Step 1: Disable Real-time monitoring immediately to minimize current runtime memory resource utilization
# Step 1: stop real-time scanning on this host so the engine stops consuming runtime memory.
# NOTE(review): on builds with tamper protection enabled this preference change may be refused — confirm on the target.
$rtpSetting = @{ DisableRealtimeMonitoring = $true }
Set-MpPreference @rtpSetting
Step 2: Remove Windows Defender
# Step 2a (Server OS): Defender ships as a removable feature there, so uninstall it together with its GUI.
Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
# Uninstall-WindowsFeature -Name Windows-Defender   # alternate cmdlet for the same removal
# Step 2b (Client OS only): write the DisableAntiSpyware policy value. Server builds normally lack the
# policy key below, so New-ItemProperty fails there with the "Cannot find path" error shown beneath.
# NOTE(review): Microsoft documents this policy value as ignored on recent client builds when tamper
# protection is enabled — confirm it still has an effect on the target build.
$winDefendHive = 'REGISTRY::HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'
$keyName       = 'DisableAntiSpyware'
$disableValue  = 1
$policyValue = @{
  Path         = $winDefendHive
  Name         = $keyName
  Value        = $disableValue
  PropertyType = 'DWORD'
  Force        = $true
}
New-ItemProperty @policyValue
# This error occurs because Windows Defender on Server OS does not have this registry key
New-ItemProperty : Cannot find path 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' because it does not exist.
At line:1 char:1
+ New-ItemProperty -Path 'REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Policie ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (HKEY_LOCAL_MACH...indows Defender:String) [New-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemPropertyCommand
Alternative Method: Disable WinDefend via local GPO
Run gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus >
set Turn off Windows Defender Antivirus = Enabled, Turn off real time protection = Disabled > close gpedit > run ‘gpupdate /force’
Other Commands:
# How to grant Builtin\Administrators full control over the WinDefend service key.
# The key is opened with ChangePermissions rights only, so this edits the ACL and nothing else.
# NOTE(review): the open may be denied if the key's default ACL does not grant Administrators
# ChangePermissions — confirm from an elevated session before relying on this step.
$subKeyPath = 'SYSTEM\CurrentControlSet\Services\WinDefend'
$permCheck  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
$openRights = [System.Security.AccessControl.RegistryRights]::ChangePermissions
$winDefenderKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKeyPath, $permCheck, $openRights)
$acl = $winDefenderKey.GetAccessControl()
# FullControl for Administrators, inherited by subkeys (ContainerInherit), no propagation flags.
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList 'Builtin\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
$winDefenderKey.SetAccessControl($acl)
# Start value of the WinDefend service (SERVICE_START_TYPE): 2 = Automatic, 3 = Manual (demand start).
$winDefendService = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'
# Start the Windows Defender service automatically at boot.
Set-ItemProperty -Path $winDefendService -Name 'Start' -Value 2
# Do not start the service at boot. Note: 3 is Manual, not Disabled — the service can still be
# started on demand, so check its state with Get-Service if you expect it to stay stopped.
Set-ItemProperty -Path $winDefendService -Name 'Start' -Value 3
# Check WinDefend settings: a snapshot of which protection components are on and when signatures last updated.
$statusFields = @(
  'Antivirusenabled', 'AMServiceEnabled', 'AntispywareEnabled', 'BehaviorMonitorEnabled',
  'IoavProtectionEnabled', 'NISEnabled', 'OnAccessProtectionEnabled',
  'RealTimeProtectionEnabled', 'AntivirusSignatureLastUpdated'
)
Get-MpComputerStatus | Select-Object -Property $statusFields
# Remove the Windows-Defender feature with the legacy DISM servicing tool.
# /NoRestart defers the reboot; /quiet suppresses output, so check $LASTEXITCODE afterwards.
$dismArgs = @('/online', '/Disable-Feature', '/FeatureName:Windows-Defender', '/Remove', '/NoRestart', '/quiet')
& Dism.exe @dismArgs
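# Example: uninstall the old AV and Windows Defender on a list of servers. Meant to be followed
# immediately by installing the replacement AV so hosts are not left without protection.
$computernames = @(
  'SERVER0001',
  'SERVER0002',
  'SERVER0003'
)
$installFile = 'C:\Temp\xdr6.1.1.msi'
# Placeholder only. Do not keep a real uninstall password in the script: it is passed to msiexec on
# the command line (visible in process listings) and a verbose /l*v log can record MSI property
# values unless the package marks them hidden — review and remove the log once the run is checked.
$uninstallPassword = 'UNINSTALLPASSWORD'
# Folder on each target that receives the package and the uninstall log.
$logFolder = 'C:\Temp'
foreach ($computername in $computernames) {
  # Stage the package first; stop on a failed copy so the remote msiexec is not run against a missing file.
  Copy-Item -Path $installFile -Destination "\\$computername\c$\Temp" -ErrorAction Stop
  $localInstallFile = Join-Path $logFolder (Split-Path $installFile -Leaf)
  Invoke-Command -ComputerName $computername -ScriptBlock {
    param($installFile, $uninstallPassword, $logFolder)
    # a. Uninstall the old AV. The log path is now a real assignment; previously it sat on a comment
    #    line, so $uninstallLogFile was never set and /l*v received an empty file name.
    $uninstallLogFile = Join-Path $logFolder "${env:computername}_uninstallLogFile.txt"
    # NOTE(review): this is a remote session with no interactive desktop — if the package shows a UI,
    #    add the package's silent switch; confirm against the vendor's uninstall documentation.
    msiexec.exe /x $installFile /l*v $uninstallLogFile UNINSTALL_PASSWORD=$uninstallPassword
    # b. Remove/Disable Windows Defender:
    Set-MpPreference -DisableRealtimeMonitoring $true
    Uninstall-WindowsFeature -Name Windows-Defender
    # Restart-Computer
  } -ArgumentList $localInstallFile, $uninstallPassword, $logFolder
}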