Discussion on Removing Defender

devilink

Member
Since removing Defender with NTLite will damage Security Center, I've been cleaning with dism.

Currently I have been using the removal:

Code:
Microsoft-Windows-HVSI-Package
Microsoft-Windows-HVSI-WOW64-Package
Windows-Defender-Client-Package
Windows-Defender-Group-Policy-Package
Windows-Defender-ApplicationGuard-Inbox-Package
Windows-Defender-ApplicationGuard-Inbox-WOW64-Package
Microsoft-Windows-SenseClient-Package

I want to align to make changes, the current confirmed unchanged is:

Code:
Windows-Defender-Client-Package
Windows-Defender-Group-Policy-Package
Windows-Defender-ApplicationGuard-Inbox-Package
Windows-Defender-ApplicationGuard-Inbox-WOW64-Package
Microsoft-Windows-SenseClient-Package

Not so sure about:

Code:
Microsoft-Windows-HVSI-Package
Microsoft-Windows-HVSI-WOW64-Package

Since the “Microsoft-Windows-HVSI-Package” contains too many other parts, will removing this break the other parts?

I specially made a few pictures and displayed them intuitively.

The right side of the Features in the picture is always contained by the left side.

I wonder if there is a better way to remove Defender.
 

Attachments: 1.png, 2.png, 3.png, 4.png, 5.png, 6.png

NTLite has no problem removing Defender features: SecHealthUI, Sense, WDAG, and HVSI.

But why do you expect Security Center to work afterwards? What remaining roles does the app do, other than manage biometric security (Hello Face, fingerprint reader) and Family Options?

This is the same question as when users ask why System Settings crashes if you remove features. Both dashboards were never designed to run with missing components. Most users will remove Security Center when removing Defender features.

And removals will force you to run remove reinstalls after every CU.
 
Little point in removing, as it will just be put back at next update. Just disable, and it will remain disabled after update, until MS decide to stop us from doing that also.


Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001
"DisableAntiVirus"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

;Microsoft Defender Antivirus Network Inspection Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004

;Windows Defender Antivirus Network Inspection System Driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000004

;Windows Defender Advanced Threat Protection Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense]
"Start"=dword:00000004
 
I still prefer to disable Defender and Firewall in autounattend.xml.

Code:
    <settings pass="specialize">
        <component name="Networking-MPSSVC-Svc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <DomainProfile_EnableFirewall>false</DomainProfile_EnableFirewall>
            <PrivateProfile_EnableFirewall>false</PrivateProfile_EnableFirewall>
            <PublicProfile_EnableFirewall>false</PublicProfile_EnableFirewall>
        </component>
        <component name="Security-Malware-Windows-Defender" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <DisableAntiSpyware>true</DisableAntiSpyware>
        </component>
    </settings>
 
Each section of Security Center can be hidden from the user.
https://learn.microsoft.com/en-us/w...urity-center/windows-defender-security-center
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection]
"UILockdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection]
"UILockdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection]
"UILockdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection]
"UILockdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security]
"UILockdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health]
"UILockdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options]
"UILockdown"=dword:00000001

But MS warns if you hide all sections, you get this expected error from Security Center:
wdsc-all-hide.png

Which is not better than removing Security Center anyway.
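
The registry values posted above (the Defender policy and service `Start` values, and the `UILockdown` values) are also what an auditor checks for when deciding whether a machine or image has had Defender switched off or its UI hidden. The following is an added example, not part of any post in this thread: it parses `.reg`-format text and reports those values; the function names, finding strings and sample export are constructed for illustration.

```python
import re

# Keys and values are the ones quoted in this thread, lower-cased for matching.
POLICY = r"hkey_local_machine\software\policies\microsoft\windows defender"
SERVICES = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
UI_PREFIX = POLICY + " security center\\"
DEFENDER_SERVICES = ("windefend", "wdnissvc", "wdnisdrv", "wdfilter", "sense")
RULES = [  # (key, value name, weakening dword, finding)
    (r"hkey_local_machine\software\microsoft\windows defender\features",
     "tamperprotection", 0, "tamper protection off"),
    (POLICY, "disableantispyware", 1, "antispyware disabled by policy"),
    (POLICY, "disablerealtimemonitoring", 1, "real-time monitoring disabled"),
    (POLICY, "disableantivirus", 1, "antivirus disabled by policy"),
]

def parse_reg(text):
    """Yield (key, name, dword) for every dword value in .reg-format text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)):
            yield key, m.group(1).lower(), int(m.group(2), 16)

def audit(text):
    """Return findings, in file order, for Defender-weakening values."""
    findings = []
    for key, name, val in parse_reg(text):
        findings += [msg for k, n, bad, msg in RULES if (k, n, bad) == (key, name, val)]
        svc = key[len(SERVICES):] if key.startswith(SERVICES) else None
        if svc in DEFENDER_SERVICES and (name, val) == ("start", 4):
            findings.append(f"service {svc} disabled")
        if key.startswith(UI_PREFIX) and (name, val) == ("uilockdown", 1):
            findings.append(f"ui section hidden: {key[len(UI_PREFIX):]}")
    return findings

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security]
"UILockdown"=dword:00000001
'''
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The `Sense` entry in the sample has `Start` set to 3, so it is parsed but not reported; only a `Start` value of 4 on one of the listed services counts as disabled.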
 
Do you mean disable Defender via autounattend.xml or dism remove Defender?
 
This registry (or the GPO version) only hides the UI sections. -- It has no effect on Defender.
My point is even if you hide all the sections, there's no point keeping Security Center since it gives you an ugly message window by design.
 
All Security Center does is nag an experienced user. Remove Defender; if you cannot, disable the services, which shuts it up on 1809. Go advanced if you want to, but be prepared for stuff to break.
 