Disable Windows Defender
Don't turn this off unless you know what you are doing. First disable all of the Windows Defender options (in Settings) before disabling the service; otherwise cloud-based protection will cause 100% disk usage.
See Disable Telemetry for additional telemetry services.
Danger
After every major Windows update, verify these settings.
Disable tamper protection
Windows 1903+ requires Tamper Protection to be disabled before Windows Defender can be disabled.
GUI
⌘ + r › windowsdefender://settings › Virus & threat protection settings › Manage Settings
Tamper Protection
☐
Updated: 2021-02-19 Reference
Registry
PS Exec
PsExec64.exe -accepteula -d -i -s powershell -ExecutionPolicy Bypass Set-Itemproperty -path 'HKLM:SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -value 0
Sysinternals PsTools needs to be installed to disable this via PowerShell.
Disconnect from Microsoft Antimalware Protection Service
Uploads files and file hashes to Microsoft for any suspect file.
GPO
Computer Configuration › Administrative Templates › Windows Components › Windows Defender Antivirus › MAPS › Join Microsoft MAPS
☑
DISABLED
Updated: 2021-02-19
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
SpyNetReporting
DWORD
0
SubmitSamplesConsent
DWORD
2
Updated: 2021-02-19
Disable Windows Defender notifications
Computer Configuration › Administrative Templates › Windows Components › Windows Defender Antivirus › Client Interface › Suppress all notifications
☑
ENABLED
Updated: 2021-02-19
Disable Windows Defender Enhanced Notifications
GPO
Computer Configuration › Administrative Templates › Windows Components › Windows Defender Antivirus › Reporting › Turn off enhanced notifications
☑
ENABLED
Updated: 2021-02-19
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting
DisableEnhancedNotifications
SZ
1
Updated: 2021-02-19
Disable Windows Defender Updates
GPO
Computer Configuration › Administrative Templates › Windows Components › Windows Defender Antivirus › Security Intelligence Updates › Allow real-time security intelligence updates based on reports to Microsoft MAPS
☑
ENABLED
Updated: 2021-02-19
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Updates
named
DELETE
DELETE
Updated: 2021-02-19
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates
FallbackOrder
SZ
FileShares
DefinitionUpdateFileSharesSources
DELETE
DELETE
Updated: 2021-02-19
Disable Malicious Software Reporting Tool
This reports file information to Microsoft.
GPO
Computer Configuration › Administrative Templates › Windows Components › Windows Defender Antivirus › MAPS › Send file samples when further analysis is required
☑
Never Send
Updated: 2021-02-19
Registry
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT
DontReportInfectionInformation
DWORD
1
Updated: 2021-02-19
Disable Windows Defender Smart Screen
GPO
Computer Configuration › Administrative Templates › Windows Components › Windows Defender SmartScreen › Explorer › Configure Windows Defender SmartScreen
☑
DISABLED
Updated: 2021-02-19
GPO
Computer Configuration › Administrative Templates › Windows Components › Windows Defender SmartScreen › Explorer › Configure App Install Control
☑
ENABLED › Turn off app recommendations
Updated: 2021-02-19
GPO
Computer Configuration › Administrative Templates › Windows Components › File Explorer › Configure Windows Defender SmartScreen
☑
DISABLED
Updated: 2021-02-19
Registry
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
EnableSmartScreen
DWORD
0
Updated: 2021-02-19
Registry
Logically inverted relative to the equivalent GPO.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen
ConfigureAppInstallControlEnabled
DWORD
1
ConfigureAppInstallControl
SZ
Anywhere
Updated: 2021-02-19
Disable Windows Defender real-time protection
Computer Configuration › Administrative Templates › Windows Components › Windows Defender Antivirus › Real-time Protection
Turn off real-time protection
ENABLED
Turn on behavior monitoring
DISABLED
Scan all downloaded files and attachments
DISABLED
Monitor file and program activity on your computer
DISABLED
Turn on raw volume write notifications
DISABLED
Turn on process scanning whenever real-time protection is enabled
DISABLED
Define the maximum size of downloaded files and attachments to be scanned
DISABLED
Configure local setting override for turn on behavior monitoring
DISABLED
Configure local setting override for scanning all downloaded files and attachments
DISABLED
Configure local setting override for monitoring file and program activity on your computer
DISABLED
Configure local setting override to turn on real-time protection
DISABLED
Configure local setting override for monitoring for incoming and outgoing file activity
DISABLED
Configure monitoring for incoming and outgoing file and program activity
DISABLED
Updated: 2021-02-19
Disable Windows Defender notification icon
GPO
Computer Configuration › Administrative Templates › Windows Components › Windows Security › Systray
Hide Windows Security Systray
ENABLED
Updated: 2021-02-19 Reference
Task Manager
⌘ › Task Manager › More Details › Startup
Windows Defender notification icon
DISABLED
Updated: 2021-02-19 Reference
Disable Windows Defender
As of Windows 1903 this setting only disables Windows Defender for Windows Server. It can only be manually disabled via the GUI. Other settings still apply.
GPO
Computer Configuration › Administrative Templates › Windows Components › Windows Defender Antivirus › Turn off Windows Defender Antivirus
☑
ENABLED
Updated: 2021-02-19
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
DisableAntiSpyware
DWORD
1
Updated: 2021-02-19
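A read-only check for the "verify these settings after every major Windows update" step, added here as an example and not part of the original page; the same output shows a responder which Defender policies are overridden on a host. The function name `Get-DefenderSettingState` and the `Match`/`Drift`/`Missing` labels are hypothetical; keys, names and expected values are the ones listed above.

```powershell
# Added example: read-only audit, nothing is written to the registry.
# Expected values are the ones listed on this page, compared as strings so
# that DWORD and SZ entries are handled the same way.
$wd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$expected = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'; Name = 'TamperProtection'; Value = '0' }
    @{ Key = "$wd\Spynet"; Name = 'SpyNetReporting'; Value = '0' }
    @{ Key = "$wd\Spynet"; Name = 'SubmitSamplesConsent'; Value = '2' }
    @{ Key = "$wd\Reporting"; Name = 'DisableEnhancedNotifications'; Value = '1' }
    @{ Key = "$wd\Signature Updates"; Name = 'FallbackOrder'; Value = 'FileShares' }
    @{ Key = "$wd\SmartScreen"; Name = 'ConfigureAppInstallControlEnabled'; Value = '1' }
    @{ Key = "$wd\SmartScreen"; Name = 'ConfigureAppInstallControl'; Value = 'Anywhere' }
    @{ Key = $wd; Name = 'DisableAntiSpyware'; Value = '1' }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'; Name = 'DontReportInfectionInformation'; Value = '1' }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'EnableSmartScreen'; Value = '0' }
)

# Hypothetical helper: one result object per expected value.
function Get-DefenderSettingState {
    param([hashtable[]]$Expected)
    foreach ($e in $Expected) {
        $actual = $null
        # A missing key or value is reported as Missing instead of raising an error.
        $item = Get-ItemProperty -LiteralPath $e.Key -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($e.Name) }
        $state = if ($null -eq $actual) { 'Missing' } elseif ("$actual" -eq $e.Value) { 'Match' } else { 'Drift' }
        [pscustomobject]@{
            State    = $state
            Key      = $e.Key
            Name     = $e.Name
            Expected = $e.Value
            Actual   = $actual
        }
    }
}

# Run from an elevated prompt after each feature update and review anything not 'Match'.
Get-DefenderSettingState -Expected $expected | Sort-Object State | Format-Table -AutoSize -Wrap
```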
Firewall
Endpoints for telemetry may change. Periodically verify these have not changed. See references for additional documentation.
Warning
These endpoints should be blocked or routed to a blackhole. See Pi-Hole and DNAT for Captive DNS.
Connected User Experiences and Telemetry endpoints
Microsoft Defender Advanced Threat Protection is country specific and the prefix changes by country, e.g.: de.vortex-win.data.microsoft.com
Release | Diagnostic Endpoint | Functional Endpoint | Settings Endpoint |
---|---|---|---|
1703 with 2018-09 cumulative update | v10c.vortex-win.data.microsoft.com | v20.vortex-win.data.microsoft.com | settings-win.data.microsoft.com |
1803 without 2018-09 cumulative update | v10.events.data.microsoft.com | v20.vortex-win.data.microsoft.com | settings-win.data.microsoft.com |
1709 or earlier | v10.vortex-win.data.microsoft.com | v20.vortex-win.data.microsoft.com | settings-win.data.microsoft.com |
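To confirm the blackhole is in effect from a client, the check below resolves each endpoint in the table and flags any that still return a routable address. It is an added example, not part of the original page; the function name `Test-EndpointBlocked` is hypothetical, and the sinkhole addresses are an assumption to be adjusted to whatever your DNS blackhole answers with.

```powershell
# Added example: verify that the telemetry endpoints from the table are sinkholed.
$endpoints = @(
    'v10c.vortex-win.data.microsoft.com'
    'v10.events.data.microsoft.com'
    'v10.vortex-win.data.microsoft.com'
    'v20.vortex-win.data.microsoft.com'
    'settings-win.data.microsoft.com'
)

# Assumption: the blackhole answers A queries with one of these addresses.
$sinkhole = @('0.0.0.0', '127.0.0.1')

# Hypothetical helper: Blocked is true when the name does not resolve at all
# or resolves only to sinkhole addresses.
function Test-EndpointBlocked {
    param([string[]]$Name, [string[]]$SinkholeAddress)
    foreach ($n in $Name) {
        # -DnsOnly skips LLMNR/NetBIOS so only the configured DNS resolver is tested.
        $answers = @(Resolve-DnsName -Name $n -Type A -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress } |
            Select-Object -ExpandProperty IPAddress)
        $leaks = @($answers | Where-Object { $_ -notin $SinkholeAddress })
        [pscustomobject]@{
            Endpoint = $n
            Blocked  = ($leaks.Count -eq 0)
            Answers  = ($answers -join ', ')
        }
    }
}

Test-EndpointBlocked -Name $endpoints -SinkholeAddress $sinkhole | Format-Table -AutoSize
```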
Diagnostic data services endpoints
Service | Endpoint |
---|---|
Microsoft Defender Advanced Threat Protection | |
References