If you have ever used Windows Server, you may have noticed that in the add/remove features dialog, unlike in the user Windows editions, you actually can uninstall Windows Defender, and this is done right: it only removes the malicious part of WD (the one which always deletes your important files without asking) and leaves the other Security Center options intact. Run the script as SYSTEM or better TrustedInstaller... yeah, this is a proof-of-concept script, not a final polished easy-to-use utility. Usage: RemoveWD.cmd path_to_windows_root, where path_to_windows_root is the path you have mounted the WIM file to or the drive letter of an offline Windows installation. And after it looks like this: All the actually useful things are there, only the malicious part is gone, and as a bonus extra, it won't load useless WD updates from Windows Update anymore either. One thing to keep in mind though is that when you run a full upgrade, i.e. Windows gets reinstalled, WD will come back and will need to be removed again. FYI: this script was created by diffing a fresh server image with one on which "Dism /Disable-Feature /FeatureName:Windows-Defender /Remove" was run. BTW: It also seems to work on Windows 11 just fine.
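The diffing method the OP describes, carried through end to end in PowerShell as an added example (this is not the OP's RemoveWD.cmd and not code from the thread): mount a WIM, snapshot its file tree and the CBS package list in the offline SOFTWARE hive, run the same DISM feature removal the OP diffed against, snapshot again and print what disappeared. The paths in $Wim and $Mount and the temporary hive name HKLM\OFFSW are assumptions to adjust; the cmdlets are the standard Dism module ones.

```powershell
#Requires -RunAsAdministrator
# Added example: reproduce the "diff a fresh image against one where Windows-Defender was
# removed" method offline. Paths below are placeholders (assumption), not values from the thread.
param(
    [string]$Wim   = 'D:\sources\install.wim',   # assumed: a writable copy, not the file inside the ISO
    [int]   $Index = 1,
    [string]$Mount = 'C:\mount\wim'
)

function Get-TreeSnapshot($Root) {
    # relative path + size for every file in the mounted image; enough to see what the removal deletes
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Path = $_.FullName.Substring($Root.Length); Length = $_.Length } }
}

function Get-CbsPackages($Root) {
    # load the image's SOFTWARE hive under a temporary name (assumed free) and list CBS package entries
    $hive = 'HKLM\OFFSW'
    $hiveFile = Join-Path $Root 'Windows\System32\config\SOFTWARE'
    reg load $hive $hiveFile | Out-Null
    if ($LASTEXITCODE) { throw "reg load failed for $hiveFile" }
    try {
        Get-ChildItem "Registry::$hive\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" -ErrorAction Stop |
            ForEach-Object { $_.PSChildName }
    } finally {
        [gc]::Collect()            # drop lingering key handles so the hive can be unloaded
        reg unload $hive | Out-Null
    }
}

New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $Mount | Out-Null
try {
    $filesBefore = Get-TreeSnapshot $Mount
    $pkgsBefore  = Get-CbsPackages $Mount

    # the same operation the OP diffed: disable the feature and remove its payload from the image
    Disable-WindowsOptionalFeature -Path $Mount -FeatureName Windows-Defender -Remove | Out-Null

    $filesAfter = Get-TreeSnapshot $Mount
    $pkgsAfter  = Get-CbsPackages $Mount

    'Files removed from the image:'
    Compare-Object $filesBefore $filesAfter -Property Path |
        Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty Path

    'CBS package entries removed (<=) or added (=>):'
    Compare-Object $pkgsBefore $pkgsAfter

    'Feature state after removal:'
    Get-WindowsOptionalFeature -Path $Mount -FeatureName Windows-Defender | Select-Object FeatureName, State
}
finally {
    # -Discard leaves the source WIM untouched; use -Save instead to commit the stripped image
    Dismount-WindowsImage -Path $Mount -Discard | Out-Null
}
```

Run it elevated against a copy of install.wim (the one inside an ISO is read-only and cannot be mounted read-write). The file and package lists it prints are the raw material for a removal script like the OP's; switching the final -Discard to -Save keeps the stripped image instead of just reporting the diff.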
I'm not a fan of unfinished scripts - it's easy to say run as System, but it's not something trivial, and it's a vector for infection for people searching online for binaries providing it. You could incorporate the runasti snippet, for example. I'm not a fan of brute force when it comes to removing components. Under Windows 10 you can gracefully uninstall Defender on a live system - see this and this - no need for offline booting crap.

Code:
@(echo off% <#%) &color 07 &title UNINSTALL DEFENDER W10
set "0=%~f0" &set "1=%~f1"&set "2=%~2"& powershell -nop -c iex ([io.file]::ReadAllText($env:0)) &exit/b ||#>)[1]
# above: cmd/ps1 hybrid header; saved as .cmd it relaunches itself under PowerShell, pasted into PowerShell it is a no-op

$_Paste_in_Powershell = {

# locate the CBS package entries for the Defender client package
$uninstall = 'Windows-Defender-Client-Package'
$packages = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
$found = split-path -leaf (reg query $packages.replace(':','') /f $uninstall | findstr HKEY)
$found

# reg_own: take ownership of a registry key (optionally recursing) and grant the given user the given permission
function reg_own {
  param ( $key, $recurse='', $user='S-1-5-32-544', $owner='', $acc='Allow', $perm='FullControl', [switch]$list )
  $D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ember"('SetPrivilege',42)[0]; $u=$user; $o=$owner; $p=524288
  'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$D1.Invoke($null, @("$_",2))}
  $reg=$key-split':?\\',2; $key=$reg-join'\'; $HK=gi -lit Registry::$($reg[0]) -force; $re=$recurse; $in=(1,0)[$re-eq'Inherit']
  $own=$o-eq''; if($own){$o=$u}; $sid=[Security.Principal.SecurityIdentifier]; $w='S-1-1-0',$u,$o |% {new-object $sid($_)}
  $r=($w[0],$p,1,0,0),($w[1],$perm,1,0,$acc) |% {new-object Security.AccessControl.RegistryAccessRule($_)};
  function _own($k,$l) { $t=$HK.OpenSubKey($k,2,'TakeOwnership'); if($t) { try {$n=$t.GetAccessControl(4)} catch {$n=$HK.GetAccessControl(4)}
    $u=$n.GetOwner($sid); if($own-and $u) {$w[2]=$u}; $n.SetOwner($w[0]); $t.SetAccessControl($n); $d=$HK.GetAccessControl(2)
    $c=$HK.OpenSubKey($k,2,'ChangePermissions'); $b=$c.GetAccessControl(2); $d.RemoveAccessRuleAll($r[1]); $d.ResetAccessRule($r[0])
    $c.SetAccessControl($d); if($re-ne'') {$sk=$HK.OpenSubKey($k).GetSubKeyNames(); foreach($i in $sk) {_own "$k\$i" $false}}
    if($re-ne'') {$b.SetAccessRuleProtection($in,1)}; $b.ResetAccessRule($r[1]); if($re-eq'Delete') {$b.RemoveAccessRuleAll($r[1])}
    $c.SetAccessControl($b); $b,$n |% {$_.SetOwner($w[2])}; $t.SetAccessControl($n)}; if($l) {return $b|fl} }; _own $reg[1] $list
}

foreach ($item in $found) {
  # take the key from TrustedInstaller, unhide the package and drop its Owners so DISM agrees to remove it
  reg_own "$packages\$item" -recurse Replace -user 'S-1-1-0'
  set-itemproperty -Path "$packages\$item" -Name "Visibility" -Value 1
  remove-item -Path "$packages\$item\Owners"; $item
  remove-windowspackage -Online -PackageName "$item" -NoRestart
}
shutdown /r /t 0

} ; start -verb runas powershell -args "-nop -c & {`n`n$($_Paste_in_Powershell-replace'"','\"')}"
$_Press_Enter

You just paste that in PowerShell under Windows 10 - and BAM! The only challenge is doing something alike under Windows 11.
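A read-only companion to the script in the post above, added here as an example (it is not part of the post): it lists the same CBS package entries the script rewrites and, for each, the key owner, the Visibility and CurrentState values, whether an Owners subkey exists and whether DISM currently lists the package. Nothing is modified, so it is a safe way to see why the ownership and Visibility steps exist before running the real thing. The package name filter is the one the post uses; the value meanings in the comments are the usual CBS ones and are stated as assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the post: inspect (never change) the CBS entries the uninstall script rewrites.
$PackageFilter = 'Windows-Defender-Client-Package'   # same name the post searches for
$cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'

function Get-DefenderCbsState {
    param([string]$Filter = $PackageFilter)

    $entries = Get-ChildItem -LiteralPath $cbs -ErrorAction Stop |
        Where-Object { $_.PSChildName -like "*$Filter*" }
    if (-not $entries) { Write-Warning "No CBS package entry matches $Filter"; return }

    # one DISM enumeration, reused for every entry (hidden packages are expected to be missing here)
    $dismListed = Get-WindowsPackage -Online -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PackageName

    foreach ($e in $entries) {
        $props = Get-ItemProperty -LiteralPath $e.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Package      = $e.PSChildName
            Owner        = (Get-Acl -LiteralPath $e.PSPath).Owner   # normally NT SERVICE\TrustedInstaller (why reg_own is needed)
            Visibility   = $props.Visibility                        # assumption: 2 = hidden from DISM, 1 = visible
            CurrentState = $props.CurrentState                      # assumption: 112 = installed
            HasOwners    = Test-Path -LiteralPath "$($e.PSPath)\Owners"
            DismListed   = $dismListed -contains $e.PSChildName
        }
    }
}

Get-DefenderCbsState | Format-Table -AutoSize
```

Run it from an elevated PowerShell before and after the uninstall script: an entry that is still owned by TrustedInstaller with Visibility 2 and an Owners subkey is exactly the state Remove-WindowsPackage refuses to touch, which is what the three registry steps in the post work around.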
I copied parts of the script and explained to you that it can break WU ("These specific lines ..."), and you say my code is broken. Ok .... Fine ..
By design you can't prevent the core Defender package (or Edge for that matter) from being re-applied by a new build and/or LCU, because these are hidden sub-components of the main edition marked Critical (remove = BSOD / automatic repair loop). But there's always a way, you just have to dig deeper. PS: talking about live systems and Windows Update, not pre-butchered media and custom updaters.
@DavidXanatos Do you have a script to revert all changes made? Anyway, I do like the idea of removing the "malicious side" of it.
Sorry, I didn't know you copied it from the OP. Yes, the script will break WU if you run it as TrustedInstaller. Running it as System is OK.
I said removing this service & files breaks some updates. You can feel it well in the LTSC edition; it does not matter how you removed them, with System / ? / ? ....
No, my dear friend. The firewall is a mandatory need for your OS to work; only firewall-dependent services could be disabled.