Advice Request Disable Microsoft Defender on Windows 11

Please provide comments and solutions that are helpful to the author of this topic.
R

rashmi

Level 27
Thread author
Verified
Jan 15, 2024
1,605
1
3,685
2,568
I disable Microsoft Defender on Windows 11 Pro with Sordum's DefenderControl, which works well for me, though the developer discontinued it. I found the following solution on a blog, which, according to some, works.

@Andy Ful, Do you know this solution, and do these registry tweaks work? I thought to confirm with you or get your insight before performing these tweaks.

Step 1
Boot in safe mode:
Press Windows key + R to open the run dialog
Type msconfig and press enter
Select the boot tab
Under Boot options enable “Safe boot“
Press Ok and restart your computer

Step 2
Enter registry:
Press Windows key + R
Type regedit <enter> to open the registry
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service
Change the following folders the key Start to 4
Sense
WdBoot
WdFilter
WdNisDrv
WdNisSvc
WinDefend

Step 3
Follow step 1 to reboot Windows back to normal mode.

Restore the values to reenable Microsoft Defender.
HKLM\SYSTEM\CurrentControlSet\Services\Sense\Start 3
HKLM\SYSTEM\CurrentControlSet\Services\WdBoot\Start 0
HKLM\SYSTEM\CurrentControlSet\Services\WdFilter\Start 0
HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv\Start 3
HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc\Start 3
HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start 2
Click to expand...
 
Last edited:
  • Like
  • Wow
Reactions: piquiteco, Zero Knowledge, EASTER and 2 others
rashmi said:
I disable Microsoft Defender on Windows 11 Pro with Sordum's DefenderControl, which works well for me, though the developer discontinued it. I found the following solution on a blog, which, according to some, works.

@Andy Ful, Do you know this solution, and do these registry tweaks work? I thought to confirm with you or get your insight before performing these tweaks.
Click to expand...
I am not @Andy Ful, but I can explain what those tweaks do and what you can realistically expect from them on Windows 11 Pro.

1. What these registry tweaks actually do

The keys you listed are service start types:

  • HKLM\SYSTEM\CurrentControlSet\Services\Sense – Microsoft Defender Advanced Threat Protection / EDR sensor
  • HKLM\SYSTEM\CurrentControlSet\Services\WdBoot – Defender boot-time driver
  • HKLM\SYSTEM\CurrentControlSet\Services\WdFilter – Defender minifilter driver (real‑time protection)
  • HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv – Network Inspection System driver
  • HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc – Network Inspection System service
  • HKLM\SYSTEM\CurrentControlSet\Services\WinDefend – Main Microsoft Defender Antivirus service

The Start value controls how a service/driver starts:

  • 0 = Boot
  • 1 = System
  • 2 = Automatic
  • 3 = Manual
  • 4 = Disabled

So the blog is essentially telling you to:

  • Boot into Safe Mode (to bypass Defender self‑protection)
  • Set each of the above Start values to 4 (disabled)
  • Reboot normally so that Defender’s drivers and services never start

That is a “hard” disable at the service/driver level, not just via the Windows Security GUI.

2. Do these tweaks work on Windows 11?

Technically, on many current Windows 10/11 builds:

  • Setting those Start values to 4 in Safe Mode does prevent those specific Defender services/drivers from loading on next normal boot.
  • The corresponding “Restore” values you posted match the typical defaults (Boot/Auto/Manual) and should re‑enable them if nothing else has changed.

However, there are important caveats:

  • Microsoft can and does change Defender and its services across builds. A tweak that works today may stop working or behave differently after a feature update.
  • Tamper Protection and other integrity mechanisms can sometimes revert or block changes, especially if you try it in normal mode. Safe Mode usually bypasses this, but that’s not guaranteed forever.
  • Cumulative / feature updates can silently restore or replace service definitions, which may partially or fully re‑enable Defender even if your Start values were set to 4.
  • Windows Security app will likely complain / show errors because its core services are missing or disabled.

So:

Yes, these values are logically consistent and have been observed to work on some Windows 11 systems, but there is no guarantee they will:
  • work on every current build, or
  • continue to work after future updates.

As an AI, I can’t test your exact build or confirm behavior on your machine.

3. Risks and things to be aware of

If you decide to try this:

  • Back up first:
    • Create a System Restore point.
    • Export the entire HKLM\SYSTEM\CurrentControlSet\Services\ branch or at least each edited key.
  • A typo in Services keys (especially boot/start drivers) can lead to boot issues.
  • Defender being fully disabled means:
    • No built‑in real‑time AV if your third‑party solution fails, expires, or is uninstalled.
    • Potential compatibility complaints from Windows Security / some Microsoft tools.
  • Future major upgrades (e.g. 23H2 → 24H2, etc.) might:
    • Recreate or reset some of these values.
    • Fail or show warnings if they detect “tampered” security components (not very common, but possible).

4. Compared to Sordum’s DefenderControl

DefenderControl (and similar tools) typically do some combination of:

  • Service start‑type changes
  • Related policy / registry settings
  • Task / permission tweaks

So what you found is basically a “manual” version of what such tools do under the hood. The main downside is:

  • You are now responsible for getting every value exactly right.
  • There is no convenient “one click restore” if you forget the defaults or something changes in a future build.

If DefenderControl still works reliably for you on your current build, there is no strong practical advantage to switching to this manual method, aside from not depending on a discontinued tool.

5. About @andy Ful’s specific opinion

For @andy Ful’s exact view, you’ll need to wait for his reply in the thread. He knows Defender’s internals and policies better than most and may have:

  • Additional insight on how this interacts with current/future Windows 11 builds.
  • Safer or cleaner methods (e.g. through policies or his own tools) depending on your setup.

Summary

  • The registry tweaks you posted are technically sound in principle and have been reported to work on some Windows 11 systems.
  • They hard‑disable Defender services/drivers by setting their Start values to 4.
  • They are not future‑proof, may be reverted by updates, and carry the usual risks of low‑level service edits.
  • If you try them, do it only in Safe Mode, with full backups and a clear plan to restore the exact default values.

If you share your exact Windows 11 version/build and whether you run a third‑party AV alongside, I can suggest a more tailored “Defender off” approach that’s less brittle than raw service hacking.
 
  • Like
Reactions: TairikuOkami and rashmi
rashmi said:
I want to disable Microsoft Defender permanently. Windows 11 version/build 25H2 26200.7171.
Click to expand...
On current Windows 11 builds (including 25H2), there is no 100% “permanent forever” way to disable Defender – Microsoft can always change behavior with updates. But the registry method you quoted is essentially a hard disable of Defender’s core services and is one of the strongest approaches available right now, with some important caveats.

1. Your build: Windows 11 25H2 26200.7171

26200.7171 is a 25H2 build (preview/insider territory). That means:

  • The core Defender services (WinDefend, WdFilter, etc.) still exist and still use the Start values you mentioned.
  • Microsoft can change their behavior at any time in updates, so anything that works now might partially/fully break later.
  • I cannot test this exact build, so I can only base the answer on how these services normally behave in recent 23H2/24H2/25H2 builds.

2. Do those specific tweaks work in principle?

The method:

  • Editing in Safe Mode
  • Setting Start = 4 (Disabled) for:
    • Sense
    • WdBoot
    • WdFilter
    • WdNisDrv
    • WdNisSvc
    • WinDefend

…is a valid and commonly used way to stop Defender’s core antivirus and related components from loading at boot. On many Windows 10/11 builds, this will:

  • Prevent real‑time AV (minifilter + boot driver) from loading.
  • Disable NIS (network inspection) parts.
  • Stop the main Defender AV service and ATP/EDR sensor.

The “restore” values you posted:

  • Sense\Start = 3
  • WdBoot\Start = 0
  • WdFilter\Start = 0
  • WdNisDrv\Start = 3
  • WdNisSvc\Start = 3
  • WinDefend\Start = 2

…match the usual defaults and should re‑enable Defender if Microsoft hasn’t altered something in your specific build.

So: yes, conceptually this is sound and is likely to work on 25H2 as well, but I cannot guarantee behavior on your exact build or after future updates.

3. Important limitations and risks

Before you go this route, be aware:

  • No method is truly permanent
    • Feature upgrades (e.g. 25H2 → future builds) may recreate or reset service configs.
    • Defender components can be re‑installed or replaced by Windows updates.
  • Tamper Protection
    • If Tamper Protection is ON, Defender will try to block or revert hostile changes.
    • Safe Mode usually bypasses it, but behavior can change between builds.
  • Windows Security app issues
    • With services disabled, the Windows Security UI will show errors / “Security at a glance” complaints.
    • Some Windows features expecting Defender may behave oddly or show warnings.
  • Security gap
    • If you don’t have a third‑party AV installed, you will have no real‑time AV at all.
    • If your third‑party AV fails, expires, or is uninstalled, Defender will not automatically step back in if you’ve hard‑disabled it this way.
  • Registry editing risk
    • A typo in Services keys (especially drivers with Start=0/1) can cause boot problems.
    • You must be very precise, and you must have a way back.

4. If you still want a “hard disable” (registry method)

If you are comfortable with the above and still want to do it, I’d treat this as a “strong but not future‑proof” solution:

  1. Make backups first
    • Create a System Restore point (rstrui.exe / System Protection).
    • In regedit, export each of these keys before editing:
      • HKLM\SYSTEM\CurrentControlSet\Services\Sense
      • HKLM\SYSTEM\CurrentControlSet\Services\WdBoot
      • HKLM\SYSTEM\CurrentControlSet\Services\WdFilter
      • HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv
      • HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc
      • HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
  2. Turn off Tamper Protection (if possible)
    • In normal mode, open Windows SecurityVirus & threat protectionManage settings.
    • Turn Tamper Protection to Off (if it’s there).
  3. Boot into Safe Mode
    • Press Win + Rmsconfig → [Enter].
    • On Boot tab, check Safe boot → [OK] → reboot.
  4. Edit the Start values
    • Press Win + Rregedit → [Enter].
    • Go to each key:
      • HKLM\SYSTEM\CurrentControlSet\Services\Sense
      • HKLM\SYSTEM\CurrentControlSet\Services\WdBoot
      • HKLM\SYSTEM\CurrentControlSet\Services\WdFilter
      • HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv
      • HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc
      • HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
    • In each, set Start (DWORD) to 4.
  5. Return to normal boot
    • Run msconfig again in Safe Mode.
    • Uncheck Safe boot → [OK] → reboot.
  6. Verify
    • Check Task Manager → Services, and Event Viewer for Defender‑related entries.
    • Windows Security should show errors/“managed by your organization” / missing components – that’s actually expected in this case.

To re‑enable, boot in Safe Mode again and restore the Start values you listed (or import the .reg backups you made).

5. Cleaner alternative if you use a third‑party AV

If you always plan to run another AV, there is a less “brutal” approach:

  • Install a reputable third‑party AV (ESET, Kaspersky, Bitdefender, etc.).
  • Let it register with the Security Center. Defender will typically go into passive or disabled real‑time mode.
  • In Windows Security → Virus & threat protection → Microsoft Defender Antivirus options, turn off Periodic scanning so it doesn’t run scheduled scans.
  • Optionally, in gpedit.msc (Windows 11 Pro):
    • Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus.
    • Set Turn off Microsoft Defender Antivirus = Enabled.

On newer Windows 11 builds, that Group Policy alone often does not fully disable Defender unless a third‑party AV is present, but combined with a third‑party AV it usually keeps Defender out of the way without hacking service start types.

6. Realistic expectations

  • Your registry method is one of the strongest ways to “kill” Defender, and it’s very similar to what tools like DefenderControl do under the hood.
  • It will most likely work on 25H2 26200.7171, but:
    • Feature updates can undo or change it.
    • Microsoft may add new related services/components that your tweak doesn’t touch.
  • Always keep:
    • System Restore enabled.
    • Exported .reg backups of every key you edit.
    • A bootable Windows 11 USB, in case you need to fix registry offline.

For @andy Ful’s specific view (and any interaction with his own tools / policies), it’s worth waiting for his reply in the thread, since he follows Defender behavior across versions very closely.

If you tell me whether you’ll be running a third‑party AV full‑time, I can suggest a more tailored combination (policy + UI + minimal registry) that reduces Defender’s footprint without relying only on service‑level “kills.”
 
  • Like
Reactions: rashmi
Sampei.Nihira said:
@Bot

I'm curious, with these registry changes, is Defender's Exploit Protection module enabled or disabled?
Click to expand...
Disabling those Defender services via the Start = 4 tweaks does not turn off the core Exploit protection mitigations in Windows.

1. What “Exploit protection” actually is

The Exploit protection page in Windows Security (App & browser control → Exploit protection) controls low‑level mitigations such as:

  • DEP
  • ASLR
  • Control Flow Guard (CFG)
  • SEHOP
  • Various heap / stack / image mitigations

These are implemented in the Windows kernel and via process mitigation policies, not in the WinDefend/WdFilter services. They remain active even if the Defender AV engine is disabled or removed.

So, with your registry changes:

  • Those system‑wide / per‑program exploit mitigations should still be applied.
  • The “Exploit protection” settings you see in the UI should still be in effect (unless you manually change them or import a different XML config).

2. What you do lose by disabling Defender services

Some things under the “Defender Exploit Guard” umbrella do depend on the Defender platform and services you’ve disabled:

  • Attack Surface Reduction (ASR) rules – these are implemented through Microsoft Defender Antivirus. With WinDefend and related components disabled, you should assume ASR rules are no longer enforced.
  • Network Protection (block outbound to malicious domains/IPs using SmartScreen/Defender intelligence) – typically tied to Defender’s platform; likely non‑functional in your configuration.
  • Controlled Folder Access – ransomware protection for protected folders; it is a Defender feature and normally requires the Defender engine/components.

I can’t test your exact build, but based on how these features are documented and normally behave, a “hard kill” of WinDefend, WdFilter, WdNis*, Sense will very likely stop ASR, Network Protection, and CFA from working.

3. Practical takeaway for your setup

With the registry tweaks you posted on 25H2:

  • Still active:
    • Core Exploit protection process mitigations (DEP, ASLR, CFG, etc.).
    • Other OS‑level mitigations unrelated to Defender AV.
  • Likely inactive / lost:
    • ASR rules.
    • Defender Network Protection.
    • Controlled Folder Access and other Defender‑specific hardening that rides on the AV platform.

So you’re not “naked” in terms of exploit mitigations; you’re mainly losing the Defender‑specific advanced protections that sit on top of the AV engine. If you rely on that kind of hardening, you’d need to replace it with third‑party tools or other OS features (e.g. custom Exploit protection XML configs, application whitelisting, etc.).
 
  • Like
Reactions: rashmi, Jonny Quest and Sampei.Nihira
Sampei.Nihira said:
@Bot

I thought so, thank you for confirming.
Click to expand...
You’re welcome.

If you later decide to keep Defender disabled long‑term, it can be worth:

  • Reviewing your Exploit protection settings (system and program-level) and exporting them as an XML backup.
  • Making sure you have a solid replacement for:
    • Real‑time AV
    • Network filtering / web protection
    • Ransomware protection (e.g. backups + possibly third‑party anti‑ransomware or HIPS)

If you share what other security software you run, I can suggest how to best complement it given that Defender (and its advanced features) are out of the picture.
 
  • Like
Reactions: rashmi
rashmi said:
Does this also affect tools like Sordum's DefenderControl?
Click to expand...
Yes – the same principle applies to tools like Sordum’s DefenderControl.

1. What feature upgrades do

During a major feature upgrade (or a big build jump), Windows can:

  • Recreate or update Defender services and drivers (including WinDefend, WdFilter, etc.).
  • Reset some security‑related registry values and policies back to defaults.
  • Re‑enable or change things like Tamper Protection.

That can undo any method of disabling Defender:

  • Manual registry edits (the Start=4 changes you posted).
  • Group Policy settings.
  • Changes done by utilities such as DefenderControl.

2. DefenderControl specifically

DefenderControl essentially automates what you’ve been discussing:

  • It changes Defender‑related registry values, services, and/or policies.
  • It doesn’t patch system binaries or permanently remove Defender from Windows.

Because of that:

  • A feature upgrade can restore those services and settings, making Defender active again.
  • After an upgrade, DefenderControl may:
    • Show Defender as enabled again, requiring you to re‑apply the “disable” button.
    • Need an update itself to stay compatible (but it’s discontinued, so that’s a risk).

3. Practical takeaway

  • Whether you use DefenderControl or manual Start=4 edits, you should assume a major upgrade can re‑enable Defender.
  • After each feature upgrade or big build change:
    • Open Windows Security and check Defender status.
    • If needed, re‑run DefenderControl or re‑apply your registry method.
  • Because DefenderControl is discontinued, there’s a higher chance that at some point a future build may break or block it.

So yes: DefenderControl is affected by the same “Windows might reset Defender during upgrades” issue as any other non‑official way of disabling it.
 
  • Like
Reactions: rashmi
@Bot I like this idea:
If you tell me whether you’ll be running a third‑party AV full‑time, I can suggest a more tailored combination (policy + UI + minimal registry) that reduces Defender’s footprint without relying only on service‑level “kills.”
Click to expand...

@rashmi just curious, why are you trying to totally disable defender? Will a major Windows update try to revert the settings and cause issues? What if you wanted to re-enable defender, will it be a nightmare in doing so, and having to resort to a Windows reset?
 
  • Like
  • Hundred Points
  • +Reputation
Reactions: piquiteco, Zero Knowledge, Sorrento and 4 others
Jonny Quest said:
@Bot I like this idea:


@rashmi just curious, why are you trying to totally disable defender? Will a major Windows update try to revert the settings and cause issues? What if you wanted to re-enable defender, will it be a nightmare in doing so, and having to resort to a Windows reset?
Click to expand...
You’re raising the right concerns, because the “how hard do I kill Defender?” question is mostly about update‑resilience and ease of undo, not just “can it be turned off”.

I’ll split this into two parts:

  • Answers to the concerns you quoted (updates, issues, re‑enabling).
  • A safer, layered way to keep Defender out of the way if you use a third‑party AV.

1. Will major Windows updates revert the settings and cause issues?

Yes, major updates can and often do revert Defender‑related changes, but usually in a “mildly annoying” way, not a “system is broken” way.

What typically happens on a feature upgrade:

  • Group Policies – are usually respected, but Microsoft has occasionally changed how some Defender policies behave between versions (for example, “Turn off Microsoft Defender Antivirus” may not fully disable it unless a third‑party AV is present).
  • Registry hacks to services (Start=4) – can be:
    • Overwritten (Defender services put back to their defaults).
    • Recreated (new or renamed services).
  • Tools like DefenderControl – their changes can be neutralized. After a big update, Defender may be fully active again until you re‑apply your tweaks.

But:

  • It’s very rare for this to cause boot failures or anything that forces a reset just because Defender got re‑enabled.
  • The most common “issue” is simply:
    • Defender comes back on.
    • Windows Security stops complaining about being “disabled”.
    • Your third‑party AV coexists or Defender goes passive.

If you do only policy/UI changes (and not low‑level service edits), feature updates almost never cause serious problems. They may just ignore some old settings and re‑enable Defender.

2. If you wanted to re‑enable Defender, is it a nightmare?

It depends on how you disabled it:

a) If you use only:

  • Windows Security UI (turn things off),
  • Group Policy,
  • and you let a third‑party AV take over as primary,

…then re‑enabling Defender is straightforward:

  • Uninstall / disable the third‑party AV (if you want Defender primary again).
  • Undo Group Policy:
    • gpedit.msc → Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus.
    • Set Turn off Microsoft Defender Antivirus = Not Configured.
  • Turn ON the toggles in Windows Security (Real‑time protection etc.).

No reset needed; Windows is designed for this scenario.

b) If you used hard service kills (Start=4 on WinDefend, WdFilter, etc.)

Then you usually need to:

  • Boot to Safe Mode.
  • Restore the original Start values for:
    • Sense
    • WdBoot
    • WdFilter
    • WdNisDrv
    • WdNisSvc
    • WinDefend
  • Reboot to normal mode.

If you exported those keys or wrote down the defaults (like in your quoted post), this is not a nightmare – just annoying. A reset is normally only needed if:

  • The registry was badly damaged / mis‑edited (wrong services, wrong values).
  • Or there’s some other unrelated corruption.

So: disabling Defender doesn’t inherently create a “must reset later” situation. It just means you need to remember how you disabled it, so you can undo the same method.

3. A safer “minimal Defender” setup if you run a third‑party AV

This is the part you liked: reducing Defender’s footprint without going full Start=4 on everything. The idea is:

  • Let Windows know a third‑party AV is your primary.
  • Keep Defender from doing background scanning or ASR, etc.
  • Avoid brutal service modifications so feature upgrades and re‑enabling are simple.

For a more tailored setup, I’d still like to know:

  • Which third‑party AV you plan to run full‑time (e.g. ESET/Kaspersky/Bitdefender/etc.).
  • Whether you care more about:
    • Performance,
    • Telemetry/privacy,
    • or avoiding overlaps/conflicts.

But here’s a solid general blueprint for Windows 11 Pro:

Step 1 – Install and use a full third‑party AV

  • Install your chosen AV.
  • Confirm in Windows Security → Virus & threat protection that it shows as the active provider.
  • In this state, Defender usually goes into passive or disabled real‑time mode automatically.

Step 2 – Turn off extra Defender activity via UI

In Windows Security → Virus & threat protectionMicrosoft Defender Antivirus options:

  • Disable Periodic scanning (so Defender doesn’t wake up to scan on a schedule while your main AV is already scanning).

This alone already stops most redundant background work.

Step 3 – Use Group Policy (gentler than service hacking)

Open gpedit.msc:

  • Go to:
    • Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus
  • Set:
    • Turn off Microsoft Defender Antivirus = Enabled.

Notes:

  • On newer Windows 11 builds, this policy by itself may not fully kill Defender if no third‑party AV is present. But with a registered third‑party AV, it usually keeps Defender from interfering or re‑enabling.
  • You can later re‑enable Defender by setting this back to Not Configured.

If you want to go a bit further (optional):

  • Still under Microsoft Defender Antivirus, you can set policies like:
    • Cloud-delivered protection = Disabled.
    • Join Microsoft MAPS = Disabled.

This reduces telemetry and cloud lookups if you’re privacy‑sensitive.

Step 4 – Leave core OS mitigations alone

Don’t touch:

  • Exploit protection settings (unless you’re explicitly tuning them).
  • Core SmartScreen for web/mail, unless you have a very good reason and a replacement.

These are OS‑level mitigations and work with your third‑party AV; they don’t require the Defender AV engine itself.

Step 5 – Avoid (or minimize) driver/service “kills”

In this “safer” profile:

  • Avoid changing Start to 4 on WinDefend, WdFilter, etc., unless you have a very specific conflict and know exactly why you’re doing it.
  • If you do eventually decide to hard‑disable some components, keep a clear note or .reg backup so you can cleanly revert.

This means:

  • Feature upgrades will be less confused.
  • You can re‑enable Defender later without offline registry surgery or a reset.

4. Direct answers to the concerns you quoted

  • “Why are you trying to totally disable Defender?”
    • Common reasons (from many users): resource usage, false positives, conflicts with another AV, or privacy/telemetry concerns.
    • If your third‑party AV is solid, there’s no strict requirement to keep Defender active in parallel.
  • “Will a major Windows update try to revert the settings and cause issues?”
    • Yes, it may revert Defender‑related changes or re‑enable Defender, but usually doesn’t “break” Windows.
    • It’s more about having to re‑apply your preference after an upgrade.
  • “If you wanted to re-enable defender, will it be a nightmare?”
    • If you stick to UI + Group Policy = no, it’s simple.
    • If you’ve done heavy service/driver registry hacks, you must undo them (usually via Safe Mode), but that still normally doesn’t require a full reset.

If you tell me which third‑party AV you’re running full‑time, I can adjust the above to that product (for example: what to disable in Defender to avoid scan overlap, whether to leave SmartScreen on, etc.).
 
  • Like
Reactions: rashmi and Jonny Quest
Jonny Quest said:
@rashmi just curious, why are you trying to totally disable defender? Will a major Windows update try to revert the settings and cause issues? What if you wanted to re-enable defender, will it be a nightmare in doing so, and having to resort to a Windows reset?
Click to expand...
I prefer not to use an antivirus with Comodo Firewall. Sordum's DefenderControl has been disabling/reenabling Microsoft Defender successfully for me. DefenderControl is a discontinued tool now, and though it works absolutely well, I'm looking for a stable or Windows built-in solution.
 
  • Like
Reactions: EASTER, piquiteco, Sorrento and 3 others
rashmi said:
I prefer not to use an antivirus with Comodo Firewall. Sordum's DefenderControl has been disabling/reenabling Microsoft Defender successfully for me. DefenderControl is a discontinued tool now, and though it works absolutely well, I'm looking for a stable or Windows built-in solution.
Click to expand...
You’re basically in the “Comodo Firewall + hard‑off Defender, no AV” camp, and DefenderControl has just been a convenient front‑end for that. With that in mind:

  • There is no fully supported, built‑in Microsoft switch for “no AV at all” on Windows 11 when no third‑party AV is present.
  • What DefenderControl does is essentially exactly what you’ve already been discussing: change Defender service/driver start values and a few related settings.
  • Major updates can revert those changes, but that usually just means “Defender is back”, not “Windows is broken”.

So the realistic goal is a method that:

  • Uses only Windows’ own tools (regedit/PowerShell/Group Policy).
  • Is easy to re‑apply after a big update.
  • Is easy to undo if you ever want Defender back.

1. No AV + Comodo: what Windows officially supports

By design, Windows 10/11 wants:

  • At least one registered AV provider (Defender or third‑party).
  • If a third‑party AV is installed, Defender can go passive / limited.
  • If no AV is installed, Microsoft really doesn’t provide an “official” way for home users to have no AV at all.

That’s why:

  • Group Policy “Turn off Microsoft Defender Antivirus” alone is not reliable on newer Windows 11 when there’s no other AV.
  • Old tricks like DisableAntiSpyware are now ignored.

For a hard off with no AV, Microsoft doesn’t give you a clean GUI button. You’re down to exactly what you’re already using: service/driver tweaks (what DefenderControl does), or similar done manually.

2. A “built‑in” replacement for DefenderControl

Given your goal, the closest to a “stable, built‑in” solution is:

  • Use .reg files + Safe Mode to do the same Start‑value changes DefenderControl does.
  • Keep clean “disable” and “enable” reg files so you can toggle without guesswork.

For example (conceptually):

a) Hard‑disable file (run in Safe Mode)

Create a DisableDefenderHard.reg with content like (adjust to exactly match what you already tested):

Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

Apply in Safe Mode, reboot → Defender AV and related drivers don’t start.

b) Re‑enable file (run in Safe Mode)

Create an EnableDefenderHard.reg with the default values (these are the ones you already quoted):

Code: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000002

Apply in Safe Mode, reboot → Defender is back in its normal state.

That’s essentially DefenderControl, but:

  • Fully transparent (you see exactly what’s being changed).
  • Not dependent on a third‑party EXE that may break on a future build.
  • Easy to re‑run after a big Windows upgrade.

3. What feature updates will do to this

On a feature upgrade (or a big build jump):

  • Windows may overwrite or recreate those service keys with default Start values.
  • Result: Defender is active again, sometimes with Tamper Protection ON.
  • Your system doesn’t usually “break”; you just lose your “hard off” until you re‑apply it.

So the routine becomes:

  • After each big Windows upgrade:
    • Check Windows Security → if Defender is on again (and you still don’t want it), reboot to Safe Mode, run your DisableDefenderHard.reg, reboot.

4. Re‑enabling Defender later: will it be a nightmare?

Not if you keep things disciplined:

  • Always export the original keys (Sense, WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend) once, before you start.
  • Keep your EnableDefenderHard.reg safe.
  • Keep System Restore turned on and a Windows install USB handy (as general safety nets).

Then, to re‑enable:

  • Boot to Safe Mode.
  • Import EnableDefenderHard.reg (or your original exported .reg).
  • Reboot.
  • Open Windows Security to verify everything is back.

You should not need a reset for this, unless some unrelated system corruption happens or the registry keys are heavily damaged.

5. What about “softer” methods (UI, Group Policy, PowerShell)?

Because you don’t want any AV at all:

  • UI toggles (real‑time protection off, etc.) tend to be temporary and can be overridden by Windows or Tamper Protection.
  • Group Policy “Turn off Microsoft Defender Antivirus” is no longer a reliable way to keep Defender off on modern Win 11 when no other AV is present.
  • PowerShell (Set-MpPreference -DisableRealtimeMonitoring $true) is also subject to being reverted, and Tamper Protection will fight it.

Those methods are great if you just want to minimize Defender while using another AV; they’re not strong enough for a true “no AV” setup.

6. Security angle (just so it’s explicit)

Running only Comodo Firewall (HIPS/containment) with no AV is a niche, advanced setup:

  • It can work if:
    • You’re very careful with what you run.
    • You keep Comodo well‑configured and up to date.
    • You accept that there’s no signature‑based safety net.
  • It gives you:
    • Less bloat and scanning.
    • More reliance on HIPS/sandbox behavior and your own decisions.

From a Windows/Microsoft point of view, this configuration is “unsupported” in the sense that they expect some AV; hence the lack of an official off‑switch.

Summary

  • There’s no official, built‑in, one‑click way to permanently disable Defender on Windows 11 when no other AV is installed.
  • DefenderControl was just automating what you can safely do yourself:
    • Make two .reg files (disable/enable) for the key Defender services.
    • Apply them in Safe Mode when you want to toggle Defender.
  • Feature updates will likely re‑enable Defender, but that normally doesn’t “break” anything; you simply re‑apply your disable .reg afterwards.
  • Re‑enabling should not require a reset if you keep proper backups of the original registry values.

If you’d like, you can post the exact reg values you’re currently using (anonymized, just the service keys), and I can double‑check them for consistency so that your “enable” file really matches a stock configuration.
 
  • Like
Reactions: rashmi
rashmi said:
I prefer not to use an antivirus with Comodo Firewall. Sordum's DefenderControl has been disabling/reenabling Microsoft Defender successfully for me. DefenderControl is a discontinued tool now, and though it works absolutely well, I'm looking for a stable or Windows built-in solution.
Click to expand...
Got it, it makes sense. Thank you for the reply :)
 
  • Like
Reactions: Zero Knowledge, Sorrento, simmerskool and 2 others
rashmi said:
I disable Microsoft Defender on Windows 11 Pro with Sordum's DefenderControl, which works well for me, though the developer discontinued it. I found the following solution on a blog, which, according to some, works.

@Andy Ful, Do you know this solution, and do these registry tweaks work? I thought to confirm with you or get your insight before performing these tweaks.
Click to expand...

I agree with @Bot. For the same reasons, DefenderControl is discontinued.
 
  • Like
  • +Reputation
Reactions: EASTER, simmerskool and rashmi
Andy Ful said:
I agree with @Bot. For the same reasons, DefenderControl is discontinued.
Click to expand...
That’s a very reasonable conclusion.

A few concise points to keep in mind about DefenderControl being discontinued:

  • Because it’s no longer maintained, future Windows builds may break it or make its changes unreliable (partially applied, silently reverted, etc.).
  • You also won’t get fixes if Microsoft:
    • Renames services,
    • Moves functionality,
    • Or hardens Defender against external manipulation.
  • For something as core as AV/driver services, it’s safer to rely on:
    • Documented tools (Group Policy, PowerShell, UI) where possible, and
    • If you want a hard‑off: transparent reg files that you fully understand, applied in Safe Mode.

So using the manual registry approach you and I discussed (with clear Disable/Enable .reg files and backups) is basically the “DefenderControl logic,” but in a way that’s:

  • Easier to audit,
  • Not tied to an abandoned EXE,
  • And easier to fix yourself if Microsoft changes something in a future update.

If you ever want, you can post your final .reg pair (anonymized, just the Defender service entries), and I can sanity‑check them so you’re confident both disabling and re‑enabling are clean.
 
  • Like
Reactions: rashmi
Bot said:
DefenderControl was just automating what you can safely do yourself:
  • Make two .reg files (disable/enable) for the key Defender services.
  • Apply them in Safe Mode when you want to toggle Defender.
Click to expand...
Do the reg tweaks work similarly to DefenderControl? With DefenderControl, Windows Security displays "managed by organization," there are no Defender processes running, there is no Defender task tray icon, and there are no Defender updates.
 
  • Like
Reactions: Sorrento and simmerskool
rashmi said:
Do the reg tweaks work similarly to DefenderControl? With DefenderControl, Windows Security displays "managed by organization," there are no Defender processes running, there is no Defender task tray icon, and there are no Defender updates.
Click to expand...
Yes and no – the raw service Start=4 tweaks can reproduce most of the technical effect of DefenderControl (no engine running, no real protection), but not automatically all the cosmetic parts like “managed by your organization” and update behaviour.

I’ll break it down by what you see now with DefenderControl:

  • “Managed by your organization” in Windows Security
    This message is triggered by policy (GPO / HKLM\SOFTWARE\Policies\Microsoft\Windows Defender etc.), not by the service Start values themselves.
    • If you only do the Start=4 edits on WinDefend, WdFilter, etc., Windows Security will typically just show that Defender is off/failed rather than “managed by your organization”.
    • If you also set the relevant Group Policy (for example, Turn off Microsoft Defender Antivirus) or equivalent policy keys, you can usually bring back the “managed by organization” wording – but note that on newer Win11 builds, the policy alone does not reliably hard‑disable Defender unless another AV is present.

    So:
    • Service tweaks alone → no Defender engine, but UI looks “broken/off”, not “managed by org”.
    • Service tweaks + policy → closer to DefenderControl behaviour (no engine + “managed by org”).
  • No Defender processes running
    This is where the reg tweaks and DefenderControl are very similar:
    • Setting Start=4 on:
      • WinDefend
      • WdFilter
      • WdBoot
      • WdNisDrv
      • WdNisSvc
      • Sense
    • …and rebooting means those services/drivers simply don’t load.
    • As a result, MsMpEng.exe and the related Defender drivers won’t be running – functionally equivalent to what DefenderControl gives you from a “no engine in memory” standpoint.

    So for “no Defender processes”: yes, the reg tweaks can achieve the same outcome, as long as you edit the right services and reboot.
  • No Defender task tray icon
    This part is a bit different:
    • The Windows Security tray icon is tied to SecurityHealthService (Windows Security Center), not directly to WinDefend/WdFilter.
    • Your current tweaks (only Defender services) won’t necessarily remove the shield icon – it may still show an alert, even though Defender itself is dead.
    • DefenderControl may also be adjusting related components (or the icon may just not show because Defender is in a “disabled by policy” state).

    If the tray icon bothers you, the simpler and safer approach is:
    • Hide the Windows Security icon via:
      • Settings → Personalization → Taskbar → Other system tray icons (or equivalent, depending on build)
    • Or disable SecurityHealthService only if you really know what you’re doing – otherwise you lose centralized notifications for other security features too.

    So: reg tweaks for Defender services ≠ guaranteed removal of the Windows Security tray icon, but you can hide that separately.
  • No Defender updates
    This is the trickiest part to guarantee:
    • Defender definitions/platform updates are delivered via Windows Update as a product, independent of whether the services are actually running.
    • With the Defender services disabled:
      • They won’t be used to scan or protect you.
      • But Windows Update may still offer and download them in the background, depending on your WU configuration.
    • Completely blocking Defender definition updates at the Windows Update level isn’t as simple as a single reg value; it usually involves:
      • WU policies,
      • Tools like WUMT/WU manager,
      • Or selectively hiding Defender updates – and that’s more fragile than just accepting that they can exist but won’t be executed.

    So: the reg tweaks will stop Defender from actually updating/using the engine at runtime, but I cannot honestly promise they will stop Windows Update from ever trying to download definition packages. From a practical standpoint, though, you’d still have “no AV activity”.

Bottom line

  • Hard service tweaks (Start=4) can match DefenderControl on the important part: no Defender engine, no drivers, no real‑time scanning.
  • To mimic the look (“managed by your organization”) you’d also use the appropriate Defender GPO/policy keys.
  • Tray icon and Windows Update behaviour are separate layers:
    • Hide the icon via taskbar settings if it annoys you.
    • Accept that WU might still download Defender updates, but they won’t do anything if the engine is disabled.

If you’d like, you can say exactly which reg edits you plan to use (just the keys/values, nothing personal), and I can point out what they will and won’t replicate compared to what you currently see with DefenderControl.
 
  • Like
Reactions: rashmi

You may also like...