Manage and Disable Windows Defender Using PowerShell

Windows Defender Antivirus is the built-in antimalware program in Windows. Windows Defender is installed by default on all Windows operating systems to protect from viruses, worms, Trojans, and other types of malicious software. Windows Defender is productive enough and has low system requirements. It can be updated online from the Microsoft website or an internal WSUS server. This allows you to use it not only on home computers but also on SMB and enterprise networks. In this article, we will take a closer look at how to manage different settings and enable/disable Windows Defender using PowerShell.

Managing Windows Defender Using PowerShell

The main advantage of the Defender is that it is easy to use, it’s already pre-installed in Windows 10 and 11, enabled by default, and practically doesn’t need manual configuration.

disable windows defender powershell

In Windows 11, all Windows Defender features are available in the modern Settings panel through the Windows Security app (you can open it via Settings > Update & Security > Windows Security or by using the quick access UTI command ms-settings:windowsdefender).

enable windows defender powershell

To manage Windows Defender from the Windows Security GUI, you must have the Microsoft.SecHealthU UWP app installed on your computer. Check UWP application status using PowerShell:

Get-AppxPackage Microsoft.SecHealthUI -AllUsers|select Name, Status

powershell disable windows defender

Tip. At the moment, Windows Defender is a part of the only desktop Windows OS and not available in the current versions of Windows Server. Although, in the latest Windows Server 2016/2019, Windows Defender can be installed as an additional server feature using the command:

Install-WindowsFeature-Name Windows-Server-Antimalware

In most cases, Windows Defender works well with the default settings, but sometimes the user needs to change its behavior. A large number of settings available from the PowerShell console: through a built-in module Defender. It appeared first time in PowerShell 4.0 and was designed specifically for Windows Defender management. This module contains 11 cmdlets, which we are reviewing today.

To display a list of cmdlets contained in the Defender module, run the following command:

Get-Command -Module Defender

uninstall windows defender windows 10 powershell

  • Add-MpPreference — used to change Windows Defender settings;
  • Get-MpComputerStatus — allows you to get the status of anti-virus software on your computer;
  • Get-MpPreference — used to get Windows Defender scan and update options;
  • Get-MpThreat — view the history of detected threats on your computer;
  • Get-MpThreatCatalog — allows you to get known threats from the definitions directory;
  • Get-MpThreatDetection — displays a list of active and recent threats detected on the computer;
  • Remove-MpPreference — allows you to remove Windows Defender settings or exceptions;
  • Remove-MpThreat — allows you to remove active threats from your computer;
  • Set-MpPreference — used to change scan and update options;
  • Start-MpScan — runs a computer scan;
  • Update-MpSignature — anti-virus definition database update;
  • Start-MpWDOScan — runs a Windows Defender offline scan;

To get full help on a specific cmdlet of the Defender module, use the Get-Help command:

Get-Help Start-MpScan –Full

If you need only examples of PowerShell commands, run:

Get-Help Add-MpPreference -Examples

How to Check if Windows Defender is Running?

Before using PowerShell cmdlets to control Windows Defender, it is advisable to check if the service is running. You can use the following PowerShell command to check the service state of Microsoft Defender Antivirus Service (WinDefend), Windows Security Service (SecurityHealthService), and Security Center (wscsvc):

Get-Service Windefend, SecurityHealthService, wscsvc| Select Name,DisplayName, Status

disable defender powershell

Get-MpComputerStatus allows you to display the current status of Windows Defender: enabled options, virus definition date and version, last scan time, and others.

powershell disable defender

AMEngineVersion : 1.1.19000.8

AMProductVersion : 4.18.2202.4

AMRunningMode : Normal

AMServiceEnabled : True

AMServiceVersion : 4.18.2202.4

AntispywareEnabled : True

AntispywareSignatureAge : 0

AntispywareSignatureLastUpdated : 3/24/2022 10:07:00 PM

AntispywareSignatureVersion : 1.361.711.0

AntivirusEnabled : True

AntivirusSignatureAge : 0

AntivirusSignatureLastUpdated : 3/24/2022 10:07:00 PM

AntivirusSignatureVersion : 1.361.711.0

BehaviorMonitorEnabled : True

ComputerID : 3DA6BCF53-D12A-2A2E-BA21-FE9C54C1092D

ComputerState : 0

DefenderSignaturesOutOfDate : False

DeviceControlDefaultEnforcement : Unknown

DeviceControlPoliciesLastUpdated : 3/22/2022 7:26:44 AM

DeviceControlState : Disabled

FullScanAge : 4294967295

FullScanEndTime :

FullScanOverdue : False

FullScanRequired : False

FullScanSignatureVersion :

FullScanStartTime :

IoavProtectionEnabled : True

IsTamperProtected : True

IsVirtualMachine : False

LastFullScanSource : 0

LastQuickScanSource : 2

NISEnabled : True

NISEngineVersion : 1.1.19000.8

NISSignatureAge : 0

NISSignatureLastUpdated : 3/24/2022 10:07:00 PM

NISSignatureVersion : 1.361.711.0

OnAccessProtectionEnabled : True

ProductStatus : 524288

QuickScanAge : 2

QuickScanEndTime : 3/22/2022 7:28:21 AM

QuickScanOverdue : False

QuickScanSignatureVersion : 1.361.478.0

QuickScanStartTime : 3/22/2022 7:26:43 AM

RealTimeProtectionEnabled : True

RealTimeScanDirection : 0

RebootRequired : False

TamperProtectionSource : Signatures

TDTMode : N/A

TDTStatus : N/A

TDTTelemetry : N/A

PSComputerName :

To quickly check if Windows Defender is running on your computer and find out the last antivirus definition update date, run the following PowerShell command:

Get-MpComputerStatus | Select-Object -Property Antivirusenabled,AMServiceEnabled,AntispywareEnabled,BehaviorMonitorEnabled,IoavProtectionEnabled,NISEnabled,OnAccessProtectionEnabled,RealTimeProtectionEnabled,AntivirusSignatureLastUpdated

powershell enable windows defender

To display current Windows Defender settings, you can use cmdlet Get-MpPreference. To change the settings, use the Set-MpPreference.

In the Windows Defender settings, the IPS, removable disk check, email, and some other checks are disabled by default. For example, you need to enable the scanning of removable drives. Let’s get the current settings using the command:

Get-MpPreference | fl disable*

In Windows 11 the following Windows Defender features are disabled by default:

  • DisableCatchupFullScan.
  • DisableCatchupQuickScan.
  • DisableCpuThrottleOnIdleScans.
  • DisableEmailScanning.
  • DisableRemovableDriveScanning.
  • DisableRestorePoint.
  • DisableScanningMappedNetworkDrivesForFullScan.
  • EnableFileHashComputation.
  • EnableFullScanOnBatteryPower.
  • EnableLowCpuPriority.

As you can see, scanning of removable drives is disabled (DisableRemovableDriveScanning = True). Turn it on using the following command:

Set-MpPreference -DisableRemovableDriveScanning $false

remove windows defender windows 10 powershell

Also, you can disable some types of Windows Defender scanning. By defaults, Windows Defender scans the archive files (RAR, ZIP, CAB), which can potentially contain malicious files. You can disable archive files scanning using the command:

Set-MpPreference -DisableArchiveScanning $True

powershell disable antivirus .

Make sure the new setting is applied:

Get-MpPreference|select DisableArchiveScanning

check if windows defender is running powershell

After that, the Windows Defender will stop scanning all opened archive files in real-time.

Also, to change or remove the antivirus exclusion settings, you can use the Add-MpPreference and Remove-MpPreference cmdlets. For example, let’s add some folder paths to the antivirus exclusions:

Add-MpPreference -ExclusionPath C:\Video, C:\install

Display a list of path exceptions for Windows Defender:

Get-MpPreference | fl excl*

To exclude anti-virus scanning of certain processes, run the following command:

Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"

To remove an exception for a specific folder:

Remove-MpPreference -ExclusionPath C:\install

turn on windows defender powershell

Windows Defender has a hidden function to protect against unwanted programs (Potentially Unwanted Program — PUP, Potentially Unwanted Application — PUA). By default, it is accessible only in Windows 10/11 Enterprise edition, but with the help of the following command you can enable PUP/PUA protection in any Windows 10 edition:

Set-MpPreference -PUAProtection 1

After you turn on protection, when you try to launch or install potentially unwanted programs on your computer, you will receive the following notification from Defender in Windows 10.

Windows Defender took action

Your settings caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device.

disable windows defender windows 10 powershell

Use PowerShell to Update Windows Defender Signatures

To start the antivirus signature update, you can use the command Update-MpSignature. By default, the Windows Defender receives updates from online Microsoft Update Servers. You can use the UpdateSource argument to specify where you want to receive the virus definition updates from.

The following virus definition sources are available:

  • MicrosoftUpdateServer;
  • MMPC Microsoft Malware Protection Center;
  • FileShares;
  • InternalDefinitionUpdateServer — internal WSUS server.

To update antivirus from a network shared folder on a Windows file server you need to download the necessary definition update files and place them into a shared network folder. Then you have to specify that Windows Defender should be updated from a file share source (use UNC path):

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\DESKTOP-V20E3PO\Updates

To run virus update and malware definitions manually:

Update-MpSignature -UpdateSource FileShares

Update-MpSignature

powershell turn off windows defender

In some cases, after receiving an incorrect update, Windows Defender may not work correctly. In this case, it is recommended to reset the current thread definition databases and reload them from source:

"%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" -RemoveDefinitions -All

"%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" –SignatureUpdate

How to Perform Virus Scan with Microsoft Defender?

To perform an antivirus scanning of your computer, use the Start-MpScan cmdlet. With the ScanType argument, you can choose one of three scan modes:

  • FullScan — scan is performed for all files on your computer, as well as the system registry and currently running apps;
  • QuickScan — analysis of only those areas that are most likely may be infected by malware (registry, active RAM, system folders);
  • CustomScan — user selects the folders and drives to scan.

For example, run a custom scan to check the system folder “C:\Program Files”:

Start-MpScan -ScanType CustomScan -ScanPath ”C:\Program Files”

remove windows defender powershell windows 10

You can perform a full computer scan by Windows Defender using the command:

Start-MpScan -ScanType FullScan

Or quick threats scan:

Start-MpScan -ScanType QuickScan

To remove all active threat on your computer, use the command:

Remove-MpThreat

All Defender module cmdlets can be performed both for the local and remote computers. To connect to a remote computer, you need to use the CimSession option. For example, to get the date of the last scan from the remote computer with hostname lnd_wks21, run the following commands (WinRM must be enabled):

$session = NewCimSession -ComputerName lnd_wks21

Get-MpComputerStatus -CimSession $session | fl fullscan*

You can use the Start-MpWDOScan cmdlet to perform an offline scan with Windows Defender.

After executing this command, your operating system will automatically reboot. Windows Defender will start in a special boot environment and scan your device for threats before your Windows boots.

install windows defender powershell

How to Disable and Remove Windows Defender using PowerShell?

If you want to disable Defender real-time protection:

Set-MpPreference -DisableRealtimeMonitoring $true

To completely disable Windows Defender on a computer, use the command:

New-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender” -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force

windows defender disable powershell

On Windows client-based operating system (like Windows 10/Windows 8.1) you cannot completely uninstall the Windows Defender feature. The only available option is to disable it using the registry key DisableAntiSpyware = 1 or using the Local Group Policy Editor.

  1. Run the gpedit.msc console;
  2. Go to the following GPO section: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus;
  3. Find the parameter named Turn off Windows Defender Antivirus on the right pane;
  4. Change its value to Enabled;
    disable windows defender using powershell
  5. In the same way disable the following Group Policy setting in the Real-time Protection section: Turn off real time protection = Disabled;
  6. To apply new settings, update local Group Policy settings on a computer using the command:
    gpupdate /force

In Windows 11, before disabling Windows Defender through the registry or a GPO, you must manually disable the Tamper Protection feature. Tamper Protection prevents changes to Windows Defender security features via PowerShell, registry settings, and/or Group Policy options. Tamper Protection is enabled in Windows 11 by default. You can check this option state using PowerShell:

Get-MpComputerStatus | select IsTamperProtected

You can only disable it using the Windows Security app. Go to “Virus & Threat Protection” > click “Manage Settings” > scroll down to “Tamper Protection” and move the slider to the “Off” position.

powershell command to disable windows defender

Confirm this action at the UAC prompt. Note that the following message has appeared:

Tamper protection is off. Your device may be vulnerable.

disable antivirus powershell

You can uninstall Windows Defender on Windows Server 2016\2019 using PowerShell. Just run the following command in the elevated PowerShell session:

Uninstall-WindowsFeature -Name Windows-Defender –whatif

Or use the DISM tool:

Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet

How to Reset Windows Defender to Default?

You can reset all Windows Defender settings using the Windows Security App.

  1. Press the Start button and type: Windows Security;
  2. Select the App settings;
    restart windows defender service powershell
  3. Scroll down to the Reset button and click on it;
  4. The following warning will appear: “This will permanently delete the app’s data on this device, including your preferences and sign-in details”. Confirm it by pressing the Reset button.

enable defender powershell

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Latest posts by Cyril Kardashevsky (see all)

4 comments

  1. The powershell command below produces an error that “New-ItemProperty : Cannot find path ‘HKLM:\SOFTWAREPoliciesMicrosoftWindows Defender’ because it does not exist.”

    New-ItemProperty -Path “HKLM:SOFTWAREPoliciesMicrosoftWindows Defender” -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force

  2. Thanks for the info! But some questions.

    I had SentinelOne on a win 10 pro PC. I did an uninstall of sentinelone. From what I was told, S1 on install disables windows defender. And after uninstall, it doesn’t turn it back on?

    So after the S1 uninstall, In services, I have a windows defender advanced threat protection. It is set to manual and is NOT running

    I have a windows defender firewall also listed. That’s atuomatic and running.

    I don’t have a ‘windows defender’

    When I ran your script

    Get-MpComputerStatus | Select-Object -Property Antivirusenabled,AMServiceEnabled,AntispywareEnabled,BehaviorMonitorEnabled,IoavProtectionEnabled,NISEnabled,OnAccessProtectionEnabled,RealTimeProtectionEnabled,AntivirusSignatureLastUpdated

    I get

    Antivirusenabled : True
    AMServiceEnabled : True
    AntispywareEnabled : True
    BehaviorMonitorEnabled : True
    IoavProtectionEnabled : True
    NISEnabled : True
    OnAccessProtectionEnabled : True
    RealTimeProtectionEnabled : True

    AntivirusSignatureLastUpdated : 12/30/2020 5:23:43 AM

    But in services, again, that Defender ATP service is manual / not running.

    Are there 2 Windows defenders these days? (I am not paying extra for windows defender ATP).

    What’s the right way to change the correct windows defender to automatic start and start it?

    HAPPY NEW YEAR!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.