Users can manage the built-in Microsoft Defender Antivirus from the Windows Security app GUI or from the PowerShell command line. In this article, we will look at how to enable/disable Microsoft Defender on Windows, how to manage its settings, and how to scan the computer for threats using PowerShell.
Managing Microsoft Defender Using PowerShell
The Windows Security app is the main graphical management tool for Microsoft Defender in Windows 10 and 11. You can open it via Settings > Update & Security > Windows Security (Settings > Privacy & security > Windows Security on Windows 11) or by running the quick access URI ms-settings:windowsdefender.
Tip. Microsoft Defender Antivirus is included and enabled by default on Windows Server 2016 and later (the GUI component is optional on Server 2016). If the feature has been removed, you can reinstall it with the command:
Install-WindowsFeature -Name Windows-Defender
The built-in PowerShell Defender module allows you to manage Microsoft Defender settings from within PowerShell. You can list the available cmdlets in this module as follows:
Get-Command -Module Defender
- Add-MpPreference — used to change Microsoft Defender settings;
- Get-MpComputerStatus — allows you to get the status of antimalware software on your computer;
- Get-MpPreference — used to list Microsoft Defender scan and update configuration;
- Get-MpThreat — view the history of threats detected on a computer;
- Get-MpThreatCatalog — allows you to get known threats from the Windows Defender definitions catalog;
- Get-MpThreatDetection — displays a list of active and past threats detected on the computer;
- Remove-MpPreference — allows you to remove Microsoft Defender settings or exclusions;
- Remove-MpThreat — allows you to remove active threats from your computer;
- Set-MpPreference — used to change scan and update options;
- Start-MpScan — runs a computer scan;
- Update-MpSignature — updates anti-virus definition database;
- Start-MpWDOScan — runs a Microsoft Defender offline scan;
You can get help about a specific cmdlet from the Defender module:
Get-Help Start-MpScan -Full
Or only list examples:
Get-Help Add-MpPreference -Examples
How to Check if Microsoft Defender is Running
Make sure that the service is running before you use PowerShell cmdlets to control Microsoft Defender. Check the following service statuses on your computer: Microsoft Defender Antivirus Service (WinDefend), Windows Security Service (SecurityHealthService), and Security Center (wscsvc):
Get-Service WinDefend, SecurityHealthService, wscsvc | Select-Object Name, DisplayName, Status
Get-MpComputerStatus displays the current status of Microsoft Defender: enabled protection components, virus definition version and date, engine version, last scan times, and so on.
To quickly check if the Windows Defender is enabled on your computer and find out when the antivirus definition was last updated:
Get-MpComputerStatus | Select-Object -Property Antivirusenabled,AMServiceEnabled,AntispywareEnabled,BehaviorMonitorEnabled,IoavProtectionEnabled,NISEnabled,OnAccessProtectionEnabled,RealTimeProtectionEnabled,IsTamperProtected,AntivirusSignatureLastUpdated
Antivirusenabled : True
AMServiceEnabled : True
AntispywareEnabled : True
BehaviorMonitorEnabled : True
IoavProtectionEnabled : True
NISEnabled : True
OnAccessProtectionEnabled : True
RealTimeProtectionEnabled : True
IsTamperProtected : True
AntivirusSignatureLastUpdated : 4/20/2023 4:32:02 AM
Note. If a certified third-party antivirus product is installed and registered with the Windows Security Center, Microsoft Defender Antivirus disables itself automatically, and the protection properties above are reported as False.
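The following function is an added example (not part of the original article) that turns the status check above into a reusable health check: it verifies the three services, the protection components and the signature age, and returns an object that can be used in a scheduled task or a monitoring script. The three-day staleness threshold is an assumption.

```powershell
# Added example: Defender health check built on Get-Service and Get-MpComputerStatus.
function Test-DefenderHealth {
    [CmdletBinding()]
    param(
        # Signatures older than this many days are reported as stale (assumed threshold)
        [int]$MaxSignatureAgeDays = 3
    )

    # Wrap in @() so a missing service never yields $null in the pipeline
    $services = @(Get-Service -Name WinDefend, SecurityHealthService, wscsvc -ErrorAction SilentlyContinue)
    $stoppedServices = @($services | Where-Object Status -ne 'Running' | Select-Object -ExpandProperty Name)

    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # WinDefend is not running, or Defender is disabled by a third-party AV
        return [pscustomobject]@{
            Healthy          = $false
            Problems         = @("Get-MpComputerStatus failed: $($_.Exception.Message)")
            SignatureAgeDays = $null
            LastQuickScan    = $null
            LastFullScan     = $null
            StoppedServices  = $stoppedServices
        }
    }

    $problems = New-Object System.Collections.Generic.List[string]
    if ($stoppedServices.Count -gt 0)           { $problems.Add("Services not running: $($stoppedServices -join ', ')") }
    if (-not $status.AntivirusEnabled)          { $problems.Add('Antivirus engine disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $problems.Add('Real-time protection off') }
    if (-not $status.BehaviorMonitorEnabled)    { $problems.Add('Behavior monitoring off') }
    if (-not $status.IsTamperProtected)         { $problems.Add('Tamper protection off') }

    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $problems.Add("Signatures are $([int]$sigAge.TotalDays) days old (version $($status.AntivirusSignatureVersion))")
    }

    [pscustomobject]@{
        Healthy          = ($problems.Count -eq 0)
        Problems         = $problems.ToArray()
        SignatureAgeDays = [math]::Round($sigAge.TotalDays, 1)
        LastQuickScan    = $status.QuickScanEndTime
        LastFullScan     = $status.FullScanEndTime
        StoppedServices  = $stoppedServices
    }
}

# Usage: print the report; a scheduled task can test $health.Healthy and raise an alert
$health = Test-DefenderHealth
$health | Format-List
```

Healthy is only true when every check passes, so a single boolean is enough to alert on; the Problems list tells you which component to look at first.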
How to Disable or Enable Windows Defender Protection using PowerShell
Sometimes you may need to temporarily pause Microsoft Defender protection. In most cases, it is sufficient to disable the Real-Time Protection module.
How to Suspend the Microsoft Defender Antivirus Protection?
You can disable Microsoft Defender real-time protection as follows:
Set-MpPreference -DisableRealtimeMonitoring $true
Disable cloud-based protection:
Set-MpPreference -MAPSReporting 0
This suspends real-time and cloud-delivered protection. Real-time protection is turned back on after the next restart (and current builds re-enable it on their own after a while), so this is a temporary pause, not a permanent change. If tamper protection is on, both commands are ignored (see the next section), so always read the setting back with Get-MpComputerStatus instead of assuming the change was applied.
How to Disable Defender Tamper Protection?
Because of the Tamper Protection security feature, which prevents Defender protection from being switched off, this command does not work on current Windows 10 and 11 builds (21H2, 22H2 and later). Tamper protection is enabled by default and blocks changes to Defender security features made through PowerShell, the registry, or local Group Policy.
Check the Tamper Protection state:
Get-MpComputerStatus | select IsTamperProtected
Tamper protection can only be turned off from the Windows Security GUI app (or centrally through Intune/Microsoft Defender for Endpoint on managed devices). Go to “Virus & threat protection” > click “Manage settings” > scroll down to “Tamper Protection” and move the slider to the “Off” position.
Confirm the action at the UAC prompt. The following message then appears:
Tamper protection is off. Your device may be vulnerable.
Now you can disable Microsoft Defender real-time protection with PowerShell:
Set-MpPreference -DisableRealtimeMonitoring $true
To restore real-time protection, run:
Set-MpPreference -DisableRealtimeMonitoring $false
Turn on cloud-delivered protection:
Set-MpPreference -MAPSReporting 2
If you want to turn off Tamper Protection without the GUI (this is unsupported, and the key itself is protected, which is why the change must be made as TrustedInstaller), you need to change the following values under the registry key HKLM\SOFTWARE\Microsoft\Windows Defender\Features:
- TamperProtection = 4
- TamperProtectionSource = 2
- SenseDevMode = 0
You will need to make these changes with the NT Service\TrustedInstaller permissions.
Hint. You can use the following third-party tools to run under the TrustedInstaller account: Advanced Run by NirSoft or ExecTI.
Uninstall Windows Defender on Windows Server 2022/2019 using PowerShell
You can uninstall Windows Defender on Windows Server 2016/2019/2022 using PowerShell. First, stop real-time protection, then run the following command in an elevated PowerShell session:
Uninstall-WindowsFeature -Name Windows-Defender
Or use the DISM tool:
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
Permanently Turn Off Microsoft Defender on Windows 11 or 10
You cannot uninstall the Microsoft Defender feature from a computer running a desktop Windows edition. Older builds could be fully disabled with the DisableAntiSpyware = 1 registry value (or the matching setting in the Local Group Policy Editor), which Microsoft has since deprecated:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
Or:
- Run the gpedit.msc console;
- Go to the following GPO section: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus;
- Find the parameter named Turn off Windows Defender Antivirus on the right pane;
- Change its value to Enabled;
- In the same way, open the Real-time Protection subsection and set the policy Turn off real-time protection to Enabled (when enabled, this policy switches real-time protection off);
- To apply new settings, update local Group Policy settings on a computer using the gpupdate command:
gpupdate /force
However, this no longer works on modern Windows 10 and 11 builds: the DisableAntiSpyware setting is deprecated and is ignored by Defender on Windows 10 1903 and later (antimalware platform 4.18.2007.8 or newer). The remaining way to completely disable Microsoft Defender is to restart the computer in Safe Mode, where the Defender services and drivers are not running, and prevent them from starting.
- To restart your computer in Safe Mode, run the following commands from an elevated prompt:
bcdedit /set {current} safeboot minimal
shutdown /r /t 0
- Once you have booted into safe mode, open the registry editor (regedit.exe);
- Then open the following registry keys one after the other and change the Start value to 4 (disabled) in each of them:

| Registry key | Parameter | Default value | New value (disable Defender) |
|---|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Services\Sense | Start | 3 | 4 |
| HKLM\SYSTEM\CurrentControlSet\Services\WdBoot | Start | 0 | 4 |
| HKLM\SYSTEM\CurrentControlSet\Services\WdFilter | Start | 0 | 4 |
| HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv | Start | 3 | 4 |
| HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc | Start | 3 | 4 |
| HKLM\SYSTEM\CurrentControlSet\Services\WinDefend | Start | 2 | 4 |
Now turn off the Safe Mode Boot option and restart Windows:
bcdedit /deletevalue {current} safeboot
Sign into Windows with your account and check that Microsoft Defender is now disabled.
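The same table is useful in the opposite direction: the Start values of these services are one of the first things malware and intruders change to switch Defender off. The following script is an added example (not part of the original article) that audits the six services against the defaults from the table above and, with -Restore, puts the defaults back. The defaults are the ones the table lists.

```powershell
# Added example: audit (and optionally restore) the start type of the Defender services.
# Defaults taken from the table in the article.
$DefenderServiceDefaults = @{
    Sense     = 3
    WdBoot    = 0
    WdFilter  = 0
    WdNisDrv  = 3
    WdNisSvc  = 3
    WinDefend = 2
}

function Get-DefenderServiceStartAudit {
    foreach ($name in $DefenderServiceDefaults.Keys) {
        $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $current = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        [pscustomobject]@{
            Service  = $name
            Expected = $DefenderServiceDefaults[$name]
            Current  = $current
            Disabled = ($current -eq 4)
            # A missing key or any non-default value is reported as tampered
            Tampered = ($null -eq $current -or $current -ne $DefenderServiceDefaults[$name])
        }
    }
}

function Restore-DefenderServiceStart {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($entry in (Get-DefenderServiceStartAudit | Where-Object Tampered)) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($entry.Service)"
        if ($PSCmdlet.ShouldProcess($key, "Set Start = $($entry.Expected)")) {
            # Some of these keys are ACL-protected; if this fails with access denied,
            # rerun it from Safe Mode as described above
            Set-ItemProperty -Path $key -Name Start -Value $entry.Expected -Type DWord
        }
    }
}

# Usage: show the audit; run Restore-DefenderServiceStart -WhatIf to preview a fix
Get-DefenderServiceStartAudit | Sort-Object Tampered -Descending | Format-Table -AutoSize
```

Run the audit as part of incident triage: a Start value of 4 on WdFilter or WinDefend on a machine that should be protected is a strong signal that someone disabled Defender deliberately, and the same script then restores the defaults before the reboot.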
Change Microsoft Defender Settings with PowerShell
You can change Microsoft Defender antivirus settings using the Set-MpPreference cmdlet; most options are switches that turn a feature on or off. For example, the following features are turned off by default (the corresponding Disable* preferences are $true and the Enable* preferences are $false in the Get-MpPreference output):
- DisableCatchupFullScan.
- DisableCatchupQuickScan.
- DisableCpuThrottleOnIdleScans.
- DisableEmailScanning.
- DisableRemovableDriveScanning.
- DisableRestorePoint.
- DisableScanningMappedNetworkDrivesForFullScan.
- EnableFileHashComputation.
- EnableFullScanOnBatteryPower.
- EnableLowCpuPriority.
You can enable automatic scanning of removable drives:
Set-MpPreference -DisableRemovableDriveScanning $false
By default, Windows Defender scans archive files (RAR, ZIP, CAB) that may contain malicious files. You can disable scanning of archive files using the command below; note that malware delivered inside an archive will then only be caught once it is extracted:
Set-MpPreference -DisableArchiveScanning $True
Make sure that the new setting is applied:
Get-MpPreference | Select-Object DisableArchiveScanning
Microsoft Defender allows you to add some paths to the antivirus exclusions. For example:
Add-MpPreference -ExclusionPath C:\Video, C:\install
View a list of path exclusions for Windows Defender:
Get-MpPreference | fl excl*
To remove a folder exclusion:
Remove-MpPreference -ExclusionPath C:\install
You can exclude some processes from real-time antivirus scanning:
Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
In this case, Microsoft Defender antivirus will not scan any of the files that are opened by these processes (the process executable itself is still scanned). Note the difference between the two cmdlets: Set-MpPreference replaces the whole exclusion list with the values you pass, while Add-MpPreference appends to the existing list.
You can exclude file extensions from Windows Defender scans. Entries are extensions, not wildcard patterns:
Set-MpPreference -ExclusionExtension ".mp3", ".mp4", ".wav", ".edb"
You can use wildcards and environment variables in path and process exclusion lists:
Set-MpPreference -ExclusionProcess "c:\ps\*", "%ALLUSERSPROFILE%\*"
Only system-wide environment variables (such as %ALLUSERSPROFILE%, %ProgramFiles%, %windir%) are supported, and they are expanded in the context of the SYSTEM account, so user-specific variables such as %USERPROFILE% do not work in exclusions.
You can use the following script to quickly remove all configured Windows Defender exclusions:
$Paths = (Get-MpPreference).ExclusionPath
foreach ($Path in $Paths) { Remove-MpPreference -ExclusionPath $Path }
$Extensions = (Get-MpPreference).ExclusionExtension
foreach ($Extension in $Extensions) { Remove-MpPreference -ExclusionExtension $Extension }
$Processes = (Get-MpPreference).ExclusionProcess
foreach ($Process in $Processes) { Remove-MpPreference -ExclusionProcess $Process }
Windows Defender can also block potentially unwanted applications (Potentially Unwanted Program — PUP, Potentially Unwanted Application — PUA). In older Windows 10 builds this option had no GUI and was documented only for Enterprise editions, but it can be enabled in any Windows edition with PowerShell (0 = Disabled, 1 = Enabled, 2 = AuditMode, which only logs detections without blocking):
Set-MpPreference -PUAProtection 1
After you turn on this protection, you will receive the following Defender notification when you try to run or install potentially unwanted programs on your computer:
Windows Defender took action
Your settings caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device.
You can hide the Windows Defender user interface (UI) with the command:
Set-MpPreference -UILockdown $true
The ‘Virus & threat protection’ section will then be hidden from the Windows Security UI.
Updating Microsoft Defender Signatures using PowerShell
To immediately update the anti-malware definition from the default source, run the command:
Update-MpSignature
By default, Windows Defender receives updates from Microsoft Update. Use the -UpdateSource parameter of Update-MpSignature to specify where to download virus definition updates from.
The following definition sources are available:
- MicrosoftUpdateServer — Microsoft Update;
- MMPC — direct download from the Microsoft Malware Protection Center;
- FileShares — SMB file shares configured with SignatureDefinitionUpdateFileSharesSources;
- InternalDefinitionUpdateServer — internal WSUS server.
You can update antivirus definitions from a shared network folder on your LAN. Download the necessary definition update files and place them into a shared folder. You can then change the default update source in Defender to a shared folder (use the UNC path):
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\DESKTOP-V20E3PO\Updates
To manually update virus and malware definitions from the share, and then from the default source:
Update-MpSignature -UpdateSource FileShares
Update-MpSignature
If Microsoft Defender stopped working correctly after receiving a bad update, you can remove the current threat definition database and download it again with the MpCmdRun.exe tool:
"%PROGRAMFILES%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
"%PROGRAMFILES%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
Scan for Malware with PowerShell
Use the Start-MpScan cmdlet to perform an antivirus scan of your computer. You can select one of three scan modes in the ScanType argument:
- FullScan — scan all files on drives, the system registry and running apps;
- QuickScan — analyses the areas most likely to be infected by malware (registry, running processes and memory, system folders);
- CustomScan — select folders and drives to scan manually.
For example, run a custom scan to check the system folder "C:\Program Files":
Start-MpScan -ScanType CustomScan -ScanPath "C:\Program Files"
You can perform a full computer scan:
Start-MpScan -ScanType FullScan
Or quick threats scan:
Start-MpScan -ScanType QuickScan
To view the threat history, use the following commands which list detected threats with details (threat status, location of infected file, severity):
Get-MpThreat
List active and past malware detections:
Get-MpThreatDetection
To remove all active threats on your computer, use the command:
Remove-MpThreat
You can use the Start-MpWDOScan cmdlet to run a Microsoft Defender Offline scan.
After running this command, the computer reboots into an isolated WinPE-based environment, Defender scans the device for threats before Windows loads, and the computer then boots back into Windows. Save your work before running it.
All Defender module cmdlets can be run against both the local and remote computers. To target a remote computer, use the -CimSession parameter. For example, to get the date of the last full scan from the remote computer with hostname lnd_wks21, run the following commands (WinRM must be enabled on the remote host):
$session = New-CimSession -ComputerName lnd_wks21
Get-MpComputerStatus -CimSession $session | fl fullscan*
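Extending the single remote query above, the following function is an added example (not part of the original article) that collects Defender status and recent detections from a list of computers over CIM sessions and returns one row per host, including unreachable ones. The host names are placeholders, the seven-day detection window is an assumption, and WinRM must be enabled on every target.

```powershell
# Added example: fleet-wide Defender status and detection report over CIM/WinRM.
function Get-DefenderFleetReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        [int]$DetectionDays = 7,          # assumed reporting window
        [pscredential]$Credential
    )

    $sessionArgs = @{ ErrorAction = 'Stop' }
    if ($Credential) { $sessionArgs.Credential = $Credential }
    $since = (Get-Date).AddDays(-$DetectionDays)

    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $computer @sessionArgs
            $status  = Get-MpComputerStatus -CimSession $session
            $threats = @(Get-MpThreatDetection -CimSession $session |
                         Where-Object { $_.InitialDetectionTime -ge $since })

            [pscustomobject]@{
                Computer      = $computer
                Reachable     = $true
                RealTime      = $status.RealTimeProtectionEnabled
                Tamper        = $status.IsTamperProtected
                SignatureAge  = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays
                LastQuickScan = $status.QuickScanEndTime
                LastFullScan  = $status.FullScanEndTime
                Detections    = $threats.Count
                # Detections where Defender's remediation action did not succeed
                Unremediated  = @($threats | Where-Object { -not $_.ActionSuccess }).Count
                Error         = $null
            }
        } catch {
            # Same schema for failed hosts so Format-Table/Export-Csv keep every column
            [pscustomobject]@{
                Computer      = $computer
                Reachable     = $false
                RealTime      = $null
                Tamper        = $null
                SignatureAge  = $null
                LastQuickScan = $null
                LastFullScan  = $null
                Detections    = $null
                Unremediated  = $null
                Error         = $_.Exception.Message
            }
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Usage: placeholder host names; pipe to Export-Csv for a ticket or a dashboard
Get-DefenderFleetReport -ComputerName 'lnd_wks21', 'lnd_wks22' | Format-Table -AutoSize
```

Hosts that are unreachable are reported rather than skipped, because a workstation that stops answering WinRM is itself worth a look, and the Unremediated column surfaces detections that still need manual clean-up with Remove-MpThreat.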
How to Reset Microsoft Defender to Default
You can reset all Windows Defender settings using the Windows Security App.
- Find the Windows Security app in Start menu;
- Select the App settings;
- Scroll down to the Reset button and click on it;
- The following warning will appear: “This will permanently delete the app’s data on this device, including your preferences and sign-in details”. Confirm it by pressing the Reset button.