Enable or Disable Windows Defender Using Shortcut or Command-line

Windows Defender, the built-in anti-virus program in Windows, has useful features such as cloud-based protection, offline scanning, limited periodic scanning, tamper protection, controlled folder access, etc.

Almost every aspect of Windows Defender can be managed or automated using the MpCmdRun.exe command-line tool and PowerShell cmdlets. There are times when you need to temporarily disable Windows Defender real-time protection on your test (non-production) systems and switch it back on after a few minutes.

You may prefer a single-click shortcut or script solution because of the following reasons:

  1. It takes several mouse clicks to turn off/on the Windows Defender real-time protection through the user interface.
  2. The Turn off Microsoft Defender Antivirus Group Policy setting or its equivalent registry setting DisableAntiSpyware = 1 would require rebooting the computer.
  3. Microsoft has discontinued the DisableAntiSpyware policy/registry setting in Microsoft Defender Antimalware platform versions 4.18.2007.8 and higher. DisableAntiSpyware no longer works!

This post explains how to enable or disable Windows Defender in a single click using desktop shortcuts or command-line without requiring a restart.

Method 1: Turn off the Microsoft Defender service completely

March 2022 Update: Method 1 doesn’t seem to work in the latest Windows 10 build 10.0.19044.1586 (21H2) despite running the script as TrustedInstaller. It throws up error 2, which means “The user did not have the necessary access.”

I’ll do more testing and see if a workaround is available.

This method turns off the Microsoft (Windows) Defender service altogether, which means every component of Windows Defender (including the real-time protection, Microsoft Defender Antivirus Network Inspection Service, cloud-based protection, limited periodic scanning, tamper protection, controlled folder access, etc.) is turned off.

This method works even if the Tamper Protection setting is enabled in the Windows Defender user interface. The Microsoft Defender Antivirus Service can be turned off only by a process running under the TrustedInstaller account.

  1. Download AdvancedRun from the following page at Nirsoft’s site.
    https://www.nirsoft.net/utils/advanced_run.html

    (AdvancedRun from Nirsoft is a program that lets you launch apps as TrustedInstaller or LocalSystem, as we’ve seen in the article How to Run Programs as TrustedInstaller.)

  2. Extract the executable AdvancedRun.exe to a permanent folder — let’s say D:\Tools.
  3. Create a Windows script file containing the following lines of code. To create a script file (.vbs), use Notepad.
    'Description: Script to disable the Microsoft Defender Antivirus service
    
    Set ServiceSet = GetObject("winmgmts:").ExecQuery _
    ("select * from Win32_Service where Name='WinDefend'")
    For Each Service In ServiceSet
       RetVal = Service.StopService() 
       If RetVal <> 0 Then 
          MsgBox "Error " & RetVal
       End If
       Service.ChangeStartMode("Manual")
    Next
  4. Save the script file as disable-defender.vbs in the D:\Tools folder.
  5. From the Run dialog, run the following command-line to disable Windows Defender altogether:
    D:\Tools\AdvancedRun.exe /EXEFilename "%windir%\system32\wscript.exe" /CommandLine '"D:\Tools\disable-defender.vbs"' /RunAs 8 /Run

    (Optionally, you can create a desktop shortcut to the above command.)

That disables Microsoft Defender Antivirus Service & Microsoft Defender Antivirus Network Inspection Service.

You may also see the following message when opening the Windows Security “Security at a glance” page.

Page not available

Your IT administrator has limited access to some areas of this app, and the item you tried to access is not available. Contact IT helpdesk for more information.

Editor’s note: If your PC is used by multiple users, you also need to make sure that the script file is saved in a secure location so that it can’t be tampered with by other users. Use NTFS permissions accordingly to secure the file.
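
Because the scripts are launched as TrustedInstaller, anyone who can edit them can run code with that privilege. The following added example (not part of the original article) restricts the D:\Tools folder used above to Administrators and SYSTEM, then audits the folder and its files for any other account that can still modify them; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
$folder = 'D:\Tools'   # folder used in this article; adjust to your own path

# Well-known SIDs, so the script also works on non-English Windows.
$admins  = 'S-1-5-32-544'   # BUILTIN\Administrators
$system  = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$tiSid   = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
$trusted = $admins, $system, $tiSid

# 1. Stop inheriting ACEs from the parent and grant full control only to
#    Administrators and SYSTEM; files inside the folder inherit these entries.
icacls $folder /inheritance:r /grant:r "*${admins}:(OI)(CI)F" "*${system}:(OI)(CI)F" | Out-Null

# 2. The owner can always rewrite the ACL, so check that as well.
$owner = (Get-Acl -LiteralPath $folder).GetOwner([System.Security.Principal.SecurityIdentifier]).Value
if ($owner -notin $trusted) {
    Write-Warning "Folder owner $owner is not an administrative account and can change the permissions."
}

# 3. Audit: list every "Allow" entry that still lets another account change,
#    delete or re-permission the folder or anything in it (explicit ACEs that
#    existed before step 1 are not removed by icacls /grant:r).
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$items = @(Get-Item -LiteralPath $folder) + @(Get-ChildItem -LiteralPath $folder -Recurse -Force)

$findings = foreach ($item in $items) {
    $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid      = $rule.IdentityReference.Value
        $canWrite = ([int]$rule.FileSystemRights -band [int]$writeRights) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and $sid -notin $trusted) {
            [pscustomobject]@{ Path = $item.FullName; Sid = $sid; Rights = $rule.FileSystemRights }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No account other than Administrators, SYSTEM or TrustedInstaller can modify the scripts.' }
```

Any row the audit prints is an account that could replace the script contents before the shortcut is next run.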

How to Enable and Start Microsoft Defender?

To re-enable and start the Microsoft Defender Antivirus Service and the Microsoft Defender Antivirus Network Inspection Service, follow these steps:

Create another script file named enable-defender.vbs with the following contents:

'Description: Script to enable the Microsoft Defender Antivirus service

Set ServiceSet = GetObject("winmgmts:").ExecQuery _
("select * from Win32_Service where Name='WinDefend'")
For Each Service In ServiceSet
   Service.ChangeStartMode("Automatic")
   RetVal = Service.StartService()    
   If RetVal <> 0 Then 
      MsgBox "Error " & RetVal
   End If
Next

Then launch the script as TrustedInstaller, using the following AdvancedRun command-line:

D:\Tools\AdvancedRun.exe /EXEFilename "%windir%\system32\wscript.exe" /CommandLine '"D:\Tools\enable-defender.vbs"' /RunAs 8 /Run

You can create separate desktop shortcuts to the above commands to quickly enable or disable the Microsoft Defender Antivirus service.

(An alternative tool/method to enable/disable Microsoft Defender is Defender Control app from Sordum.)


Note: Methods 2 and 3 below don’t work if the Tamper Protection feature is enabled in Windows Defender Settings. Tamper Protection prevents third-party apps or scripts from modifying Windows Defender settings. The feature was first introduced in Windows 10 v1903 (19H1).




Method 2: Shortcuts to enable and disable Defender real-time protection

You can disable Windows Defender real-time protection using this PowerShell command:

powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"

After you run the above command from an elevated Command Prompt or Run dialog (elevated), it disables the real-time protection component of Windows Defender. Following that, you’ll immediately see the “Virus & threat protection” action center notification.

To turn real-time protection back on, use this command-line:

powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $false"

The above commands need to be run elevated (run as administrator).

You can create separate desktop shortcuts to the above commands and run them as required. Make sure you run the shortcut using the Run as administrator option in the right-click menu. Alternatively, you can configure the shortcut properties so that it runs elevated every time.


Method 3: PowerShell script (.ps1) to toggle Defender real-time protection

This method uses a simple PowerShell script, which, when run, toggles the Windows Defender real-time protection setting. If it’s turned off, the script turns it back on, and vice versa. So, you’ll need just one shortcut if using this method.

  1. Copy the following lines to Notepad:
    $preferences = Get-MpPreference
    Set-MpPreference -DisableRealtimeMonitoring (!$preferences.DisableRealtimeMonitoring)

  2. Save the file with a .ps1 extension in a permanent location. Let’s say d:\tools\defender-realtime-toggle.ps1
  3. Create a desktop shortcut with the following command:
    powershell.exe -ExecutionPolicy Bypass -File "D:\Tools\defender-realtime-toggle.ps1"

That’s it! As always, whenever you plan to run the shortcut/script, you need to run it elevated (run as administrator.)
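
To confirm what state Defender is actually in after using any of these shortcuts, and to see when protection was switched, the following added example (not part of the original article) reads the status with Get-MpComputerStatus and the Defender operational event log. Event IDs 5000, 5001 and 5007 are the documented "real-time protection enabled", "real-time protection disabled" and "configuration changed" events; the 7-day window is an arbitrary choice.

```powershell
# Added example (not from the original article). Run from an elevated prompt.

# 1. Current state. Get-MpComputerStatus fails when the WinDefend service is
#    stopped (Method 1), so fall back to the service record in that case.
try {
    $s = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        ServiceEnabled     = $s.AMServiceEnabled
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        TamperProtection   = $s.IsTamperProtected   # if True, Methods 2 and 3 have no effect
        ProductVersion     = $s.AMProductVersion    # antimalware platform version (4.18.x)
    } | Format-List
    if (-not $s.RealTimeProtectionEnabled) {
        Write-Warning 'Real-time protection is currently OFF.'
    }
}
catch {
    $svc = Get-Service -Name WinDefend
    Write-Warning "Defender status unavailable; WinDefend is $($svc.Status), start type $($svc.StartType)."
}

# 2. History: when was real-time protection switched or the configuration
#    changed during the last 7 days? The log remains readable while the
#    service is stopped.
$meaning = @{
    5000 = 'Real-time protection enabled'
    5001 = 'Real-time protection disabled'
    5007 = 'Configuration changed'
}
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5000, 5001, 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Meaning'; e = { $meaning[[int]$_.Id] } } |
        Format-Table -AutoSize
}
else {
    'No matching Defender events in the last 7 days.'
}
```

A 5001 event with no later 5000 event means protection was turned off and never turned back on.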

Other PowerShell cmdlets to manage Windows Defender

To know the complete list of PowerShell cmdlets for managing Windows Defender, check out the Microsoft docs article on Defender-specific PowerShell cmdlets.

We’ve covered PowerShell’s Defender-specific cmdlets in the earlier articles listed below:

  1. What is Controlled Folder Access in Windows 10, and How to Configure it?
  2. Enable or Disable “Controlled Folder Access” Quickly Using Shortcuts
  3. How to Enable PUA, PUP, or Adware Protection in Windows Defender?
  4. Windows Defender Offline Scan in Windows 10 Eliminates Complex Malware

I hope you liked the shortcut or command-line method to enable and disable Windows Defender real-time protection on your computer.

(This article was last updated on April 7, 2022. Tested on Windows 10 Version 21H2 Build 19044.1466 and Windows 11 Version 21H2 Build 22000.438. The steps listed under “Method 1” don’t work on Windows 10 21H2 Build 10.0.19044.1586. The script throws up “Error 2”.)


Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

12 thoughts on “Enable or Disable Windows Defender Using Shortcut or Command-line”

  1. I’m wondering if you can somehow run/create a shortcut from a C sharp app. Maybe there are other ways to run that command with AdvancedRun and with TrustedInstaller rights from cmd/PowerShell? Are there other programs that could allow executing commands with TrustedInstaller rights from the command prompt?

    • @jerry: You’re using the wrong command-line. If you’re running it interactively, then remove the /RunAs 8 /Run part. Instead, choose TrustedInstaller in the “Run As” list box.

      To run it via command-line, use:

      AdvancedRun.exe /EXEFilename "%windir%\system32\wscript.exe" /CommandLine '"D:\Tools\disable-defender.vbs"' /RunAs 8 /Run

    • @Ramad: Error 2 means “The user did not have the necessary access.”

      I can confirm that this error occurs in the latest Windows 10 build 10.0.19044.1586 (21H2) despite running the script as TrustedInstaller.

  2. Hi, I’m not a programmer. Many times I needed to temporarily disable Defender on a few computers, which is tedious. Can/would you convert your scripts to be used in a portable fashion on a thumb drive? That would be so convenient.

  3. With administrator, system or TrustedInstaller rights you won’t stop anymore, but you will stop by stealing a token and impersonating the corresponding group ACL. Windows Defender is getting better and better protected, but the stopping techniques are moving a step ahead. Shutdown is a completely different thing we are talking about stopping and unloading the associated drivers from memory and loading them on demand (the equivalent of net stop windefend). In future systems they may protect certain PIDs, then you will have to write a loader under UEFI and also it can be done, even despite the SecureBoot flag
    There is a lot of undocumented code and popped ntdll.h on the exploit forums. After careful analysis, you can create any tool you want
    Take a look:
    https://forums.mydigitallife.net/threads/stopping-and-starting-the-windows-defender-service-on-demand.86948/
