Disable Windows Defender in Windows 11

jlsupremo

New Member
Hello, how can I disable Windows Defender in Windows 11? I can disable it in all versions except Windows 11. Can someone explain to me if there is a way to completely disable it in Windows 11? Thank you.

I check the option to disable it and use sysprep, but when Windows starts the first time, Windows Defender is active again.
 

Hellbovine

Active Member
You will need to translate your posts to English, per the forum rules, please.

Can you tell us what you tried so far, that did not work? For example, did you use NTLite to uninstall Defender?
 

jlsupremo

New Member
> You will need to translate your posts to english, per the forum rules, please.
>
> Can you tell us what you tried so far, that did not work? For example, did you use NTLite to uninstall defender?
I need to completely disable Windows Defender on Win11, but it always comes back on when I install the iso.

Windows7 = successfully disabled.
Windows8.1 = successfully disabled.
Windows10 = Disabled successfully.
Windows11 = does not deactivate, it becomes active again when you install the iso.
 

Hellbovine

Active Member
I'm guessing the problem you are running into is this:

You are connected to the internet while you are installing Windows. When Windows update and the scheduled tasks for Defender run some checks they end up reinstalling Defender.

Try to unplug your router or the ethernet cable from your computer during the install process. Or, disable/pause Windows Update.

You also never mentioned *how* you tried to disable Defender. Have you tried using NTLite to remove it entirely? NTLite will remove the component and then also put in a group policy registry key that disables Defender too, so it doesn't try to run and update/install itself again.
 

jlsupremo

New Member
> I'm guessing the problem you are running into is this:
>
> You are connected to the internet while you are installing Windows. When Windows update and the scheduled tasks for Defender run some checks they end up reinstalling Defender.
>
> Try to unplug your router or the ethernet cable from your computer during the install process. Or, disable/pause Windows Update.
>
> You also never mentioned *how* you tried to disable Defender. Have you tried using NTLite to remove it entirely? NTLite will remove the component and then also put in a group policy registry key that disables Defender too, so it doesn't try to run and update/install itself again.
Yes, friend, I use NTLite to remove Defender. I always use it, but only on Windows 11 it does not work: it has a status of deactivated in NTLite, but when I install Windows it activates again. Up to Windows 10, I remove it through NTLite and it doesn't become active again; it works perfectly up to Windows 10.
But with Windows 11 it is not working.
 

Necrosaro

Active Member
> Yes, friend, I use NTLite to remove Defender, I always use it, but only on windows 11, it does not work, it has a status of deactivated in NTLITE, but when I install windows it activates again, until the windows version 10, I remove it through ntlite and it doesn't get active again, it works perfectly until windows 10.
> But with windows 11 it is not working.
I ended up having issues too with Windows 11, so sometimes I have to use an aftermarket program to disable it if it gets really stubborn. Then I go to NTLite and remove the bugger.
 

jlsupremo

New Member

Attachments

  • Salvo automaticamente 77a6a502.xml
    4.9 KB

Hellbovine

Active Member
Okay, this is what I suspected. I am not very good at reading NTLite xml presets yet, so if I am incorrect, someone please let me know.

But, what I see is this:
<Tweak name="Windows Defender\DisableAntiSpyware">1</Tweak>

You are not actually uninstalling Defender. Instead it's just adding a group policy key to disable Defender. Microsoft has probably deprecated this key perhaps (or Windows Update and Defender services are removing/ignoring it at some stage during the install process).

Try to actually go to "Components" and uninstall Defender in NTLite, then see what happens.
 

Hellbovine

Active Member
Also, for anyone curious, in Windows 10 21H2, I was able to disable Defender with just registry keys, even on Home edition, which I had to figure out myself because all of the solutions I came across on the internet were not working as expected, for this edition. Since Windows 11 is generally considered a re-skin of Windows 10, there's a good possibility that this method still applies, but I cannot guarantee that without trying it myself, so some testing will be needed to see what is relevant.

If you want to look at the keys I used and experiment (which is what I would do if I had W11), check out this link and download the Tweaks folder I attached, then extract the contents, and edit the Security registry file to see the keys and the comments on them:
https://www.ntlite.com/community/index.php?threads/guide-optimized-image.2990/

If the keys work, you could take it a step further and uninstall Defender using NTLite, process that, then integrate the relevant reg keys and process that, to be extra sure it stays disabled.
 

garlin

Moderator
Staff member
Maybe we should get a second opinion (Shawn Brink).

Enable or Disable Microsoft Defender Antivirus in Windows 11
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
Turn On or Off Tamper Protection for Microsoft Defender Antivirus in Windows 11
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000

I made those two changes on RTM (unpatched), and Defender re-enabled itself after my first reboot.

AveYo suggests disabling Defender services, which can be done in offline images without requiring any takeown commands.
Code:
;Microsoft Defender Antivirus Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

;Microsoft Defender Antivirus Network Inspection Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004

;Windows Defender Antivirus Network Inspection System Driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004

;Windows Defender Advanced Threat Protection Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense]
"Start"=dword:00000004

That worked for a while, then Defender re-enabled itself. Some folks suggested Sordum's Defender Control 2.1, which worked better.
Maybe someone can run ProcessMonitor and see what they're doing differently.
 

Attachments

  • Screenshot 2022-09-02 001141.png
    56.8 KB

Necrosaro

Active Member
> Maybe we should get a second opinion (Shawn Brink).
>
> Enable or Disable Microsoft Defender Antivirus in Windows 11
>
> Turn On or Off Tamper Protection for Microsoft Defender Antivirus in Windows 11
>
>
> I made those two changes on RTM (unpatched), and Defender re-enabled itself after my first reboot.
>
> AveYo suggests disabling Defender services, which can be done in offline images without requiring any takeown commands.
> Code:
> ;Microsoft Defender Antivirus Service
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
> "Start"=dword:00000004
>
> ;Microsoft Defender Antivirus Network Inspection Service
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]
> "Start"=dword:00000004
>
> ;Windows Defender Antivirus Network Inspection System Driver
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
> "Start"=dword:00000004
>
> ;Windows Defender Advanced Threat Protection Service
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense]
> "Start"=dword:00000004
>
> That worked for a while, then Defender re-enabled itself. Some folks suggested Sordum's Defender Control 2.1, which worked better.
> Maybe someone can run ProcessMonitor and see what they're doing differently.
Used Sordum's Defender Control 2.1 if I had issues too. After it's disabled I just removed Defender then removed the program.
 

garlin

Moderator
Staff member
I ran RegistryChangesView, and ended up with this final reg file:
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableAntiVirus"=dword:00000001

; Microsoft Defender Antivirus Mini-Filter Driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000004

; Microsoft Defender Antivirus Network Inspection System Driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004

; Microsoft Defender Antivirus Network Inspection Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004

; Microsoft Defender Antivirus Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

SUCCESS!! This tweak works even after several reboots. When you bring up the Windows Security control panel, it may take a minute before "Getting protection info..." times out and reports "No active antivirus provider".

Integrate this reg file into the image.
 

Attachments

  • Windows 10 x64-2022-09-02-08-40-30.png
    69.6 KB
  • Disable Windows Defender.reg
    1.8 KB

garlin

Moderator
Staff member
> You are connected to the internet while you are installing Windows. When Windows update and the scheduled tasks for Defender run some checks they end up reinstalling Defender.
>
> Try to unplug your router or the ethernet cable from your computer during the install process. Or, disable/pause Windows Update.
I ran Windows Update on my unpatched (but reg-edited) image, and it didn't re-enable Defender.

Seriously guys, the "unplug my network cable" fairy tale doesn't apply... :confused:
 

Hellbovine

Active Member
I think there’s a lot more to consider before writing this off as a final solution:
1) It seems to me, that this means NTLite will need an update for W10 and W11, because it's not as simple as turning on the group policy anymore, by itself, since both of these operating systems in the newer editions require layers of settings to disable Defender. Agreed?

2) The other thing to consider, is that the poster wasn't actually uninstalling Defender, which at one point is what was being implied, "I use NTLite to remove Defender" and "I remove it through ntlite". Instead, they were just toggling the reg key setting in NTLite to disable it. So I'm curious if removing the component on W11 avoids the issues.

Months ago in my testing I did remove it in W10 via NTLite, and it seemed to work well, but I would need to revisit that, now that I have learned more about Windows Update and Defender behaviors in W10 as my custom image progressed.

3) I started out using TenForums as well, but their tutorial didn't work on W10 21H2 Home, same as it didn't work here on W11 21H2 Pro. Both tutorials on Ten/Eleven Forums need to be updated, since I have shown with my keys (and you did too for W11) that it is possible to fully disable Defender, even with all the disclaimers on the tutorial and statements made by Microsoft.

I still fully stand by my solution for my W10 edition until proven wrong (you don't need my entire reg file obviously, just the relevant ones based on the comments). Also it's possible these tutorials were just never the solution to begin with, which I think is really the case, as I'll expand on more in the items below.

4) That one DisableAntiSpyware policy key doesn't fully turn off all of the Defender features, as there are other parts that continue to run which appear in Task Manager (antimalware / on W10 21H2 Home at least), and that's why I had to layer it, like you ended up doing too in W11.

5) I would specifically test this on Home edition if possible, because I've come across too many policies in general, that no longer work on Home edition and/or W10 21H2 in my testing. This is a big part of why I always went with user-toggled keys rather than policies, but also because I didn't want to lock pages down if I could avoid doing so.

6) I am curious about TamperProtection, because you have a value of 0, I have 4 when I toggle it off as a user in W10.

7) You toggled these services, but I don't see them in the W10 services panel, but they do appear in my regedit?

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense]

On that note, I'd suggest adding comments to all the keys so that people know what they are changing.

8) The other thing to try if you didn't already, is to go ahead and integrate it and install that to test. When I tried to disable the Defender and WU services on W10 via integration, Windows Setup errors out. I'm not sure exactly which service(s) was responsible yet, but I had made a post about it, I just haven't had the time to do a bunch of re-installs and figure out precisely which one(s) are at fault and in what combination:
https://www.ntlite.com/community/index.php?threads/ntlite-image-failure.2860/

9) I think you are oversimplifying the internet fairy tale thing, if you have an active internet connection then updates are going to be installed when you install Windows. It seems like all of your testing here is on a live desktop, not taking into account Windows Setup, user provisioning, etcetera. You are correct though about my wording, I did say "reinstalling Defender" and I meant to say “update”. This is a part of why things can be re-enabled or overwritten.

10) I don't think Sordum's tool is needed for probably anything in Windows, most tools like this are just changing reg keys. It's cleaner and more transparent to just integrate those keys into an image, or run a reg file post-install, than to use a 3rd party tool post-install. I would be curious to know what they actually do, using a reg compare tool. In fact I think I'm going to download it now and see, because when I used Bitsum's tools I was disappointed since they weren't changing as much as they claim to be.
 

garlin

Moderator
Staff member
> 1) It seems to me, that this means NTLite will need an update for W10 and W11, because it's not as simple as turning on the group policy anymore, by itself, since both of these operating systems in the newer editions require layers of settings to disable Defender. Agreed?
I agree on W10 & 11 having more differences in regard to "hardening" -- preventing malware from disabling Defender at the services level.
The core Defender platform is the same for W8 onward, it's just the kernel integration changes.

> 2) The other thing to consider, is that the poster wasn't actually uninstalling Defender, which at one point is what was being implied, "I use NTLite to remove Defender" and "I remove it through ntlite". Instead, they were just toggling the reg key setting in NTLite to disable it. So I'm curious if removing the component on W11 avoids the issues.
My experience is removing Defender solves many problems, but you would have to disable Updates.

> I still fully standby my solution for my W10 edition until proven wrong (you don't need my entire reg file obviously, just the relevant ones based on the comments). Also it's possible these tutorials were just never the solution to begin with, which I think is really the case, as I'll expand on more in the items below.
Didn't have time to try W10. Started testing on W11, as the OP called out.

> 4) That one DisableAntiSpyware policy key doesn't fully turn off all of the Defender features, as there are other parts that continue to run which appear in Task Manager (antimalware / on W10 21H2 Home at least), and that's why I had to layer it, like you ended up doing too in W11.
DisableAntiSpyware key was introduced by W7's MSE. The point is "Defender" isn't a single product or service, it's actually a growing collection of cross-related apps.

Does Defender mean:
- real-time anti-virus protection
- Defender FW
- WDAG sandboxing for Edge

Therefore it takes more than one key, since Defender isn't a single app in its current form.

> 5) I would specifically test this on Home edition if possible, because I've come across too many policies in general, that no longer work on Home edition and/or W10 21H2 in my testing. This is a big part of why I always went with user-toggled keys rather than policies, but also because I didn't want to lock pages down if I could avoid doing so.
Home doesn't support GPOs. If you could copy local policy or regedits to bypass it, then Pro isn't a premium product.

> 6) I am curious about TamperProtection, because you have a value of 0, I have 4 when I toggle it off as a user in W10.
The consensus is TamperProtection must be 0 to allow config changes, otherwise the self-protection mechanism reverts changes. This is related to the Sense service which protects Defender from malware trying to turn off protections.

> 7) You toggled these services, but I don't see them in the W10 services panel, but they do appear in my regedit?
Extra Services, they're kernel filter drivers to enable snooping.

> On that note, I'd suggest adding comments to all the keys so that people know what they are changing.
I think it's straightforward. This topic is well covered by how-to guides.

The only thing I'm trying is to verify what is the bare minimum of changes. Some folks disable all sorts of settings which have no importance, once their services have stopped running.

> 9) I think you are oversimplifying the internet fairy tale thing, if you have an active internet connection then updates are going to be installed when you install Windows. It seems like all of your testing here is on a live desktop, not taking into account Windows Setup, user provisioning, etcetera. You are correct though about my wording, I did say "reinstalling Defender" and I meant to say “update”. This is a part of why things can be re-enabled or overwritten.
The "disable network during Setup" had its origins in the early W10/11 days, before experienced users began researching the OS.

Yes, it works to bypass MS enrollment and avoid ZDP/Dynamic Update surprises. My point is there are now better methods to accomplish the same things w/o unplugging the cable. For example, the NCSI disable probing hack, BypassRNO, etc.

> 10) I don't think Sordum's tool is needed for probably anything in Windows, most tools like this are just changing reg keys. It's cleaner and more transparent to just integrate those keys into an image, or run a reg file post-install, than to use a 3rd party tool post-install. I would be curious to know what they actually do, using a reg compare tool. In fact I think I'm going to download it now and see, because when I used Bitsum's tools I was disappointed since they weren't changing as much as they claim to be.
Feel free to reconfirm, I ran RegistryChangesView on Sordum. It makes some extraneous tweaks like putting itself on the Defender exclusion list so Defender doesn't flag it (which it does). Also noticed an IFEO hack on MpCmdRun.exe.
 

Hellbovine

Active Member
Thanks for getting back to me Garlin, this is my last bit of soundboarding for you. I only wanted to make sure all the angles were covered, because there's a million solutions to disable Defender on the internet, and most of them just don't work anymore, as you experienced in your steps. So I'm only trying to help make sure this one is good on all aspects.

I think there's a few things we are out of sync on though, so I'd like to clarify those:

1) All I mean is, NTLite needs to remove or fix the "disable Defender" option because it no longer works, or it should be updated to include the other keys that are needed. Nuhi needs to be made aware of this, or more threads will keep popping up in the future.

2) Uninstalling Defender is still a solution on the table. If it gets reinstalled then that's something NTLite should try to address.

3+4) Ten/Eleven Forum tutorials on Defender need updating, if anyone wants to direct Brink to this thread since those tutorials were brought up--it’s not really a solution if a key works temporarily and then gets ignored or reset right away. Doesn’t matter if Defender is multiple apps or not in this case. This goes back to #1 for NTLite too.

5) All I’m concerned about with GPO, is that Home edition is likely the most common one out there, and I don’t know if the policies you used get ignored or not, so it’s something that eventually needs testing to make a solution for everyone (and NTLite will need to be aware of this too). A lot of the most popular policies, such as for Windows Update, didn't work at all for me, but many other policies do work for Home edition.

6+7) I’ll look at this stuff in future tweaking I do. I only asked those questions just to learn.

8) Got skipped in your replies. Does it work on a clean install? That’s really the most important thing of all.

9) I’ll definitely look into this, thank you. I just find it easier for troubleshooting to have someone unplug, than to try and explain that they need to incorporate other bypasses, since it’s fewer steps this way and less prone to operator-error. Though, unplugging doesn’t help W11 since it’s now mandatory without bypasses (and probably in future W10 versions too), so I do understand where you are coming from.

10) Sorry, I missed the text at the top of your code which implied you had already deciphered the Sordum tool. My eyes were drawn to the code box instead, and I just assumed you came up with that stuff from other methods.
 

garlin

Moderator
Staff member
> 1) All I mean is, NTLite needs to remove or fix the "disable Defender" option because it no longer works, or it should be updated to include the other keys that are needed. Nuhi needs to be made aware of this, or more threads will keep popping up in the future.
The real problem is new users presume there's a master on/off switch that controls all "Defender features", instead of having individual function switches. This is the same problem that leads to "why doesn't disabling WU work?"

nuhi has explained to me, he doesn't consider NTLite as "tweaking for Dummies". The web is filled with specialized tweak tools for Defender, WU, Edge, etc. which NTLite cannot keep up. The best way is to provide him with definitive working examples, which he can independently confirm and adapt NTLite to match.

> 2) Uninstalling defender is still a solution on the table. If it gets reinstalled then that's something NTLite should try to address.
Like any updates, NTLite can remove them but only in licensed mode. There's no recourse for free edition since they can don't host refresh or removal reinstalls. Therefore, disabling is the only option for some users because they also want to keep Windows update.

> 3+4) Ten/Eleven Forum tutorials on Defender need updating, if anyone wants to direct Brink to this thread since those tutorials were brought up--it’s not really a solution if a key works temporarily and then gets ignored or reset right away. Doesn’t matter if Defender is multiple apps or not in this case. This goes back to #1 for NTLite too.
The problem (IMO) is that many solutions worked at one time or another. People aren't necessarily wrong, but MS has changed the code over time, and many threads never got revisited. Re-testing is a time-consuming process, unless someone volunteers to build a test matrix for every milestone release (RTM + fully updated).

> 5) All I’m concerned about with GPO, is that Home edition is likely the most common one out there, and I don’t know if the policies you used get ignored or not, so it’s something that eventually needs testing to make a solution for everyone (and NTLite will need to be aware of this too). A lot of the most popular policies, such as for Windows Update, didn't work at all for me, but many other policies do work for Home edition.
I suppose NTLite could gray out non-working combinations. But again, help nuhi by providing test results. Given his priorities, would you rather he spend more time tweaking Settings to make them dummy proof, or working on other imaging features?

Not to sound harsh, but if someone acquired NTLite primarily for "tweaks" then they don't appreciate the program for its real function.

> 8) Got skipped in your replies. Does it work on a clean install? That’s really the most important thing of all.
Clean install (RTM + no updates). I didn't update beforehand to see what happens after WU runs, since many think it causes Defender to re-enable itself.

> 9) I’ll definitely look into this, thank you. I just find it easier for troubleshooting to have someone unplug, than to try and explain that they need to incorporate other bypasses, since it’s fewer steps this way and less prone to operator-error. Though, unplugging doesn’t help W11 since it’s now mandatory without bypasses (and probably in future W10 versions too), so I do understand where you are coming from.
BypassRNO has been in W11 for some time now. There's no reason for the obvious loophole, other than MS offering an official "out" for making MS accounts mandatory.

> 10) Sorry, I missed the text at the top of your code which implied you had already deciphered the Sordum tool. My eyes were drawn to the code box instead, and I just assumed you came up with that stuff from other methods.
I started with the two Elevenforum articles, since they're the oldest workarounds; then added disabling services. What Defender Control provided was the confirmation I needed two more Disable* keys.
 

garlin

Moderator
Staff member
After testing, I confirmed the reg changes work on:
- W10 20H2 Home & Pro
- W10 21H2 Home & Pro
- W11 Home & Pro

For the next release, NTLite needs to add the Windows Defender settings:
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableRealtimeMonitoring"
"DisableAntiVirus"
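
For checking whether a built image or a registry export carries the changes discussed in this thread, here is an added example (not code from any poster or from NTLite) that parses .reg text and reports the Defender-related values from the posted files. The function names, the constructed sample export, the suffix matching for offline-mounted hives and the reading of the "IFEO hack" as a `Debugger` value are assumptions made for the example.

```python
import re

# Value names and service keys come from the .reg files posted in the thread.
POLICY_VALUES = {"disableantispyware", "disablerealtimemonitoring", "disableantivirus"}
DEFENDER_SERVICES = {"windefend", "wdnissvc", "wdnisdrv", "wdfilter", "sense"}
# The thread reports 0 (garlin) and 4 (Hellbovine, W10) with Tamper Protection off.
TAMPER_OFF = {0, 4}

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')
# Offline-mounted SYSTEM hives expose ControlSet001 rather than CurrentControlSet.
SERVICE_RE = re.compile(r"\\(?:currentcontrolset|controlset\d{3})\\services\\([^\\]+)$")


def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; keys and names lowercased."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            # "[-KEY]" deletes a key, so no values can follow it.
            key = None if m.group(1) else m.group(2).lower()
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue  # header line, stray text, or a value outside any key
        name, data = m.group(1).lower(), m.group(2).strip()
        if data == "-":
            continue  # "name"=- deletes the value
        if data.lower().startswith("dword:"):
            try:
                data = int(data[6:], 16)
            except ValueError:
                continue
        yield key, name, data


def audit(text):
    """Return findings for Defender-disabling settings present in .reg text."""
    findings = []
    for key, name, data in parse_reg(text):
        # Suffix matching also covers hives loaded under a temporary mount name.
        if key.endswith(r"\policies\microsoft\windows defender"):
            if name in POLICY_VALUES and data == 1:
                findings.append(f"policy {name}=1")
        elif key.endswith(r"\microsoft\windows defender\features"):
            if name == "tamperprotection" and data in TAMPER_OFF:
                findings.append(f"TamperProtection={data}")
        elif key.endswith(r"\image file execution options\mpcmdrun.exe"):
            if name == "debugger":  # assumed form of the IFEO entry mentioned in the thread
                findings.append("IFEO Debugger on MpCmdRun.exe")
        else:
            m = SERVICE_RE.search(key)
            if m and m.group(1) in DEFENDER_SERVICES and name == "start" and data == 4:
                findings.append(f"service {m.group(1)} Start=4")
    return findings


# Constructed sample export, not taken from any real machine.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000005

[HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM\ControlSet001\Services\WinDefend]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result only means none of the values named in this thread are set in the export; it says nothing about a removed component.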
 