be disabled manually in Windows Security before running the script. You will need Administrator rights.

PowerShell Script

# PowerShell script to permanently disable Microsoft Defender Antivirus on Windows 11
# Must be run as Administrator
# Before running, disable Tamper Protection manually from Windows Security settings

# Base registry path
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"

# Create Windows Defender key if it doesn't exist
If (-Not (Test-Path $regPath)) {
    New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft" -Name "Windows Defender" | Out-Null
}

# Set DWORD values to disable Defender core features
New-ItemProperty -Path $regPath -Name "DisableAntiSpyware" -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path $regPath -Name "DisableRealtimeMonitoring" -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path $regPath -Name "DisableAntiVirus" -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path $regPath -Name "DisableSpecialRunningModes" -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path $regPath -Name "DisableRoutinelyTakingAction" -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path $regPath -Name "ServiceKeepAlive" -PropertyType DWord -Value 0 -Force

# Real-Time Protection subkey and its DWORD values
$rtpPath = "$regPath\Real-Time Protection"
If (-Not (Test-Path $rtpPath)) {
    New-Item -Path $regPath -Name "Real-Time Protection" | Out-Null
}

New-ItemProperty -Path $rtpPath -Name "DisableBehaviorMonitoring" -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path $rtpPath -Name "DisableOnAccessProtection" -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path $rtpPath -Name "DisableScanOnRealtimeEnable" -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path $rtpPath -Name "DisableRealtimeMonitoring" -PropertyType DWord -Value 1 -Force

# Signature Updates subkey and its DWORD value
$sigPath = "$regPath\Signature Updates"
If (-Not (Test-Path $sigPath)) {
    New-Item -Path $regPath -Name "Signature Updates" | Out-Null
}
New-ItemProperty -Path $sigPath -Name "ForceUpdateFromMU" -PropertyType DWord -Value 1 -Force

# Spynet subkey and DWORD value
$spynetPath = "$regPath\Spynet"
If (-Not (Test-Path $spynetPath)) {
    New-Item -Path $regPath -Name "Spynet" | Out-Null
}
New-ItemProperty -Path $spynetPath -Name "DisableBlockAtFirstSeen" -PropertyType DWord -Value 1 -Force

Write-Host "Registry changes made to disable Microsoft Defender Antivirus permanently."
Write-Host "Please restart your computer for the changes to take effect."

What Does the Script Do?

  • Creates necessary registry keys to store settings if they don’t already exist
  • Disables real-time protection, antispyware, antivirus, and several automated actions
  • Disables background monitoring and active scanning features
  • Blocks signature updates and cloud-based protection features
  • Requires a system restart to fully apply changes

Explanation of the Script

  • The script operates by modifying Windows registry keys under the path HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender and its subkeys.
  • It sets various DWORD values to 1 to disable core antivirus features such as real-time monitoring, behavior monitoring, and automatic actions.
  • It creates registry keys if they do not already exist to ensure changes take effect.
  • The script disables signature updates and some intelligent security features like Spynet.
  • Important note: Tamper Protection in Windows Security must be disabled manually before running this script, as it prevents registry modifications related to Defender.
  • The script requires Administrator privileges and a system restart for changes to apply.
  • This method disables Defender permanently until reverted, useful in scenarios like testing or using alternative security solutions.

Safety and Testing Reminder

Disabling Microsoft Defender with this script is best reserved for controlled environments (like test labs or VMs). Do not disable essential security features on devices in daily use.

Junaid Ahmed
Junaid Ahmed

Junaid Ahmed is an enthusiastic Cybersecurity Manager and Azure Architect with a strong focus on cloud security, identity management, and passwordless adoption. He is passionate about helping organizations simplify their security approach, strengthen trust in the cloud, and embrace innovative technologies that drive both resilience and growth.

Articles: 36

Leave a Reply

Your email address will not be published. Required fields are marked *