How to Disable, Enable, and Manage Microsoft Defender Using PowerShell?

929

Microsoft Defender Antivirus is the built-in antimalware program in Windows. Microsoft Defender (previously called Windows Defender) is installed by default on all Windows operating systems to protect against viruses, worms, Trojans, and other types of malicious software. Microsoft Defender is productive enough and has low system requirements. It can be updated online from the Microsoft website or an internal WSUS server. You can use Windows Defender not only on home computers but also on SMB and enterprise networks. In this article, we will take a closer look at how to enable/disable Microsoft Defender and manage different settings using PowerShell.

Managing Microsoft Defender Using PowerShell

The main advantage of the Defender is that it is easy to use, it’s already pre-installed in Windows 10 and 11, enabled by default, and it requires virtually no manual configuration.

On current builds of Windows 10 and 11, you should use the Windows Security app in the modern Settings panel to manage Microsoft Defender (you can open it via Settings > Update & Security > Windows Security or by using the quick access URI command ms-settings:windowsdefender).

Note. If the Windows Security app is missing, check if the Microsoft.SecHealthU UWP app is installed on your computer:

Get-AppxPackage Microsoft.SecHealthUI -AllUsers|select Name, Status

Tip. Microsoft Defender is currently part of the only Windows desktop operating system and is not available in current versions of Windows Server. However, in the latest Windows Server 2016/2019/2022, Windows Defender can be installed as an additional server feature using the command.

Install-WindowsFeature-Name Windows-Server-Antimalware

In most cases, Microsoft Defender works well with the default settings, but sometimes the user needs to change its behavior.

You can use the built-in Defender module to manage Microsoft Defender settings through PowerShell. This module contains 11 cmdlets. To view a list of the cmdlets that are included in the Defender module, use the command:

Get-Command -Module Defender

• Add-MpPreference — used to change Microsoft Defender settings;
• Get-MpComputerStatus — allows you to get the status of anti-virus software on your computer;
• Get-MpPreference — used to get Microsoft Defender scan and update options;
• Get-MpThreat — view the history of detected threats on your computer;
• Get-MpThreatCatalog — allows you to get known threats from the definitions directory;
• Get-MpThreatDetection — displays a list of active and recent threats detected on the computer;
• Remove-MpPreference — allows you to remove Microsoft Defender settings or exceptions;
• Remove-MpThreat — allows you to remove active threats from your computer;
• Set-MpPreference — used to change scan and update options;
• Start-MpScan — runs a computer scan;
• Update-MpSignature — anti-virus definition database update;
• Start-MpWDOScan — runs a Microsoft Defender offline scan;

To get full help on a specific cmdlet of the Defender module, use the Get-Help command:

Get-Help Start-MpScan –Full

If you need only examples of PowerShell commands, run:

Get-Help Add-MpPreference -Examples

How to Check if Microsoft Defender is Running?

Before using PowerShell cmdlets to control Microsoft Defender, it is a good idea to check that the service is running. You can use PowerShell to check the service status of Microsoft Defender Antivirus Service (WinDefend), Windows Security Service (SecurityHealthService), and Security Center (wscsvc):

Get-Service Windefend, SecurityHealthService, wscsvc| Select Name,DisplayName, Status

Get-MpComputerStatus allows you to display the current status of Microsoft Defender: enabled options, virus definition date and version, last scan time, and others.

To quickly check if the Windows Defender is running on your computer and find out the date of the last antivirus definition update, run the following PowerShell command:

Get-MpComputerStatus | Select-Object -Property Antivirusenabled,AMServiceEnabled,AntispywareEnabled,BehaviorMonitorEnabled,IoavProtectionEnabled,NISEnabled,OnAccessProtectionEnabled,RealTimeProtectionEnabled,IsTamperProtected,AntivirusSignatureLastUpdated

Antivirusenabled : True 
AMServiceEnabled : True 
AntispywareEnabled : True 
BehaviorMonitorEnabled : True 
IoavProtectionEnabled : True 
NISEnabled : True 
OnAccessProtectionEnabled : True 
RealTimeProtectionEnabled : True 
IsTamperProtected : True 
AntivirusSignatureLastUpdated : 4/20/2023 4:32:02 AM

Note. Microsoft Defender is automatically disabled if a third-party certified anti-virus program is installed on your computer.

How to Disable or Enable Windows Defender Protection using PowerShell?

Sometimes you may need to temporarily pause Microsoft Defender protection. In most cases, it is sufficient to disable the Real-Time Protection module.

How to Suspend the Microsoft Defender Antivirus Protection?

You can disable Microsoft Defender real-time protection using the following PowerShell command:

Set-MpPreference -DisableRealtimeMonitoring $true

Disable cloud-based protection:

Set-MpPreference -MAPSReporting 0​

This suspends anti-virus protection in Windows for a while (until the next restart).

How to Disable Defender Tamper Protection?

However, this command will not work on modern builds of Windows 10 or 11 (22H2, 22H2, 21H2). Modern Microsoft Defender has a new security feature that blocks changes to Windows Defender security features through PowerShell, registry settings, and/or Group Policy options.

Tamper Protection is enabled in Windows 11 and 10 by default. You can check this option state using PowerShell:

Get-MpComputerStatus | select IsTamperProtected

You can only disable the tamper protection from the Windows Security GUI app. Go to “Virus & Threat Protection” > click “Manage Settings” > scroll down to “Tamper Protection” and move the slider to the “Off” position.

Confirm this action at the UAC prompt. Note that the following message has appeared:

Tamper protection is off. Your device may be vulnerable.

Now you can disable Microsoft Defender real-time protection with PowerShell:

Set-MpPreference -DisableRealtimeMonitoring $true

To restore real-time protection, run:

Set-MpPreference -DisableRealtimeMonitoring $false

Turn on cloud-delivered protection:

Set-MpPreference -MAPSReporting 2​

If you want to completely disable Tamper Protection in Microsoft Defender, you need to change the following items under the registry key HKLM\SOFTWARE\Microsoft\Windows Defender\Features:

• TamperProtection = 4
• TamperProtectionSource = 2
• SenseDevMode = 0

You will need to make these changes with the NT Service\TrustedInstaller permissions.

Hint. You can use the following third-party tools to run under the TrustedInstaller account: Advanced Run by NirSoft or ExecTI.

Uninstall Windows Defender on Windows Server 2022/2019 using PowerShell

You can uninstall Windows Defender on Windows Server 2016\2019\2022 using PowerShell. First, stop the real-time protection and run the following command in the elevated PowerShell session:

Uninstall-WindowsFeature -Name Windows-Defender

Or use the DISM tool:

Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet

Permanently Turn Off Microsoft Defender on Windows 11 or 10

You cannot completely uninstall the Microsoft Defender feature from your computer running desktop Windows edition. However, you can try to completely disable Windows Defender on a computer by using the DisableAntiSpyware = 1 registry key or by using the Local Group Policy Editor.

New-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender” -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force

Or:

1. Run the gpedit.msc console;
2. Go to the following GPO section: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus;
3. Find the parameter named Turn off Windows Defender Antivirus on the right pane;
4. Change its value to Enabled;
   
5. In the same way disable the following Group Policy setting in the Real-time Protection section: Turn off real time protection = Disabled;
6. To apply new settings, update local Group Policy settings on a computer using the gpupdate command:

   gpupdate /force

   However, this won’t work in modern Windows 10 and 11 builds. The only way to completely disable Microsoft Defender is to restart your computer in Safe Mode and prevent the Defender services from starting.

7. To restart your computer in safe mode, run the following commands:

   bcdedit /set {current} safeboot minimal

   reboot /r

8. Once you have booted into safe mode, open the registry editor (regedit.exe);
9. Then open the following registry keys one after the other and change the value of the Start registry entry to 4 in each row:

Registry key	Parameter	Default Value	New value (disable defender)
HKLM\SYSTEM\CurrentControlSet\Services\Sense\	Start	3	4
HKLM\SYSTEM\CurrentControlSet\Services\WdBoot\	Start	0	4
HKLM\SYSTEM\CurrentControlSet\Services\WdFilter\	Start	0	4
HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv\	Start	3	4
HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc\	Start	3	4
HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\	Start	2	4

To cancel booting into the safe mode, run the following command:

bcdedit /deletevalue {current} safeboot

Then restart Windows. Sign into Windows with your account and check that Microsoft Defender is now disabled.

Change Microsoft Defender Setting with PowerShell

You can use PowerShell to change Microsoft Defender antivirus settings. To display current Windows Defender settings, you can use the cmdlet Get-MpPreference. To change the settings, use the Set-MpPreference.

In the Windows Defender settings, the IPS, removable disk check, email, and some other checks are disabled by default. For example, you need to enable the scanning of removable drives. Let’s get the current settings using the command:

Get-MpPreference | fl disable*

In Windows 11 the following Windows Defender features are disabled by default:

• DisableCatchupFullScan.
• DisableCatchupQuickScan.
• DisableCpuThrottleOnIdleScans.
• DisableEmailScanning.
• DisableRemovableDriveScanning.
• DisableRestorePoint.
• DisableScanningMappedNetworkDrivesForFullScan.
• EnableFileHashComputation.
• EnableFullScanOnBatteryPower.
• EnableLowCpuPriority.

As you can see, the scanning of removable drives is disabled (DisableRemovableDriveScanning = True). Turn it on using the following command:

Set-MpPreference -DisableRemovableDriveScanning $false

Also, you can disable some types of Windows Defender scanning. By default, Windows Defender scans the archive files (RAR, ZIP, CAB), which can potentially contain malicious files. You can disable archive files scanning using the command:

Set-MpPreference -DisableArchiveScanning $True

Make sure the new setting is applied:

Get-MpPreference|select DisableArchiveScanning

Windows Defender will then stop scanning any open archive files in real-time.

Also, to change or remove the antivirus exclusion settings, you can use the Add-MpPreference and Remove-MpPreference cmdlets. For example, let’s add some folder paths to the antivirus exclusions:

Add-MpPreference -ExclusionPath C:\Video, C:\install

Display a list of path exceptions for Windows Defender:

Get-MpPreference | fl excl*

To exclude anti-virus scanning of certain processes, run the following command:

Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"

To remove an exception for a specific folder:

Remove-MpPreference -ExclusionPath C:\install

Windows Defender has a hidden function to protect against unwanted programs (Potentially Unwanted Program — PUP, Potentially Unwanted Application — PUA). By default, it is accessible only in Windows 10/11 Enterprise edition, but with the help of the following command you can enable PUP/PUA protection in any Windows 10 edition:

Set-MpPreference -PUAProtection 1

After you turn on protection, when you try to launch or install potentially unwanted programs on your computer, you will receive the following notification from Defender in Windows 10.

Windows Defender took action

Your settings caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device.

Updating Microsoft Defender Signatures with PowerShell

You can use the Update-MpSignature command to update the antivirus signature database on your computer.

By default, the Windows Defender receives updates from online Microsoft Update Servers. You can use the UpdateSource argument to specify where you want to receive the virus definition updates from.

The following virus definition sources are available:

• MicrosoftUpdateServer;
• MMPC Microsoft Malware Protection Center;
• SMB File Shares;
• InternalDefinitionUpdateServer — internal WSUS server.

To update antivirus from a network shared folder on a Windows file server you need to download the necessary definition update files and place them into a shared network folder. Then you have to specify that Windows Defender should be updated from a file share source (use UNC path):

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\DESKTOP-V20E3PO\Updates

To run virus updates and malware definitions manually:

Update-MpSignature -UpdateSource FileShares

Update-MpSignature

In some cases, after receiving an incorrect update, Microsoft Defender may not work correctly. In this case, it is recommended to reset the current thread definition databases and reload them from the source:

"%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" -RemoveDefinitions -All

"%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" –SignatureUpdate

Microsoft Defender: Scan for Malware with PowerShell

To perform an antivirus scanning of your computer, use the Start-MpScan cmdlet. With the ScanType argument, you can choose one of three scan modes:

• FullScan — scan is performed for all files on your computer, as well as the system registry and currently running apps;
• QuickScan — analysis of only those areas that are most likely may be infected by malware (registry, active RAM, system folders);
• CustomScan — user selects the folders and drives to scan.

For example, run a custom scan to check the system folder “C:\Program Files”:

Start-MpScan -ScanType CustomScan -ScanPath ”C:\Program Files”

You can perform a full computer scan by Microsoft Defender using the command:

Start-MpScan -ScanType FullScan

Or quick threats scan:

Start-MpScan -ScanType QuickScan

To remove all active threats on your computer, use the command:

Remove-MpThreat

All Defender module cmdlets can be performed both for the local and remote computers. To connect to a remote computer, you need to use the CimSession option. For example, to get the date of the last scan from the remote computer with hostname lnd_wks21, run the following commands (WinRM must be enabled):

$session = NewCimSession -ComputerName lnd_wks21

Get-MpComputerStatus -CimSession $session | fl fullscan*

You can use the Start-MpWDOScan cmdlet to perform an offline scan with Windows Defender.

After executing this command, your operating system will automatically reboot. Windows Defender will start in a special boot environment and scan your device for threats before your Windows boots.

How to Reset Microsoft Defender to Default?

You can reset all Windows Defender settings using the Windows Security App.

1. Press the Start button and type: Windows Security;
2. Select the App settings;
   
3. Scroll down to the Reset button and click on it;
4. The following warning will appear: “This will permanently delete the app’s data on this device, including your preferences and sign-in details”. Confirm it by pressing the Reset button.