◉ Windows Defender Management

Fully disabling Defender without breaking system integrity

Tested on Windows 11 Enterprise IoT 25H2 (build 26200.x).

1 Fully disabling Windows Defender
▶ Normal Mode  Step 1.0 — Must be done first
Disable Tamper Protection
This is a mandatory zero step. Tamper Protection blocks changes to Defender scheduler tasks and EPP registry keys even for Administrators — the commands in steps 1.1 and 1.4 will execute without errors, but the changes will not stick or will be silently reverted.
It can only be disabled via the GUI — doing it through the registry or Group Policy is not possible while the protection is enabled.
  1. Open Settings (Win + I) → Privacy & security → Windows Security → Virus & threat protection
  2. Scroll down to "Virus & threat protection settings" → click "Manage settings"
  3. Find the "Tamper Protection" toggle → switch it Off → confirm in the UAC prompt
▶ Normal Mode  Step 1.1
Disable scheduler tasks, notifications, and SmartScreen
Open PowerShell as Administrator (Win + X → Terminal (Administrator)) and run the entire block at once.
No reboot needed — changes take effect immediately.
Also note the default value of WdNisDrv — you will need it for rollback: sc.exe qc WdNisDrv → look at the START_TYPE line. Type sc.exe rather than sc: in Windows PowerShell, sc is an alias for Set-Content. On most builds the value is 2 (AUTO_START), on some editions — 3 (DEMAND_START).
PowerShell (Administrator)
# Disable Defender scheduler tasks
Disable-ScheduledTask -TaskPath "\Microsoft\Windows\Windows Defender\" -TaskName "Windows Defender Cache Maintenance"
Disable-ScheduledTask -TaskPath "\Microsoft\Windows\Windows Defender\" -TaskName "Windows Defender Cleanup"
Disable-ScheduledTask -TaskPath "\Microsoft\Windows\Windows Defender\" -TaskName "Windows Defender Scheduled Scan"
Disable-ScheduledTask -TaskPath "\Microsoft\Windows\Windows Defender\" -TaskName "Windows Defender Verification"

# Disable "Enable security service" toast (AccountHealth)
Disable-ScheduledTask -TaskPath "\Microsoft\Windows\AccountHealth\" -TaskName "RecoverabilityToastTask"

# Disable "Enable Security Center service" tray notifications
reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusDisableNotify /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride       /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v Enabled /t REG_DWORD /d 0 /f

# Disable SmartScreen
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System"                     /v EnableSmartScreen         /t REG_DWORD /d 0   /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"               /v SmartScreenEnabled        /t REG_SZ    /d Off /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost"                /v EnableWebContentEvaluation /t REG_DWORD /d 0   /f
▶ Normal Mode  Step 1.2
Remove SecurityHealth from startup and boot into Safe Mode
In the same PowerShell as Administrator, run the block.
After execution the system will reboot into Safe Mode — continue from step 1.3.
Why Safe Mode? Tamper Protection blocks changes to Defender service registry keys even for Administrators in normal mode. In Safe Mode this protection does not load. Scheduler tasks, notifications, and SmartScreen are not protected by Tamper Protection — they are disabled in normal mode (step 1.1). EPP context menu entries are also not protected by Tamper Protection, but are removed in step 1.4 together with the services since they logically belong to the same group.
PowerShell (Administrator)
# Remove Security Center icon from startup
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" `
                    -Name "SecurityHealth" `
                    -ErrorAction SilentlyContinue

# Enable Safe Mode and reboot

bcdedit /set '{current}' safeboot minimal
Restart-Computer
⚠ Safe Mode ✎ regedit  Step 1.3 — Start here after reboot
Grant permissions on protected registry keys (wscsvc and Sense)
The registry keys for services wscsvc and Sense are write-protected even for Administrators — without permissions the commands in step 1.4 will return "Access Denied".
First grant permissions on both keys in one pass, then proceed to cmd.
Open regedit: Win + R → regedit → Enter. For each of the two keys below, follow the same procedure:
regedit paths — grant permissions on both
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense
Procedure for each key:
  1. Right-click the folder → Permissions → Advanced
  2. Next to "Owner: SYSTEM" click Change → type Administrators → Check Names → OK
  3. Check "Replace owner on subcontainers and objects" → Apply
  4. In the permissions list select the Administrators row → Edit → set type to Allow and check Full Control → Apply → OK
After granting permissions on both keys — proceed to step 1.4.
⚠ Safe Mode  Step 1.4
Disable Defender services and wscsvc via the registry
Open cmd.exe as Administrator (Win + R → cmd → Ctrl + Shift + Enter) and run the entire block at once.
Value 4 = "Disabled" mode. The service will not start at system boot.
About WdBoot: boot-start driver (type 0). We set Start=4, but with Secure Boot + TPM enabled, ELAM validation may reset it back to 0. If after reboot you see Start=0 instead of 4 — this is normal: Defender will still not start as long as WinDefend is disabled.
cmd.exe (Administrator) — Safe Mode
:: [1/7] Disable core Defender services and drivers
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend"  /v Start /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter"  /v Start /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot"   /v Start /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v Start /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v Start /t REG_DWORD /d 4 /f

:: [2/7] Disable additional services (relevant for Windows 11 25H2)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense"               /v Start /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefsvc"       /v Start /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc"   /v Start /t REG_DWORD /d 4 /f

:: [3/7] Hide Security Center shield from tray
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f

:: [4/7] Suppress Health Center
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\HealthCenter" /v DisableHealthCenter /t REG_DWORD /d 1 /f

:: [5/7] Remove EPP from Explorer context menu
reg delete "HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP"                  /f 2>nul
reg delete "HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP"              /f 2>nul
reg delete "HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP"          /f 2>nul
reg delete "HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\EPP" /f 2>nul
reg delete "HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\EPP"             /f 2>nul

:: [6/7] Block smartscreen.exe from running (process appears in Task Manager even with SmartScreen disabled)
takeown /f "%SystemRoot%\System32\smartscreen.exe" /a
icacls "%SystemRoot%\System32\smartscreen.exe" /deny *S-1-5-32-545:(X)

:: [7/7] Disable wscsvc
reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 4 /f
After running the block — exit Safe Mode:
cmd.exe (Administrator) — Safe Mode
bcdedit /deletevalue {current} safeboot
shutdown /r /t 0
▶ Normal Mode  Verification
Confirm everything is disabled
Run each block separately in PowerShell as Administrator. Expected values are shown in the comments.
Step 1.1 — Scheduler tasks, notifications, SmartScreen, startup; Step 1.4 — EPP
PowerShell (Administrator)
# Scheduler tasks — all five should show State: Disabled
Get-ScheduledTask -TaskPath "\Microsoft\Windows\Windows Defender\" | Select-Object TaskName, State
Get-ScheduledTask -TaskPath "\Microsoft\Windows\AccountHealth\" -TaskName "RecoverabilityToastTask" | Select-Object TaskName, State

# EPP in context menu — all five commands should return "ERROR: The system was unable to find..."
reg query "HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP"
reg query "HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP"
reg query "HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP"
reg query "HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\EPP"
reg query "HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\EPP"

# Security Center notifications — AntiVirusDisableNotify and AntiVirusOverride should be 0x1
reg query "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusDisableNotify
reg query "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride

# SecurityAndMaintenance toast — Enabled should be 0x0
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v Enabled

# SmartScreen — EnableSmartScreen should be 0x0, SmartScreenEnabled should be "Off", EnableWebContentEvaluation should be 0x0
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation

# smartscreen.exe — deny ACL for Users should be present
# PowerShell does not expand %SystemRoot%, so use $env:SystemRoot here
icacls "$env:SystemRoot\System32\smartscreen.exe"

# SecurityHealth startup — key should NOT exist (error = expected)
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SecurityHealth
Steps 1.3 and 1.4 — Services
PowerShell (Administrator)
# Services — all should show Status: Stopped, StartType: Disabled
Get-Service WinDefend, WdFilter, WdNisSvc, WdNisDrv, Sense, webthreatdefsvc, webthreatdefusersvc, wscsvc |
  Select-Object Name, Status, StartType

# Security Center tray — HideSystray should be 0x1
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray

# Health Center — DisableHealthCenter should be 0x1
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\HealthCenter" /v DisableHealthCenter
Major Windows updates (Feature Updates) may restore Defender services to their original state. After such an update it is recommended to run the checks from the "Verification" section and if necessary repeat steps 1.3–1.4.
Regular cumulative updates (Cumulative Updates) do not affect the services.
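The rollback in step 2.3 depends on knowing the original Start values, and the note above asks for a re-check after every Feature Update. The PowerShell below is an added example, not part of the original guide: it records the Start value of each service key the guide edits and later reports which ones differ from the saved copy. The function names and the JSON file path are illustrative assumptions.

```powershell
# Added example (not from the original guide): read-only snapshot/compare of Start values.
# Service names are the ones edited in steps 1.4 and 2.3; file path and function names are assumptions.
$Services   = 'WinDefend','WdFilter','WdBoot','WdNisSvc','WdNisDrv',
              'Sense','webthreatdefsvc','webthreatdefusersvc','wscsvc'
$StartNames = @{ 0 = 'BOOT'; 1 = 'SYSTEM'; 2 = 'AUTO'; 3 = 'DEMAND'; 4 = 'DISABLED' }

function Get-StartSnapshot {
    foreach ($name in $Services) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        [pscustomobject]@{
            Service = $name
            Start   = $start   # $null when the key does not exist on this edition
            Meaning = if ($null -ne $start) { $StartNames[[int]$start] } else { 'missing' }
        }
    }
}

function Save-StartSnapshot ([string]$Path) {
    Get-StartSnapshot | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-StartSnapshot ([string]$Path) {
    # foreach statement (not the pipeline) so the JSON array is enumerated on PowerShell 5.1 too
    $saved = @{}
    foreach ($row in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        $saved[$row.Service] = $row.Start
    }
    foreach ($now in Get-StartSnapshot) {
        [pscustomobject]@{
            Service = $now.Service
            Saved   = $saved[$now.Service]
            Current = $now.Start
            Changed = $saved[$now.Service] -ne $now.Start
        }
    }
}

# Before step 1.1 (records the defaults you will need in step 2.3):
#   Save-StartSnapshot -Path "$env:USERPROFILE\defender-start-baseline.json"
# After a Feature Update (shows which keys no longer match the saved file):
#   Compare-StartSnapshot -Path "$env:USERPROFILE\defender-start-baseline.json" | Format-Table
```

Run it in PowerShell as Administrator; it only reads the registry, so it works in both normal mode and Safe Mode without the permission changes from step 1.3.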
2 Restoring Windows Defender (full rollback)
▶ Normal Mode  Step 2.1
Re-enable scheduler tasks, restore notifications, EPP, and SecurityHealth startup
Open cmd.exe as Administrator and run the block. No reboot needed.
cmd.exe (Administrator)
:: Re-enable Defender scheduler tasks
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup"           /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"    /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification"      /Enable
schtasks /Change /TN "Microsoft\Windows\AccountHealth\RecoverabilityToastTask"               /Enable

:: Restore Security Center notifications
reg delete "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusDisableNotify /f 2>nul
reg delete "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride       /f 2>nul
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v Enabled /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System"           /v EnableSmartScreen         /f 2>nul
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"   /v SmartScreenEnabled        /f 2>nul
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost"    /v EnableWebContentEvaluation /f 2>nul

:: Restore permissions on smartscreen.exe
takeown /f "%SystemRoot%\System32\smartscreen.exe" /a
icacls "%SystemRoot%\System32\smartscreen.exe" /remove:d *S-1-5-32-545

:: Restore EPP to Explorer context menu
:: CLSID {09A47860-11B0-4DA5-AFA5-26D86198A780} = ShellExtension for MpShe.dll
reg add "HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP"                  /ve /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
reg add "HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP"              /ve /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
reg add "HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP"          /ve /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
reg add "HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\EPP" /ve /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
reg add "HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\EPP"             /ve /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f

:: Restore Security Center icon to startup
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SecurityHealth /t REG_EXPAND_SZ /d "%windir%\System32\SecurityHealthSystray.exe" /f
▶ Normal Mode  Step 2.2
Boot into Safe Mode
In the same cmd.exe as Administrator run the block. After execution the system will reboot into Safe Mode — continue from step 2.3.
cmd.exe (Administrator)
bcdedit /set {current} safeboot minimal
shutdown /r /t 0
⚠ Safe Mode  Step 2.3
Restore services via the registry
Open cmd.exe as Administrator in Safe Mode and run the block.
Do not reboot yet — first restore ownership of wscsvc and Sense via regedit (see below), and only then enter the exit commands.
Default values: WinDefend = 2 (auto), WdFilter = 2 (auto), WdBoot = 0 (boot-start), WdNisSvc = 3 (manual), WdNisDrv = 2 (auto on most builds; substitute your own value if it differs — you checked it in step 1.1).
About WdBoot: the default value is Start=0 (boot-start). With Secure Boot + TPM enabled, ELAM validation may reset it back to 0 even if you set it manually to something else — this is normal and has no effect on system operation.
cmd.exe (Administrator) — Safe Mode
:: [1/3] Restore default parameters for all Defender services
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend"           /v Start /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter"           /v Start /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot"            /v Start /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc"          /v Start /t REG_DWORD /d 3 /f
:: WdNisDrv: default value on most builds = 2; if yours was different — substitute your own (check beforehand: sc qc WdNisDrv)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv"          /v Start /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense"              /v Start /t REG_DWORD /d 3 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefsvc"    /v Start /t REG_DWORD /d 3 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc" /v Start /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc"             /v Start /t REG_DWORD /d 2 /f

:: [2/3] Restore Security Center tray icon
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /f 2>nul

:: [3/3] Re-enable Health Center
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\HealthCenter" /v DisableHealthCenter /f 2>nul
Do not close this cmd window. Make sure all commands above have been executed. Then open regedit and return ownership of wscsvc and Sense back to SYSTEM (instructions below) — the Start values are already set by the reg add commands above, regedit is only needed to restore ownership. Only after that enter the Safe Mode exit commands.
Return ownership via regedit — Win + R → regedit → for each of the two keys follow the same procedure:
regedit paths — restore ownership on both
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense
  1. Right-click the folder → Permissions → Advanced → Change owner to SYSTEM → check "Replace owner on subcontainers and objects" → Apply → OK
  2. Close the permissions window — no need to manually restrict Administrators permissions, they will revert to their defaults automatically after ownership is transferred back to SYSTEM
After that return to cmd and exit Safe Mode:
cmd.exe (Administrator) — Safe Mode
bcdedit /deletevalue {current} safeboot
shutdown /r /t 0
▶ Normal Mode  Step 2.4 — Final
Re-enable Tamper Protection
Tamper Protection does not restore automatically when services start — it must be enabled manually via the GUI, the same way as in step 1.0.
  1. Open Settings (Win + I) → Privacy & security → Windows Security → Virus & threat protection
  2. Scroll down to "Virus & threat protection settings" → click "Manage settings"
  3. Find the "Tamper Protection" toggle → switch it On → confirm in the UAC prompt