NTLite already setsAfter testing, I confirmed the reg changes work on:
- W10 20H2 Home & Pro- W10 21H2 Home & Pro- W11 Home & Pro
For the next release, NTLite needs to add the Windows Defender settings:
Code:[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] "DisableRealtimeMonitoring" "DisableAntiVirus"
Sorry I didn't fully understand, but I need to clear the doubt I'm doing this in an iso image, so first I need to check the tamper protection option - disable.Either way, the reg file works. But order of execution is important.
Unless the Tamper Protection flag is disabled in the image, after the system boots there is no way to change it outside of the Security Center (and rebooting). Therefore the reg file must be integrated in the image, and not applied in Post-Setup.
When Tamper Protection is enabled, all the other Defender settings can't be touched by command line. A reboot is always required since tamper protection is applied at boot time.
Allright... I'll start over again. I extracted my untouched install.wim file (W11 23H2); downloaded the Reg File and I'm going to Add it as you taught here.I ran RegistryChangesView, and ended up with this final reg file:
Code:Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features] "TamperProtection"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] "DisableAntiSpyware"=dword:00000001 "DisableRealtimeMonitoring"=dword:00000001 "DisableAntiVirus"=dword:00000001 ; Microsoft Defender Antivirus Mini-Filter Driver [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter] "Start"=dword:00000004 Microsoft Defender Antivirus Network Inspection System Driver [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv] "Start"=dword:00000004 ; Microsoft Defender Antivirus Network Inspection Service [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc] "Start"=dword:00000004 ; Microsoft Defender Antivirus Service [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend] "Start"=dword:00000004
SUCCESS!! This tweak works even after several reboots. When you bring up the Windows Security control panel, it may take a minute before "Getting protection info..." times out and reports "No active antivirus provider".
Integrate this reg file into the image.
I ran RegistryChangesView, and ended up with this final reg file:
Code:Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features] "TamperProtection"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] "DisableAntiSpyware"=dword:00000001 "DisableRealtimeMonitoring"=dword:00000001 "DisableAntiVirus"=dword:00000001 ; Microsoft Defender Antivirus Mini-Filter Driver [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter] "Start"=dword:00000004 Microsoft Defender Antivirus Network Inspection System Driver [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv] "Start"=dword:00000004 ; Microsoft Defender Antivirus Network Inspection Service [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc] "Start"=dword:00000004 ; Microsoft Defender Antivirus Service [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend] "Start"=dword:00000004
SUCCESS!! This tweak works even after several reboots. When you bring up the Windows Security control panel, it may take a minute before "Getting protection info..." times out and reports "No active antivirus provider".
Integrate this reg file into the image.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableAntiVirus"=dword:00000001
"DisableSpecialRunningModes"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"ServiceKeepAlive"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
"ForceUpdateFromMU"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"DisableBlockAtFirstSeen"=dword:00000001
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableAntiVirus"=dword:00000001
; Microsoft Defender Antivirus Mini-Filter Driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000004
Microsoft Defender Antivirus Network Inspection System Driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004
; Microsoft Defender Antivirus Network Inspection Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004
; Microsoft Defender Antivirus Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
For Method 1, you can ask the Author here:I don't understand why you're adding more settings than are required.
Users can make up their minds, but I strongly suggest using post #13 unless you can explain why your extra changes make a real difference.
It's not mentioned often in these discussions, so I just want to point out to readers that NTLite can actually uninstall Defender, which results in the smallest image size, and performance is the absolute best, since all the drivers and services are removed, making it have zero overhead.
However, unless this was fixed, the downside to uninstalling the Defender component is that it will also remove the Security Center app as well, which is a separate interface used to toggle many important security features. Those settings could still be toggled manually via direct registry tweaking, but the interface is much easier to use, since these settings happen to be numerous and complicated.
Also, I agree with Garlin that the least number of tweaks should be used, and I think after seeing all the solutions out there, the absolute minimum number of reg keys needed to disable Defender is probably just 1-3 keys at most, which my experience tells me is a combination of "DisableAntiSpyware", "DisableRealtimeMonitoring", and "TamperProtection". Everything else is likely unnecessary, snakeoil, or operator-error from not using them properly.
Done.I'll fix this. I'll call Method 2 of "Method 2 (Garlin's Method)".
ô loko, brasileiro papai???Unfortunately it is not working, as shown in the photos the antivirus service continues to work normally.
I actually like the details in method 3 despite requiring more work...thanks for compiling these informationHi...
Three validated alternatives to Disable Defender in Windows 11 - all versions. Make sure to read everything.
All thanks to Pureinfotech, Garlin and Windows OS Hub. I only put them all together in one single post and adapted the methods to NTLite procedures.
Open NTLite and Load your install.wim file.
► METHOD 1: Integrating Registry Entries - #1 Easiest way [No Services Deactivation]
Based in disabling Tamper Protection and 12 Defender Settings. Integrate the Attached Registry File W11 - Disable Microsoft Defender.
Code:Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features] "TamperProtection"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] "DisableAntiSpyware"=dword:00000001 "DisableRealtimeMonitoring"=dword:00000001 "DisableAntiVirus"=dword:00000001 "DisableSpecialRunningModes"=dword:00000001 "DisableRoutinelyTakingAction"=dword:00000001 "ServiceKeepAlive"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection] "DisableBehaviorMonitoring"=dword:00000001 "DisableOnAccessProtection"=dword:00000001 "DisableScanOnRealtimeEnable"=dword:00000001 "DisableRealtimeMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates] "ForceUpdateFromMU"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet] "DisableBlockAtFirstSeen"=dword:00000001
► METHOD 2 (Garlin's Method): Integrating Registry Entries - #2 Easiest way [With Services Deactivation]
Based in disabling Tamper Protection, 3 Defender Settings and 4 Defender Services. Integrate the Attached Registry File W11 - Disable Microsoft Defender (Garlin's Method).
Code:Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features] "TamperProtection"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] "DisableAntiSpyware"=dword:00000001 "DisableRealtimeMonitoring"=dword:00000001 "DisableAntiVirus"=dword:00000001 ; Microsoft Defender Antivirus Mini-Filter Driver [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter] "Start"=dword:00000004 Microsoft Defender Antivirus Network Inspection System Driver [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv] "Start"=dword:00000004 ; Microsoft Defender Antivirus Network Inspection Service [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc] "Start"=dword:00000004 ; Microsoft Defender Antivirus Service [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend] "Start"=dword:00000004
► METHOD 3: Following NTLite options
In resume, this method is the same as the last one (Garlin's), but using NTLite paths.
* Step 1: Disable 1 Setting of Microsoft Defender
On Left Panel, go to Configure > Settings > Window Defender
Done.
- Tamper Protection - Disabled
- Windows Defender - Disabled
* Step 2: Disable 6 Services of Microsoft Defender (Windows Defender):
On left panel, go to Configure > Services
Then, Configure > Extra Services
- WdNisSvc - Disabled
- WinDefend - Disabled
Done.
- WdFilter - Disabled
- WdNisDrv - Disabled
That's it! Microsoft Defender is now Permanently Disabled.
► Optional: Disable or Remove 4 Windows Defender Scheculed Tasks:
For sure, Defender's already disabled. But if you want even more guarantee, you can Disable/Remove a few tasks of it. Select one option.
1. Disable Tasks in Windows
After clean install of windows, in first boot, open Task Scheduler > Task Scheduler Libray > Microsoft > Windows > Windows Defender
View attachment 11161
- Disable the four tasks
2. Remove Tasks in NTLite ("to remove" is the only option offered)On left panel, go to Remove > Scheduled Tasks > Windows Defender
Done.
- Windows Defender Cache Maintenance - Remove
- Windows Defender Cleanup - Remove
- Windows Defender Scheduled Scan - Remove
- Windows Defender Verification - Remove
Important: After you intall your desired AntiVirus, careful with "Microsoft Defender Antivirus periodic scanning for threats" option. If you switch to ON, in all circunstances Defender will be re-enabled. Re-apply one of the Reg Files in Safe Mode (Disable Tamper Protection & Defender first) and reboot the OS.
View attachment 11162
More Info: The alternatives above have different principles of deactivation, but they're interconnected. If you change one, you affect the other and that's why both work. Pick One and Go Ahead.
References: PureInfoTech, Garden's Method, Windows OS Hub