This application removes / disables Windows Defender, including the Windows Security App, Windows Virtualization-Based Security (VBS), Windows SmartScreen, Windows Security Services, Windows Web-Threat Service, Windows File Virtualization (UAC), Microsoft Defender App Guard, Microsoft Driver Block List, System Mitigations and the Windows Defender page in the Settings App on Windows 10 or later.
This script removes/disables following security components:
- support for Windows Security Center including Windows Security Center Service (wscsvc), Windows Security Service (SgrmBroker, Sgrm Drivers) which are needed to run Windows Security App.
- virtualization support.
- Hypervisor startup (this fixes disablation of Virtualization Based Security, this will auto enable if you use Hyper-V and/or WSL (Windows Subsystem for Linux), WSA (Windows Subsystem for Android))
- LUA (disables File Virtualization and User Account Control, which will run all apps as administrator priviliges (also fixes old app errors))
- Exploit Guard (something about Exploits)
- Windows Smart Control
- Tamper Protection (for Windows 11 21H2 or earlier)
- SecHealthUI (Windows Security UWP App)
- SmartScreen
- Pluton Support and Pluton Services Support
- System Mitigations
- "Services Mitigations" (search on admx.help for more informations, its policy)
- Spectre and Meltdown Mitigation (for get +30% performance on old Intel CPUs)
- Windows Security Section from Settings App.
This script forcily removes following antivirus components:
- Windows Defender Definition Update List (this will disable updating definitions of Defender because its removed)
- Windows Defender SpyNet Telemetry
- Antivirus Service
- Windows Defender Antivirus filter and windows defender rootkit scanner drivers
- Antivirus Scanning Tasks
- Shell Associations (Context Menu)
- Hides Antivirus Protection section from Windows Security App.
Note
A system restore point is recommended before you run the script. (if you don't know what are you doing)
- Download the packed script from Releases
- Run the ".exe" as administrator
- Follow the instructions displayed
OR
you can use git
git clone https://github.com/ionuttbara/windows-defender-remover.git
cd windows-defender-remover
Script_Run.bat
OR
you can use download entire source code
- Download the source code from Releases.
- Choose the file Source Code(.zip) from last version and download it.
- Unarchive the file into a folder and run the Script_Run.bat.
You can file an issue if you experience any problems.
You can remove Defender with arguments.
# Removal
Defender.Remover.exe /r <# or /R #>
If you have any problems when opening an app (extremely rare) and get the message "The app can not run because Device Guard" or "Windows Defender Application Guard Blocked this app", you have to remove 4 files with the same name, from different locations.
- In EFI Partition
Remove-Item -LiteralPath "$((Get-Partition | ? IsSystem).AccessPaths[0])Microsoft\Boot\WiSiPolicy.p7b"
- In Code Integrity Folder
Remove-Item -LiteralPath "$env:windir\System32\CodeIntegrity\WiSiPolicy.p7b"
- In Windows Folder
Remove-Item -LiteralPath "$env:windir\Boot\EFI\wisipolicy.p7b"
- In WinSxS Folder
Remove-Item -Path "$env:windir\WinSxS" -Include *winsipolicy.p7b* -Recurse
You can create an ISO with Windoows Defender and Security Services Disabled. It's easy, so this is a fiie which it can helps you. Here are the rules:
- Mount the ISO and extract it into location.
- Open the sources folder and create the
$OEM$ folder. (this is needed to run the DefenderRemover part in OOBE). - Open the
$OEM$ folder and create the folder with $$ name. - Open the $$ folder and create the folder with Panther name.
- Open the Panther folder. The path it shown like to *%location of extracted ISO%\sources$OEM$$$\Panther*
- Download the unnatended.xml file from repo in ISO_Maker folder and put it in Panther folder.
- Save this as bootable ISO. (for now the script can't do this automaticly, but it will do in next version).
Paste this code into a powershell file and after Run as Administrator.
$remove_appx = @("SecHealthUI"); $provisioned = get-appxprovisionedpackage -online; $appxpackage = get-appxpackage -allusers; $eol = @()
$store = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore'
$users = @('S-1-5-18'); if (test-path $store) {$users += $((dir $store -ea 0 |where {$_ -like '*S-1-5-21*'}).PSChildName)}
foreach ($choice in $remove_appx) { if ('' -eq $choice.Trim()) {continue}
foreach ($appx in $($provisioned |where {$_.PackageName -like "*$choice*"})) {
$next = !1; foreach ($no in $skip) {if ($appx.PackageName -like "*$no*") {$next = !0}} ; if ($next) {continue}
$PackageName = $appx.PackageName; $PackageFamilyName = ($appxpackage |where {$_.Name -eq $appx.DisplayName}).PackageFamilyName
ni "$store\Deprovisioned\$PackageFamilyName" -force >''; $PackageFamilyName
foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageName" -force >''} ; $eol += $PackageName
dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >''
remove-appxprovisionedpackage -packagename $PackageName -online -allusers >''
}
foreach ($appx in $($appxpackage |where {$_.PackageFullName -like "*$choice*"})) {
$next = !1; foreach ($no in $skip) {if ($appx.PackageFullName -like "*$no*") {$next = !0}} ; if ($next) {continue}
$PackageFullName = $appx.PackageFullName;
ni "$store\Deprovisioned\$appx.PackageFamilyName" -force >''; $PackageFullName
foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageFullName" -force >''} ; $eol += $PackageFullName
dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >''
remove-appxpackage -package $PackageFullName -allusers >''
}
}
That is a false positive.
Some security apps flag this app as a virus because of the way the ".exe" files are created. Download with git or source code .zip will indicate virus-free. Starting with Defender 12.6.x , some versions are considered as virus, some are not (its a bug from me, so do not file for this).
Windows Update includes a Intelligence Update
which blocks certain actions and modifies Windows Defender/Security policies.
If the script is not working for you, check if you have the Windows Security Intelligence Update installed. If you do, disable tamper protection, and re-run the script.
Run the desired ".bat" file from cmd with PowerRun (by dragging to the executable). You must reboot for the changes to take effect.
Disable with this command and reboot.
bcdedit /set hypervisorlaunchtype off