Yes, you can completely remove Windows Defender by using install_wim_tweak and removing the various Defender packages. I actually wouldn't recommend that, though, as some of the Defender files are needed for other things. Instead, you can disable Defender by modding a simple registry key. I've already made a script for that. You're welcome to use it. Just rename this txt as Defender.cmd
Code:
@echo off
title Disable/Enable Windows Defender
color 1f
:Begin UAC check and Auto-Elevate Permissions
:-------------------------------------
REM --> Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
echo:
echo Requesting Administrative Privileges...
echo Press YES in UAC Prompt to Continue
echo:
goto UACPrompt
) else ( goto gotAdmin )
:UACPrompt
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
"%temp%\getadmin.vbs"
exit /B
:gotAdmin
if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
pushd "%CD%"
CD /D "%~dp0"
:--------------------------------------
:Check the key:
(reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware"|find /i "0x1")>NUL 2>NUL
if %errorlevel% neq 0 GOTO :KEYOFF
:KEYON
echo ============================================================
echo Windows Defender currently disabled.
echo Would you like to re-enable it? (Y/N)
echo ============================================================
echo.
choice /c yn /n
If %ERRORLEVEL% NEQ 1 GOTO :QUIT
Echo Changing Registry key
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /D 0 /T REG_DWORD /F>NUL 2>NUL
IF %ERRORLEVEL% NEQ 0 GOTO :ERROR
Echo.
Echo Windows Defender enabled
Echo.
goto :QUIT
:KEYOFF
echo ============================================================
echo Windows Defender is currently enabled.
echo Would you like to disable it? (Y/N)
echo ============================================================
echo.
choice /c yn /n
If %ERRORLEVEL% NEQ 1 GOTO :QUIT
Echo Changing Registry key
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /D 1 /T REG_DWORD /F>NUL 2>NUL
IF %ERRORLEVEL% NEQ 0 GOTO :ERROR
Echo.
Echo Windows Defender disabled
Echo.
goto :QUIT
:QUIT
echo ============================================================
echo Press any key to exit...
echo ============================================================
pause>NUL
goto :EOF
:ERROR
echo ============================================================
echo The script ran into an unexpected error setting reg key.
echo Press any key to exit...
echo ============================================================
pause>NUL
goto :EOF

All reg keys can be, if you know your way around reg load / unload. I would advise against modding any offline services, tho. I've had BSOD failures on first boot trying to mess with those.
I have done a little work with Win 7 & 8.1 mounted REG entries. I may give it a go. Just tested the script out. It's beautiful. Thank you very much.
Yes, I removed Defender from install.wim, but had some strange things happen in Task Scheduler: it would crash, or complain about the task not running. It seemed removing Defender made things a bit unsettled, so I figured it was not worth it to totally remove it.
I haven't tried messing with taskchd stuff, but I know the get-windowsupdates powershell command won't run without the appropriate dll from the defender directory. You could probably go through and replace the files you need, but if you're going to do all that, why not just leave it there and disable it, right?
Because we suspect defender is deleting files either during or immediately after install. Do you know if defender runs during install or not? Because if not, and it only runs after install, then running your script as the first thing you do after install should fix the problem. I second the nice script sentiment.
So, as you know, in 10 there is an option under Defender settings that states something like "we will turn this back on after a while if it is turned off". Does your script take that into account? Thanks.
Well, I believe it starts the various services during the first reboot portion of setup. Since defender runs as a service, it likely starts there. Whether it actually blocks stuff during oobe or setupcomplete, I really don't know. I've never actually tried to get it to run anything that I knew the default definitions would block.
That's only for the settings app thing. This reg key is for group policy disable, which won't turn itself back on.
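
Added example (not part of the thread and not any poster's code): because this policy value stays set until someone changes it back, writes to it are worth watching for. The sketch below scans records shaped like Sysmon Event ID 13 (registry value set) for changes to that value; the sample events are constructed and the function names are hypothetical.

```python
import re

# Value toggled by the script posted in this thread; registry paths are case-insensitive.
POLICY_VALUE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"

# Constructed sample records shaped like Sysmon Event ID 13 (registry value set),
# cut down to the fields used below. Times and process paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2015-08-01 10:02:11", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "UtcTime": "2015-08-01 10:05:40", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Example\Unrelated", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "UtcTime": "2015-08-01 11:30:02", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"hkey_local_machine\software\policies\microsoft\windows defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "UtcTime": "2015-08-01 11:31:00", "Image": r"C:\Windows\System32\cmd.exe"},
]

def normalize(path):
    """Lower-case a registry path and fold the long hive name into 'hklm'."""
    path = path.strip().lower()
    long_hive = "hkey_local_machine\\"
    return "hklm\\" + path[len(long_hive):] if path.startswith(long_hive) else path

def parse_dword(details):
    """Return the integer from a 'DWORD (0x00000001)' detail string, else None."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None

def defender_policy_changes(events):
    """List (time, process image, state) per write; unparsable data is 'unknown'."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13 or \
                normalize(ev.get("TargetObject", "")) != normalize(POLICY_VALUE):
            continue
        value = parse_dword(ev.get("Details", ""))
        state = {1: "disabled", 0: "enabled"}.get(value, "unknown")
        hits.append((ev["UtcTime"], ev["Image"], state))
    return hits

def current_state(events):
    """State after the last recorded write, or 'no change seen'."""
    changes = defender_policy_changes(events)
    return changes[-1][2] if changes else "no change seen"

if __name__ == "__main__":
    for when, image, state in defender_policy_changes(SAMPLE_EVENTS):
        print(f"{when}  {image}  -> Defender policy {state}")
```
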
Thought I would have a go at using DISM to remove Defender. Using the install_wim_tweak.exe I got the package names. Pulled out the Defender names. I have a nice DISM folder structure which has served me well in Win 7 and Win 8. So inside of Win 10 I mount my install.wim, then I run this command
Code:
DISM /Image:%~dp0mount /Remove-Package /PackageName:Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.10240.16384
DISM /Image:%~dp0mount /Remove-Package /PackageName:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~en-GB~10.0.10240.16384
DISM /Image:%~dp0mount /Remove-Package /PackageName:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.10240.16384
DISM /Image:%~dp0mount /Remove-Package /PackageName:Windows-Defender-Client-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.10240.16384
DISM /Image:%~dp0mount /Remove-Package /PackageName:Windows-Defender-Client-WOW64-Package~31bf3856ad364e35~amd64~~10.0.10240.16384
DISM /Image:%~dp0mount /Remove-Package /PackageName:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~en-GB~10.0.10240.16384
DISM /Image:%~dp0mount /Remove-Package /PackageName:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.10240.16384

All I get is an error saying Access Denied, or similar. The .cmd is RAN AS ADMIN. Can't see where I am going wrong (which probably means I am doing summet so silly I can't see it). Any tips?
Yes cheers for that info.. I will give it a go.. but... Regarding what I was doing. Is it totally wrong or what ?
Yep, in my tests to write the En/Disable script from my sig I found DISM highly ineffective in removing the packages, whereas that ingenious new little EXE did it flawlessly. The creators did an amazing job here. Reminds me to offer manual un/hide and Remove in next version.
Running that .exe shows me it is "taking ownership". I am guessing I would have to do that for the DISM to work. It looks pretty good though. I just copied the .exe into System32 and ran this little .cmd in my DISM folder
Code:
install_wim_tweak.exe /p %~dp0mount /c Windows-Defender /r

cheers..
Well I ran the .exe as stated. It all looked good. I have just done a fresh install and Defender was still working. DAMN. DAMN. DAMN. I have just realised what an idiot I am and what the mistake is. I mounted the install.wim. Ran the .exe. Then I copied the install.wim to my USB.. I DID NOT UNMOUNT THE install.wim and COMMIT the changes.... WHAT AN IDIOT....... Right, I will do it again...