Defender Control
A professional PowerShell WPF utility to comprehensively disable or re-enable Microsoft Defender on Windows 10/11. Dark-themed GUI with fully async operations, detailed logging, and complete reversibility.
Why This Exists
Sometimes you need Defender completely out of the way — deploying custom imaging software, running legacy tools that trigger false positives, benchmarking without AV overhead, or configuring kiosk systems. The built-in Windows UI only lets you temporarily disable real-time protection, and it re-enables itself within minutes.
Defender Control performs a thorough multi-phase disable that persists across reboots by targeting preferences, group policy registry keys, services, scheduled tasks, PPL flags, and more. Everything is fully reversible with a single click.
Windows Firewall is completely untouched. This tool only manages Defender antivirus components. Starting in v3.2.0, this guarantee is machine-checked: every Disable/Enable run snapshots Get-NetFirewallProfile and the mpssvc/BFE service state before the first change and verifies it after the last change. Any divergence is logged as an error.
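As an added illustration (not code from the Defender Control project), the firewall integrity guard described above can be reproduced with a before/after snapshot of Get-NetFirewallProfile and the mpssvc/BFE services; it assumes an elevated Windows PowerShell 5.1 session with the in-box NetSecurity module and reports any divergence as an error:

```powershell
# Added example (not the project's code): a stand-alone firewall integrity guard in the
# spirit of the v3.2.0 check. Snapshot the three profiles and the mpssvc/BFE services,
# run the mutating operation, snapshot again, and report any divergence as an error.
function Get-FirewallSnapshot {
    $profiles = Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Key   = "profile:$($_.Name)"
            Value = "Enabled=$($_.Enabled);In=$($_.DefaultInboundAction);Out=$($_.DefaultOutboundAction)"
        }
    }
    $services = foreach ($name in 'mpssvc', 'BFE') {
        $svc = Get-Service -Name $name -ErrorAction Stop
        $wmi = Get-CimInstance Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Key   = "service:$name"
            Value = "Status=$($svc.Status);StartMode=$($wmi.StartMode)"
        }
    }
    $snap = @{}
    foreach ($row in @($profiles) + @($services)) { $snap[$row.Key] = $row.Value }
    return $snap
}

function Compare-FirewallSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    # Every key captured before the change must read identically afterwards
    $diffs = foreach ($key in ($Before.Keys | Sort-Object)) {
        if ($After[$key] -ne $Before[$key]) {
            "$key changed: '$($Before[$key])' -> '$($After[$key])'"
        }
    }
    return @($diffs)
}

# Usage: wrap any mutating operation between the two snapshots.
$before = Get-FirewallSnapshot
# ... the Disable/Enable phases would run here ...
$after  = Get-FirewallSnapshot
$drift  = Compare-FirewallSnapshot -Before $before -After $after
if ($drift.Count -eq 0) {
    Write-Host 'Firewall integrity guard: PASS (no divergence)' -ForegroundColor Green
} else {
    $drift | ForEach-Object { Write-Error "Firewall integrity guard: $_" }
}
```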
Features
- 10-Phase Disable — Preferences, group policy, notifications, scheduled tasks, services, PPL flags, context menus, SmartScreen, and process termination
- 7-Phase Enable — Full restoration to Windows defaults with signature update and verification
- Fully Async GUI — All operations run in background runspaces; the window never freezes
- 4-Level Permission Escalation — Direct write → .NET handle with ownership → reg.exe → SYSTEM scheduled task
- PPL Flag Stripping — Removes Protected Process Light from Defender services so they don't survive reboot
- System Restore Point — Automatically created before disabling for easy rollback
- Dry Run Mode — Simulate the entire operation without making any changes
- Verbose Toggle — Filter log output between important-only and full diagnostic detail
- Export Log — Save the full operation log to a text file for troubleshooting or documentation
- Reboot Button — Appears after operations that need a restart
- OS Build Awareness — Detects Win10/11, warns on deprecated GP keys (Win11 22H2+), blocks unsupported versions
- Self-Elevation — Automatically requests Administrator via UAC
- Orphan Cleanup — Removes leftover scheduled tasks from interrupted previous runs
- Firewall Integrity Guard — Snapshots firewall profile state + mpssvc/BFE service state before Phase 1; verifies no divergence after Phase 10
- Third-Party AV Pre-Flight — Warns via Security Center WMI when no non-Microsoft AV is registered before disabling
- Undo / Audit Manifest — Every Disable/Enable writes a JSON audit record to `%ProgramData%\DefenderControl\manifests\`; view with `-Mode Manifest`
Requirements
| Requirement | Details |
|---|---|
| OS | Windows 10 (1809+) or Windows 11 |
| PowerShell | Windows PowerShell 5.1 (not PowerShell 7) |
| Privileges | Administrator (auto-elevates via UAC) |
| Tamper Protection | Should be OFF for full effectiveness (see below) |
Usage
Quick Start
- Download `DefenderControl.ps1`
- Right-click → Run with PowerShell (or it will self-elevate)
- Disable Tamper Protection first if you haven't already
- Click Disable Defender or Enable Defender
- Reboot when prompted
Tamper Protection
For the disable operation to fully persist, Tamper Protection must be turned off manually — Microsoft does not allow programmatic control of this setting.
Windows Security → Virus & Threat Protection → Manage Settings → Tamper Protection → Off
The tool detects Tamper Protection status and warns you if it's still on. Operations will still run, but Windows will silently revert many registry changes.
Dry Run Mode
Check the Dry Run checkbox before clicking Disable or Enable. The tool will log exactly what it would do without making any changes. Useful for auditing or understanding the scope before committing.
Command Line
```powershell
# Launch the WPF GUI
powershell.exe -ExecutionPolicy Bypass -File "DefenderControl.ps1"
# Print current Defender state
powershell.exe -ExecutionPolicy Bypass -File "DefenderControl.ps1" -Mode Status
# Extended state: services + PPL + scheduled tasks + policy keys + third-party AV
powershell.exe -ExecutionPolicy Bypass -File "DefenderControl.ps1" -Mode Health
# Emit stable JSON for automation pipelines
powershell.exe -ExecutionPolicy Bypass -File "DefenderControl.ps1" -Mode Health -Json
# Show CLI usage
powershell.exe -ExecutionPolicy Bypass -File "DefenderControl.ps1" -Help
```
Exit codes: 0 success, 1 partial, 2 blocked by Tamper Protection, 3 Safe Mode required, 4 usage / OS error, 5 verification failure.
`-Mode Disable` and `-Mode Enable` are reserved — use the GUI for mutating operations. Read-only Status / Health / Verify / Manifest modes are CLI-safe.
Note on elevation: all CLI modes require Administrator privileges. If you invoke the script from a non-elevated shell, it re-launches in a new UAC-elevated window and the CLI output appears there, not in your calling shell. For automation pipelines, elevate the calling shell once (`Start-Process powershell -Verb RunAs`) and then invoke the script normally so stdout/stderr return to the caller.
Verify Mode
```powershell
# Assert Defender is fully enabled (exit 0 PASS, exit 5 FAIL, exit 2 if Tamper blocked)
powershell.exe -ExecutionPolicy Bypass -File "DefenderControl.ps1" -Mode Verify -Expect Enabled
# Assert Defender is fully disabled after a Disable run
powershell.exe -ExecutionPolicy Bypass -File "DefenderControl.ps1" -Mode Verify -Expect Disabled
# Opt-in synthetic detection test (writes a harmless EICAR test file, waits 2.5s, cleans up)
powershell.exe -ExecutionPolicy Bypass -File "DefenderControl.ps1" -Mode Verify -Expect Enabled -Eicar -Force
# JSON shape for automation: { expectation, overall, failCount, checks[] }
powershell.exe -ExecutionPolicy Bypass -File "DefenderControl.ps1" -Mode Verify -Json
```
Undo / Audit Manifests
Every Disable and Enable run writes a JSON audit manifest to `%ProgramData%\DefenderControl\manifests\<operation>-<timestamp>.json` with firewall before/after snapshots, third-party AV detection, and the list of phases that ran. View the latest:
```powershell
powershell.exe -ExecutionPolicy Bypass -File "DefenderControl.ps1" -Mode Manifest
powershell.exe -ExecutionPolicy Bypass -File "DefenderControl.ps1" -Mode Manifest -Json
```
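An added example, not the project's code, of a read-only check a defender can run to confirm Defender has not been disabled on a host; it returns an object in the same { expectation, overall, failCount, checks[] } shape and follows the exit-code convention above (0 PASS, 5 FAIL). The registry paths, service name and task folder are the in-box Defender locations, assumed here rather than taken from the tool; run it in an elevated Windows PowerShell 5.1 session.

```powershell
# Added example (not the project's code): read-only "is Defender still enabled" check
# modelled on the tool's "-Mode Verify -Expect Enabled -Json" output shape.
function Test-DefenderEnabled {
    $checks = New-Object System.Collections.Generic.List[object]
    $add = { param($n, $ok, $d) $checks.Add([pscustomobject]@{ name = $n; pass = [bool]$ok; detail = $d }) }

    # Engine state as reported by the Defender status provider
    $st = Get-MpComputerStatus
    & $add 'AMService' $st.AMServiceEnabled          "AMServiceEnabled=$($st.AMServiceEnabled)"
    & $add 'Antivirus' $st.AntivirusEnabled          "AntivirusEnabled=$($st.AntivirusEnabled)"
    & $add 'RealTime'  $st.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($st.RealTimeProtectionEnabled)"
    & $add 'Tamper'    $st.IsTamperProtected         "IsTamperProtected=$($st.IsTamperProtected)"

    # Policy keys a disable run plants (assumed in-box paths); absent or 0 is healthy
    $pol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $keys = @{ 'DisableAntiSpyware' = $pol; 'DisableRealtimeMonitoring' = "$pol\Real-Time Protection" }
    foreach ($k in $keys.Keys) {
        $v = (Get-ItemProperty -Path $keys[$k] -Name $k -ErrorAction SilentlyContinue).$k
        & $add "Policy:$k" ($null -eq $v -or $v -eq 0) "value=$(if ($null -eq $v) { '<absent>' } else { $v })"
    }

    # Core user-mode service must not be Disabled (Start=4) and should be running
    $svc = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
    & $add 'Service:WinDefend' ($svc -and $svc.StartMode -ne 'Disabled' -and $svc.State -eq 'Running') "StartMode=$($svc.StartMode);State=$($svc.State)"

    # Defender maintenance tasks should exist and none should be disabled
    $tasks    = @(Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -ErrorAction SilentlyContinue)
    $disabled = @($tasks | Where-Object State -eq 'Disabled')
    & $add 'ScheduledTasks' ($tasks.Count -gt 0 -and $disabled.Count -eq 0) "total=$($tasks.Count);disabled=$($disabled.Count)"

    # Drive-root or wildcard path exclusions effectively blind the scanner
    $pref  = Get-MpPreference
    $broad = @($pref.ExclusionPath | Where-Object { $_ -match '^[A-Za-z]:\\?$' -or $_ -match '^\*' })
    & $add 'Exclusions' ($broad.Count -eq 0) "broadPaths=$($broad -join ',')"

    $fails = @($checks | Where-Object { -not $_.pass })
    [pscustomobject]@{
        expectation = 'Enabled'
        overall     = $(if ($fails.Count -eq 0) { 'PASS' } else { 'FAIL' })
        failCount   = $fails.Count
        checks      = $checks.ToArray()
    }
}

$result = Test-DefenderEnabled
$result | ConvertTo-Json -Depth 4
exit $(if ($result.overall -eq 'PASS') { 0 } else { 5 })
```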
What It Does
Disable Operation (10 Phases)
| Phase | Action |
|---|---|
| 1 | System Restore Point — Creates a restore point before making changes |
| 2 | Tamper Protection Check — Detects and warns if Tamper Protection is blocking changes |
| 3 | Preferences — Disables 25 Set-MpPreference settings, adds wildcard exclusions for drives/extensions/processes |
| 4 | Group Policy Registry — Sets 19 policy keys (DisableAntiSpyware, DisableRealtimeMonitoring, SpynetReporting, etc.) |
| 5 | Notifications & Systray — Suppresses all Defender notifications, hides system tray icon, disables SecurityHealth autostart |
| 6 | Scheduled Tasks — Disables 5 Defender tasks (Cache Maintenance, Cleanup, Scan, Verification, ExploitGuard) |
| 7 | Services — Sets Start=4 (Disabled) for 8 services with permission escalation, strips PPL flags from 4 core services |
| 8 | Context Menus — Removes "Scan with Microsoft Defender" from right-click menus |
| 9 | Additional — Disables SmartScreen, suppresses signature auto-updates |
| 10 | Processes — Kills non-protected processes, logs PPL status for MsMpEng |
Enable Operation (7 Phases)
| Phase | Action |
|---|---|
| 1 | Remove Policies — Deletes entire Defender policy registry tree |
| 2 | Restore Preferences — Restores 24 settings to defaults, clears all exclusions |
| 3 | Restore Services — Sets default start types, restores PPL flags, starts services |
| 4 | Scheduled Tasks — Re-enables all 5 tasks |
| 5 | Context Menus & Systray — Restores context menu GUIDs, autostart, notifications, SmartScreen |
| 6 | Signature Update — Triggers Update-MpSignature |
| 7 | Verify — Queries Get-MpComputerStatus to confirm restoration |
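As an added example, not the project's own Enable implementation, the following script walks the restoration phases in the table using only in-box cmdlets: policy tree removal, preference and exclusion reset, WinDefend start type, scheduled tasks, signature update and a final status check. It assumes an elevated Windows PowerShell 5.1 session; the context-menu GUID, systray and PPL-flag restores are omitted because their values are not documented here, and with Tamper Protection on some steps are expected to fail and are reported rather than hidden.

```powershell
# Added example (not the project's code): minimal incident-response remediation that
# follows the Enable phases listed above, restricted to documented in-box cmdlets.
# Each step records OK/FAIL so a responder sees exactly which restoration stuck.
$ErrorActionPreference = 'Continue'
$report = @()
function Step([string]$name, [scriptblock]$body) {
    try   { & $body; $script:report += "[OK]   $name" }
    catch { $script:report += "[FAIL] $name : $($_.Exception.Message)" }
}

# Phase 1: remove the Defender policy tree so GP-style disable keys stop applying
Step 'Remove policy tree' {
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'   # assumed in-box path
    if (Test-Path $pol) { Remove-Item -Path $pol -Recurse -Force -ErrorAction Stop }
}

# Phase 2: turn the commonly flipped preferences back on and clear every exclusion
Step 'Restore preferences' {
    Set-MpPreference -DisableRealtimeMonitoring $false -DisableBehaviorMonitoring $false `
        -DisableIOAVProtection $false -DisableScriptScanning $false -ErrorAction Stop
    $p = Get-MpPreference
    if ($p.ExclusionPath)      { Remove-MpPreference -ExclusionPath      $p.ExclusionPath }
    if ($p.ExclusionExtension) { Remove-MpPreference -ExclusionExtension $p.ExclusionExtension }
    if ($p.ExclusionProcess)   { Remove-MpPreference -ExclusionProcess   $p.ExclusionProcess }
}

# Phase 3: core user-mode service back to Automatic and running
Step 'Restore WinDefend service' {
    Set-Service -Name WinDefend -StartupType Automatic -ErrorAction Stop
    Start-Service -Name WinDefend -ErrorAction Stop
}

# Phase 4: re-enable whichever Defender maintenance tasks were disabled
Step 'Re-enable scheduled tasks' {
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -ErrorAction Stop |
        Where-Object State -eq 'Disabled' | Enable-ScheduledTask | Out-Null
}

# Phase 6: refresh signatures; Phase 7: confirm via the status provider
Step 'Update signatures' { Update-MpSignature -ErrorAction Stop }
Step 'Verify' {
    $s = Get-MpComputerStatus
    if (-not ($s.AMServiceEnabled -and $s.RealTimeProtectionEnabled)) {
        throw "AMServiceEnabled=$($s.AMServiceEnabled) RealTimeProtectionEnabled=$($s.RealTimeProtectionEnabled)"
    }
}
$report
```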
What It Does NOT Do
- Does not touch Windows Firewall
- Does not delete Defender binaries or Windows components
- Does not modify boot configuration or safe mode settings
- Does not disable Windows Update
- All changes are fully reversible via the Enable button or System Restore
Permission Escalation
Defender service registry keys (WinDefend, WdFilter, etc.) are protected even from Administrators. The tool uses a 4-level escalation chain:
- Direct write via `Set-ItemProperty` — works for unprotected keys
- Take ownership + .NET handle — P/Invoke `SeTakeOwnershipPrivilege`, set owner to Administrators SID, grant FullControl, write via `RegistryKey.SetValue()`
- reg.exe — Command-line registry editor sometimes bypasses PowerShell permission constraints
- SYSTEM scheduled task — Creates a one-shot task running as SYSTEM to execute `reg.exe add`, verifies the write, then cleans up
The log shows exactly which method succeeded for each key.
Known Limitations
MsMpEng.exe (Antimalware Service Executable) runs as a Protected Process Light (PPL) and cannot be killed in the current session. Once services are disabled and PPL flags are stripped, it will not restart after reboot.
Tamper Protection will silently revert registry changes if left on. The tool detects this and warns you, but cannot programmatically disable it.
Windows Home editions lack Group Policy support. Phase 4 registry keys will still be written but may have reduced effectiveness.
Checkpoint-Computer (System Restore) is throttled to one restore point per 24 hours by Windows. If one was created recently, the tool logs a warning and continues.
Some heavily locked service keys may resist all 4 escalation methods. In this case, the only remaining option is Safe Mode, which is outside the scope of this tool.
Log Colors
| Color | Meaning |
|---|---|
| 🔵 Blue | Informational messages |
| 🟢 Green | Successful operations |
| 🟠 Orange | Warnings (non-fatal) |
| 🔴 Red | Errors (operation failed) |
| 🟣 Purple | Phase headers |
| ⚫ Gray | Verbose diagnostics |
License
MIT License — see LICENSE for details.
Disclaimer
This tool is intended for system administrators, IT professionals, and power users who understand the security implications of disabling endpoint protection. Disabling Defender leaves your system vulnerable to malware.
Use at your own risk. Always ensure you have alternative security measures in place when Defender is disabled.