How to Turn On or Off Microsoft Defender Antivirus in Windows 10  

Chrysalis said:

If you can figure this out would be awesome, I am currently investigating this as well.

The group policy to disable Defender now is ignored, if I disable in security applet, it is either until next reboot or after a day or so, whichever comes first.

What's odd is this is the usual behavior when Tamper Protection hasn't been disabled.

It is not a bug, it is a feature, to make sure, Windows is not running without AV.
It was persistent on Home, I guess MS has decided to force it on Pro as well.
Either way, if Defender's services are disabled, it can not turn itself on again.

splus said:

Yeah, but disabling has been disabled. It just doesn't work any more even if Tamper Protection is turned off.
I'm not sure if this depends on the initial Windows installation (installed from Windows 20H2 ISO or a previous one), or if Microsoft flipped the switch somehow recently...

If you enable the Windows Defender now and enable the Tamper Protection, and then restart the computer, would you still be able to disable the Defender?
If yes then the 20H2 ISO was the one who disabled the Defender disabling. If Windows is installed from the older Windows version then it should be still possible to disable the Defender.

Normally, if you have Tamper Protection disabled, you should be able to disable Windows Defender Antivirus and have it stick.

splus said:

Yeah, I know. That's how I disabled it before. But now after the clean install with Windows 20H2 it doesn't any more. Tamper Protection stays off after a reboot, but the option to disable the Defender doesn't work at all. Nothing happens. Whereas before it would stop it the moment I change the option in the Group Policy.

Yep, that's making this so odd.

Poccapx said:

For LTSC take a look at this method, which still works. However, it does require using an older version of Defender.

Yeah I just said that I wont be doing that, its way too hacky and maybe other repercussions to using older binaries. In my case I still want the memory exploit protections, I just want to disable the file scanning.

My current idea is to add a scheduled task which toggles the widget off at boot, and then every 24 hours as well.

It is great you figured that out though. So we have one working method at least.

- - - Updated - - -

--edited it with final solution--

Ok here is what I have done.

First of all the script, is very basic runs a powershell command to toggle the real time protection mode. I will also attach the file.

Code:

@echo off

powershell.exe -windowstyle hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

I copied it to program files folder, although it doesnt need to be there but thats my preference. Name "Defender-Realtime-Disable.cmd"

Now I have added a task in task scheduler.

First one called RenewDisableDefenderRT
Run on event
event log Windows/Windows Defender/Operational log
event id 5000
Run whether user is logged in or not, supply credentials, does not need to be the hidden admin account, and also does not need run with highest privileges ticked. But probably wont work on limited user accounts.
Actions, start a program, put in the script, in my case "C:\Program Files\Defender-Realtime-Disable.cmd"
Untick everything in conditions
Settings, allow task to run on demand (good for testing it) and stop if still running after an hour just to be on safe side.

Thats it, the only downside I see at the moment is when it runs there is a brief notification the protection is disabled. Probably can be muted in the notification settings if so desire, there wont be a powershell window popup.

I tested it a few times and works a treat, I enable it, then within a minute it auto disabled again, so this should not need agressive every minute tasks as well as worrying about the timing of a daily task, it will just run when it needs to. I recorded a clip of it in action, the reason I like this so much as well is because if I want to use the realtime protection all I merely need to do is disable the task, no need to move binaries around etc. In the future I am likely to use it again, as I do want the ransomware protection from it.

I have uploaded a clip of it in action here, I will post an update of how to add the task this way later.

2021-02-03_09-33-07

I also added a second script to run every hour with command

Code:

powershell.exe -windowstyle hidden -Command "Update-MpSignature"

since I disable auto windows update this will ensure defender stays updated on its signatures.