Disable Windows Defender in Windows 11

...can you Disable (or uninstall) security center altogether but leave firewall?...has it become integrated with security center and defender?...is "Microsoft Defender Firewall" the new name for old windows firewall?
Uninstalling a component removes its files from the image, which has the possibility of causing problems. NTLite removes Security Center along with Defender, and Nuhi may be able to split this out, since I think it was determined to be possible. I am not as versed in that aspect though, because I don't uninstall it from my image at this time. I doubt the firewall is harmed from this removal, but the only way to know for sure is to test it.

Disabling things is usually done by turning off services, registry keys, or scheduled tasks. The way that I disable Defender, and have zero issues, is contained within the security registry file of this guide (link). It has proven to work on every build I've tried so far, but I have no interest in testing W11, because I dislike that operating system and I have too much stuff on my to-do list. Properly disabling Defender will not harm the firewall.

People like Garlin and myself aren't computer geniuses; the thing that separates guys like us from the masses is that we are expert Googlers and troubleshooters, because we are driven to find solutions through research and testing things, while focusing on proper methods over a hacky approach, which is when a user disables something by breaking code or using excessive tweaks. My point is that people can test questions like this to find answers too, since that's what helpers are doing, so give it a whirl and let us know the results of your adventure.
 
Thanks for the reply...I tried your security REG tweaks but noticed that firewall is disabled...I don't like security center and defender, but for me the firewall is a must...I'll try to delete all the parts that contain "firewall" in them and see if it gives a satisfactory result.

BTW, I'm trying this on Windows 11
 
You don't have to use the whole file as-is. Simply delete the tweaks from the registry file that you don't want and Windows will fall back to its normal defaults for the settings that were removed, then Integrate the modified file into a new image and test it. Keep in mind that some of these may require updating for newer builds or W11, and a registry comparison tool is what I would use to get started on figuring that out.
 
I bought a new scouter and this one says:

Garlin.png


Oh crap, I'm realizing that I probably just summoned all the Discord bros to the forum.
 
I use these reg batch found on GitHub (I don't know if I can post the link). The author also made an exe; even after the updates it doesn't appear. Transform it into a bat with "reg2exe converter" and place it in post setup, so as to avoid breaking the image. I recommend updating with WuMgr_v1.1b so you can choose which ones to do.
 


I use these reg batch found on github (I don't know if I can post the link)
It's preferred that you post a GitHub link whenever possible, so readers can download files directly from the source and know its dev(s).
 
I've been recently working with this tool for a non-NTLite project.

On the whole, it's not bad but there's some annoying flaws:
1. DefenderRemover.exe is a self-extracting app that uses a hacked version of PowerRun to run several commands.

He doesn't use the official PowerRun file, because of "optimizations". If you're including another dev's TrustedInstaller tool, provide the original version of that tool. Especially as the script cannot do its work without PowerRun or another TI rights tool.

2. DefenderRemover.exe is broken, because it only allows one command-line argument: Y (disable Defender and other Windows security measures). While his batch script's menu supports three options, the other two options are ignored when passed as arguments.

You can't run "DefenderRemover.exe A" or "S".

3. While he groups the different reg settings into separate files (good), his script performs a for-loop to install them (bad). What happens is the script rapidly opens too many flashing windows, one for each reg file. The source files could be merged in his EXE version.

4. The dev throws in some totally unrelated reg entries and removals which have NOTHING to do with Defender or platform security. They're just random personal tweaks, and should be excluded.

My overall assessment is while DefenderRemover mostly works, there's room for fixes. From the dev's comments, he's in school and has less time to work on his projects. If you want to continue using the self-extracting EXE, it's possible to use 7-Zip and replace individual files.

There's many Defender tools or scripts on GitHub, but some of their methods and code quality aren't at the same level. Unfortunately, it's too much work checking them out to find a better solution. I rank this one better than average.
 
This disables certain services (Sense, WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend) during Windows Setup and thus prevents the MsMpEng.exe process from running
 
When Tamper Protection is enabled, all the other Defender settings can't be touched
Sorry for answering an old post.
You can do everything in safe mode. Just run it in safe mode. You can also access Defender folders on the C drive in safe mode.
Maybe selecting "Audit mode" instead of OOBE can solve this problem. You can do post-setups there. (not tested)
 
I ran RegistryChangesView, and ended up with this final reg file:
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableAntiVirus"=dword:00000001

; Microsoft Defender Antivirus Mini-Filter Driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000004

; Microsoft Defender Antivirus Network Inspection System Driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004

; Microsoft Defender Antivirus Network Inspection Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004

; Microsoft Defender Antivirus Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

SUCCESS!! This tweak works even after several reboots. When you bring up the Windows Security control panel, it may take a minute before "Getting protection info..." times out and reports "No active antivirus provider".

Integrate this reg file into the image.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"PUAProtection"=dword:00000000

Should I add this after "DisableAntiVirus"=dword:00000001 ?
 
Here is an update. What's your opinion? (not tested yet)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableAntiVirus"=dword:00000001
"AllowFastServiceStartup"=dword:00000000
"DisableSpecialRunningModes"=dword:00000001
"ServiceKeepAlive"=dword:00000000

; System Guard Runtime Monitor Broker (when disabled, it might cause BSOD Critical Process Died)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SgrmBroker]
"Start"=dword:00000004

; Windows Defender Security Center
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]
"Start"=dword:00000004

; Antivirus Notifications
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications]
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]
"DisableEnhancedNotifications"=dword:00000001

; Security and Maintenance Notification
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance]
"Enabled"=dword:00000000

; Microsoft Defender Antivirus Mini-Filter Driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000004

; Microsoft Defender Antivirus Network Inspection System Driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004

; Microsoft Defender Antivirus Network Inspection Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004

; Microsoft Defender Antivirus Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MDCoreSvc]
"Start"=dword:00000004

; Real-time protection
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
"MpEnablePus"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableIOAVProtection"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting]
"DisableEnhancedNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet]
"DisableBlockAtFirstSeen"=dword:00000001
"SpynetReporting"=dword:00000000
"SubmitSamplesConsent"=dword:00000002

; Logging
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger]
"Start"=dword:00000000

; Smart Screen
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Edge\SmartScreenEnabled]
@=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled]
@=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost]
"EnableWebContentEvaluation"=dword:00000000

; Smart App Control blocking legitimate apps
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"VerifiedAndReputablePolicyState"=dword:00000000
 
This is the part I always ask modders: Why do you need the other settings?

If you don't allow Defender services to run, then all other Defender settings are moot. It comes back to a fundamental understanding of how Defender actually works. Without the services, nothing happens (except for WU trying to perform its normal task of keeping Defender updated).

There is no benefit by tweaking extra Defender settings when it's not running.
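
Added example, not part of any post in this thread: a small Python reviewer for a .reg file before it is integrated into an image. It sorts every value into Defender service start types, other Defender settings, firewall keys, unrelated tweaks and malformed lines, which covers the concerns raised above (a tweak file that also touched the firewall, unrelated entries bundled into a tool, and settings beyond the service entries). The bucket names, the firewall service names (mpssvc, BFE) and the sample file are assumptions made for this example.

```python
import re
from collections import defaultdict
# Constructed sample in the style of the thread's reg files. The mpssvc and
# MenuShowDelay entries are hypothetical; the comment without ';' is deliberate.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
; Microsoft Defender Antivirus Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
 Microsoft Defender Firewall
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc]
"Start"=dword:00000004
[HKEY_CURRENT_USER\Control Panel\Desktop]
"MenuShowDelay"="0"
'''

KEY_RE = re.compile(r'^\[-?(HKEY_[^\]]+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.+)$')
SVC_RE = re.compile(r'\\Services\\([^\\]+)$', re.I)
# Defender service names as listed in the thread; firewall names are assumed.
DEFENDER_SVCS = {"sense", "wdboot", "wdfilter", "wdnisdrv", "wdnissvc", "windefend"}
FIREWALL_SVCS = {"mpssvc", "bfe"}

def classify(key, name):
    m = SVC_RE.search(key)
    svc = m.group(1).lower() if m else ""
    if svc in FIREWALL_SVCS or "firewall" in key.lower():
        return "firewall"
    if svc in DEFENDER_SVCS and name.lower() == "start":
        return "defender-service"
    return "defender-setting" if "windows defender" in key.lower() else "other"

def audit_reg(text):
    """Group every value in a .reg file; multi-line hex values are not handled."""
    report, key = defaultdict(list), None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        km, vm = KEY_RE.match(line), VAL_RE.match(line)
        if km:
            key = km.group(1)
        elif vm and key:
            name = vm.group(1).strip('"')
            report[classify(key, name)].append((key, name, vm.group(2)))
        else:  # stray text, such as a comment that lost its ';'
            report["malformed"].append((n, line))
    return dict(report)
```

Calling `audit_reg(SAMPLE_REG)` returns a dict keyed by bucket; anything under `firewall`, `other` or `malformed` is worth a second look before the file goes into an image.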
 