
Remove Microsoft Defender from Windows Endpoints

Remove all versions of Microsoft Defender from Windows endpoints during a third-party EPP transition

Worklet Details

What the Microsoft Defender remover does

This Automox Worklet™ removes Microsoft Defender from Windows endpoints by stepping through each Defender variant the OS can ship with and uninstalling, disabling, or policy-excluding it. On Windows 10 and Windows 11, the script disables Microsoft Defender Antivirus through the Set-MpPreference cmdlet and the policy values under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender. On Windows Server, it uninstalls the Windows-Defender feature via Uninstall-WindowsFeature. On endpoints that still carry the legacy System Center Endpoint Protection (SCEP) client, it runs the uninstall command recorded in that client's entry under the Uninstall registry key.

The Worklet does not try to delete the Defender platform files, which are owned by TrustedInstaller and protected by Windows Resource Protection; it disables the service surface so the replacement EPP can register as the antivirus provider without conflict. Once the new EPP registers with Windows Security Center, Security Center reports it as the active AV provider, which clears the Defender taskbar warning and silences the system tray prompts that would otherwise warn the user that no protection is installed.

Evaluation calls Get-MpComputerStatus (and Get-WindowsFeature on Server SKUs) and reads HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender without invoking any Set or Uninstall command, so endpoints already in the desired state (Defender disabled, third-party EPP installed and registered) return exit code 0 (compliant) and the activity log stays quiet. Endpoints where a Windows feature update has re-enabled or reinstalled Defender are flagged and remediated again on the next policy run, which keeps the migration outcome durable across Microsoft's update cadence.

Why remove Defender during an EPP transition

Running two on-access scanners on the same Windows endpoint is a well-known source of stability and performance problems: both attach minifilters to the same file-system filter stack, both scan the same file on every open and write, and the endpoint pays roughly twice the kernel-mode CPU on every read and write. On Windows 10 and 11 clients, Microsoft Defender Antivirus is designed to drop into disabled (or passive) mode once another AV registers with Windows Security Center, but that hand-off does not happen on Windows Server, where Defender stays active until it is uninstalled or explicitly placed in passive mode, and on any SKU it can be undone by Group Policy that forces Defender on or by a later update.

During an EPP migration, the gap between "the new AV is rolled out" and "Defender has actually stepped aside on every endpoint" is where the helpdesk gets the "my laptop is slow" tickets. Targeting this Worklet at the migration cohort checks every Windows endpoint at evaluation time and applies the Set-MpPreference and Uninstall-WindowsFeature actions at remediation time, and the recurring policy backstops feature updates that silently re-enable Defender after the rollout. Pair it with a Worklet that installs and registers the new EPP so the migration completes as a single policy chain rather than a series of follow-up tickets stretching across the next quarter.

How Microsoft Defender removal works

  1. Evaluation phase: The Worklet runs Get-MpComputerStatus to read AMServiceEnabled, RealTimeProtectionEnabled, and AntivirusEnabled, queries Get-WindowsFeature -Name Windows-Defender on Server SKUs, and reads the DisableAntiSpyware value under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender. If any signal shows Defender is still active or installed as a feature, the endpoint exits non-zero and is flagged for remediation. Endpoints already in the desired state exit 0, are reported compliant, and are skipped.

  2. Remediation phase: The remediation script disables Defender real-time protection via Set-MpPreference -DisableRealtimeMonitoring $true, writes DisableAntiSpyware=1 to HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender, and on Windows Server runs Uninstall-WindowsFeature -Name Windows-Defender -NoRestart. For endpoints with the legacy SCEP client, it runs the uninstall command recorded in the SCEP entry under the Uninstall registry key. It exits 0 on success, or non-zero with the failing component name in stderr if a step was blocked by Tamper Protection or Group Policy. Two caveats: Set-MpPreference is silently ignored while Tamper Protection is on, so the script re-reads Get-MpComputerStatus after the call instead of trusting its return; and current Windows 10 and 11 client platform builds ignore DisableAntiSpyware (Defender steps aside there only when another AV registers with Security Center), so the registry write matters mainly on Windows Server.
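The two phases above, written out as one PowerShell script that an Automox policy would run twice (paste it with -Mode Evaluate in the evaluation box and -Mode Remediate in the remediation box). This is an added example, not the Worklet code Automox ships. It assumes the ConfigDefender module is present (Get-MpComputerStatus, Set-MpPreference), the ServerManager module is present on Server SKUs (Get-WindowsFeature, Uninstall-WindowsFeature), the script runs as SYSTEM under the agent, and that the SCEP uninstall command recorded in the registry accepts a silent switch (/qn for msiexec, /s for SCEP's Setup.exe); that last point is an assumption, as is the Mode parameter and the function names.

```powershell
param(
    [ValidateSet('Evaluate','Remediate')][string]$Mode = 'Evaluate'   # illustrative switch, not an Automox convention
)
$ErrorActionPreference = 'Stop'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$IsServer  = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1   # ProductType 1 = workstation

function Get-DefenderSignals {
    # Every signal the evaluation phase reads, collected once so both phases agree on it.
    $s = [ordered]@{
        AMServiceEnabled = $false; RealTimeProtectionEnabled = $false; AntivirusEnabled = $false
        FeatureInstalled = $false; PolicyDisabled = $false; ScepUninstallString = $null
    }
    try {
        $st = Get-MpComputerStatus          # throws once the engine/feature is gone, which is the desired state
        $s.AMServiceEnabled          = [bool]$st.AMServiceEnabled
        $s.RealTimeProtectionEnabled = [bool]$st.RealTimeProtectionEnabled
        $s.AntivirusEnabled          = [bool]$st.AntivirusEnabled
    } catch { }
    if ($IsServer) {
        $f = Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue
        $s.FeatureInstalled = [bool]($f -and $f.Installed)
    }
    $v = Get-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $s.PolicyDisabled = [bool]($v -and $v.DisableAntiSpyware -eq 1)
    # Legacy SCEP client: its Add/Remove Programs entry carries the uninstall command.
    $scep = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
            Get-ItemProperty |
            Where-Object { $_.DisplayName -like 'System Center Endpoint Protection*' } |
            Select-Object -First 1
    if ($scep) { $s.ScepUninstallString = $scep.UninstallString }
    [pscustomobject]$s
}

function Test-DefenderRemoved {
    param([Parameter(Mandatory)]$Signals)
    # Desired state: engine off, no real-time scanning, feature gone on Server, no SCEP client.
    -not ($Signals.AMServiceEnabled -or $Signals.RealTimeProtectionEnabled -or
          $Signals.AntivirusEnabled -or $Signals.FeatureInstalled -or $Signals.ScepUninstallString)
}

function Invoke-DefenderRemoval {
    param([Parameter(Mandatory)]$Signals)
    $failed = @()
    if ($Signals.RealTimeProtectionEnabled) {
        try { Set-MpPreference -DisableRealtimeMonitoring $true } catch { $failed += 'Set-MpPreference' }
        # Tamper Protection ignores the call without raising an error, so re-read instead of trusting it.
        if ((Get-MpComputerStatus).RealTimeProtectionEnabled) { $failed += 'RealTimeProtection still on (Tamper Protection?)' }
    }
    if (-not $Signals.PolicyDisabled) {
        try {
            New-Item -Path $PolicyKey -Force | Out-Null
            Set-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware -Value 1 -Type DWord
        } catch { $failed += 'DisableAntiSpyware policy value' }
    }
    if ($IsServer -and $Signals.FeatureInstalled) {
        try { Uninstall-WindowsFeature -Name Windows-Defender -NoRestart | Out-Null } catch { $failed += 'Windows-Defender feature' }
    }
    if ($Signals.ScepUninstallString) {
        # Assumption: the recorded command accepts a silent switch (/qn for msiexec, /s for SCEP Setup.exe).
        $silent = if ($Signals.ScepUninstallString -match 'msiexec') { '/qn /norestart' } else { '/s' }
        $p = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$($Signals.ScepUninstallString) $silent`"" -Wait -PassThru
        if ($p.ExitCode -notin 0, 3010) { $failed += "SCEP uninstall (exit $($p.ExitCode))" }   # 3010 = success, reboot pending
    }
    $failed
}

$signals = Get-DefenderSignals
if ($Mode -eq 'Evaluate') {
    if (Test-DefenderRemoved $signals) { exit 0 }   # compliant: nothing logged, nothing changed
    exit 1                                          # non-compliant: the platform runs the remediation script
}

$failures = Invoke-DefenderRemoval $signals
if ($failures.Count -gt 0) {
    [Console]::Error.WriteLine("Defender removal blocked: $($failures -join '; ')")
    exit 1
}
exit 0
```

The evaluation path never calls a Set or Uninstall cmdlet, so it is safe to run on every policy cycle. The remediation path reports each blocked component by name on stderr and exits 1, which is what surfaces a Tamper Protection or Group Policy conflict in the activity log instead of a silent partial run.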

Defender removal requirements

  • Windows 10, Windows 11, Windows Server 2016, 2019, 2022, or 2025 with PowerShell 5.1 or PowerShell 7 available

  • Local administrator or SYSTEM privileges for the Automox agent (the default agent context satisfies this) to modify Defender policy keys and run Set-MpPreference

  • Tamper Protection disabled on the endpoint (managed through Intune or the Microsoft Defender portal, or locally in the Windows Security app on unmanaged devices; it cannot be turned off through Group Policy or by editing the registry); leaving Tamper Protection on will cause Set-MpPreference calls to be silently ignored

  • A replacement EPP installed and registered with Windows Security Center either before or alongside this Worklet so the endpoint is not left without an AV provider

  • A change-management ticket or migration plan tying the Defender removal to the new EPP rollout so the security team can audit the transition window

Expected Defender state after removal

After successful remediation, Get-MpComputerStatus reports AMServiceEnabled and RealTimeProtectionEnabled as false on Windows 10 and 11 endpoints. Windows Server endpoints no longer have the Windows-Defender feature installed. The Windows Security Center heartbeat registers the replacement EPP as the primary antivirus provider, the Defender system tray prompts go quiet, and the file-system filter chain holds only one on-access scanner.

Validate on a single endpoint by running Get-MpComputerStatus before and after the policy and confirming the toggles flip to false. For audit evidence, capture the output of both runs along with the Get-Service WinDefend status and store them with the policy run identifier. If Defender re-enables itself after a Windows feature update, the most common cause is that Tamper Protection re-engaged or a Group Policy refresh re-applied the default settings; investigate those before rerunning the Worklet to avoid a remediation loop.
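An added example of the before-and-after validation described above (not Automox code): one script that snapshots every signal the page tells you to check, writes it to JSON alongside a policy run identifier, and on the "after" run diffs it against the "before" snapshot and exits non-zero if Defender still reports active. The RunId, Stage and OutDir parameters, the output folder, and the function names are assumptions; root/SecurityCenter2 is queried only on client SKUs because that namespace does not exist on Windows Server.

```powershell
param(
    [string]$RunId  = 'manual',                                   # policy run identifier, supplied by the operator
    [ValidateSet('before','after')][string]$Stage = 'before',
    [string]$OutDir = "$env:ProgramData\DefenderMigration"        # assumed evidence folder
)
$ErrorActionPreference = 'Stop'

function Get-DefenderSnapshot {
    # One flat record of every signal, stored as strings so two runs diff cleanly after a JSON round-trip.
    $status   = try { Get-MpComputerStatus } catch { $null }      # throws once the engine/feature is gone
    $policy   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
    $feature  = 'n/a'
    if ($isServer) { $feature = [string](Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue).Installed }
    $snap = [ordered]@{
        Timestamp                 = (Get-Date).ToString('o')
        ComputerName              = $env:COMPUTERNAME
        WinDefendService          = [string](Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status  # '' if removed
        AMServiceEnabled          = [string]$status.AMServiceEnabled
        RealTimeProtectionEnabled = [string]$status.RealTimeProtectionEnabled
        AntivirusEnabled          = [string]$status.AntivirusEnabled
        AMRunningMode             = [string]$status.AMRunningMode     # Normal / Passive / etc. on newer platforms, '' otherwise
        DisableAntiSpywarePolicy  = [string]$policy.DisableAntiSpyware
        DefenderFeatureInstalled  = $feature
        RegisteredAV              = 'n/a'
    }
    if (-not $isServer) {
        # Security Center is what decides the taskbar shield; list every AV it currently knows about.
        $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
        $snap.RegisteredAV = ($av | ForEach-Object { "$($_.displayName):0x$('{0:X}' -f $_.productState)" }) -join '; '
    }
    [pscustomobject]$snap
}

function Compare-DefenderSnapshot {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    # Returns the properties whose value changed, plus a verdict on whether Defender is really off.
    $changed = foreach ($p in $After.PSObject.Properties) {
        if ($p.Name -eq 'Timestamp') { continue }
        $old = [string]$Before.($p.Name)
        if ($old -ne [string]$p.Value) { [pscustomobject]@{ Property = $p.Name; Before = $old; After = [string]$p.Value } }
    }
    $stillOn = ($After.AMServiceEnabled -eq 'True') -or
               ($After.RealTimeProtectionEnabled -eq 'True') -or
               ($After.DefenderFeatureInstalled -eq 'True')
    [pscustomobject]@{ Changed = @($changed); DefenderStillActive = $stillOn }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$snapshot = Get-DefenderSnapshot
$snapshot | ConvertTo-Json | Set-Content -Path (Join-Path $OutDir "$RunId-$Stage.json") -Encoding UTF8

if ($Stage -eq 'after') {
    $beforeFile = Join-Path $OutDir "$RunId-before.json"
    if (-not (Test-Path $beforeFile)) { Write-Warning "No 'before' snapshot for run $RunId"; exit 0 }
    $result = Compare-DefenderSnapshot -Before (Get-Content $beforeFile -Raw | ConvertFrom-Json) -After $snapshot
    $result.Changed | Format-Table -AutoSize
    if ($result.DefenderStillActive) {
        Write-Warning 'Defender still reports active: check Tamper Protection and Group Policy before rerunning the Worklet.'
        exit 1
    }
}
exit 0
```

Run it with -Stage before prior to the policy and -Stage after once the run completes, using the same -RunId for both; the two JSON files plus the printed diff are the audit evidence, and the non-zero exit on the "after" run is the signal to investigate Tamper Protection or Group Policy rather than to rerun the Worklet.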



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
