How to Disable Windows Defender on Windows Server 2019 and 2022

Learn to completely disable Microsoft Defender Antivirus on Windows Server 2019/2022 using PowerShell uninstall, Group Policy, or registry methods with proper verification steps.

Evan Mael
March 27, 2026 | 15 min
medium | windows-server | 8 steps | 15 min

Why Disable Microsoft Defender on Windows Server?

Microsoft Defender Antivirus comes pre-installed on Windows Server 2019 and 2022, providing basic malware protection out of the box. However, enterprise environments often require disabling Defender for several legitimate reasons: deploying enterprise-grade antivirus solutions that conflict with Defender, optimizing server performance for resource-intensive applications, or meeting specific compliance requirements that mandate particular security software.

What Are the Risks of Disabling Built-in Security?

Disabling Defender creates a temporary security vulnerability window. Without proper planning, your server becomes exposed to malware, ransomware, and other threats. This tutorial addresses this risk by emphasizing immediate replacement with enterprise antivirus solutions and providing verification steps to ensure continuous protection.

Which Disable Method Should You Choose?

Microsoft recommends complete uninstallation via PowerShell for servers without third-party antivirus integration needs. This method removes all Defender components, preventing resource conflicts and ensuring clean operation. Group Policy methods work better for domain environments where you need centralized control. Registry modifications offer the most granular control but require careful execution to avoid system instability.

This tutorial covers all four primary methods: PowerShell uninstallation, Group Policy configuration, registry modification, and Server Manager GUI removal. Each method includes verification steps and addresses common pitfalls that can leave Defender partially active or cause system issues.

Implementation Guide

Full Procedure

01

Create System Backup and Prepare Alternative Security

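Before disabling Microsoft Defender Antivirus, create a system restore point and prepare your alternative security solution. This prevents leaving your server unprotected. Microsoft documents System Restore and the Checkpoint-Computer cmdlet as supported only on client operating systems, so if the commands below are unavailable on your server, take a full backup or VM snapshot instead.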

Enable-ComputerRestore -Drive "C:"
Checkpoint-Computer -Description "Before Defender Disable" -RestorePointType "MODIFY_SETTINGS"

Verify the restore point was created:

Get-ComputerRestorePoint | Select-Object -Last 1

Warning: Never disable Defender without having an alternative antivirus ready. This creates a critical security gap that attackers can exploit within minutes.

Download and prepare your third-party antivirus installer but don't install it yet. Popular enterprise options include Symantec Endpoint Protection, CrowdStrike Falcon, or SentinelOne.

02

Check Current Defender Status and Features

First, verify which Defender components are currently installed and active on your server. This helps you understand what needs to be disabled.

Get-WindowsFeature -Name *Defender*

Check the current status of Defender services:

Get-Service -Name *Defender* | Select-Object Name, Status, StartType

View real-time protection status:

Get-MpPreference | Select-Object DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableIOAVProtection

The output shows you exactly which features are enabled. Look for InstallState : Installed for Windows-Defender-Features and running services like WinDefend.

Pro tip: Screenshot or save this output to compare after disabling Defender. This helps verify the disable process worked completely.
03

Method 1 - Uninstall Defender via PowerShell (Recommended)

Microsoft recommends completely uninstalling Defender on servers without third-party AV. This is the most thorough method and prevents conflicts.

Open PowerShell as Administrator and run the uninstall command:

Uninstall-WindowsFeature -Name Windows-Defender-Features -Restart

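If you prefer to restart manually later, omit -Restart. The command below also adds -Remove, which deletes the feature's payload files from the local component store: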

Uninstall-WindowsFeature -Name Windows-Defender-Features -Remove

The process removes all Defender components including:

  • Windows Defender Antivirus Engine
  • Windows Defender GUI
  • PowerShell cmdlets for Defender
  • All related services and drivers

After restart, verify complete removal:

Get-WindowsFeature -Name Windows-Defender-Features

You should see InstallState : Removed. Also check that Defender services no longer exist:

Get-Service -Name WinDefend -ErrorAction SilentlyContinue

This should return no results or an error indicating the service doesn't exist.

04

Method 2 - Disable via Group Policy (For Domain Environments)

If you can't uninstall Defender or need to disable it across multiple servers via Group Policy, use this method. It disables real-time protection but keeps the service installed.

For local Group Policy, open the editor:

gpedit.msc

Navigate to: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus

Double-click Turn off Microsoft Defender Antivirus and set it to Enabled. Click OK.

To disable the individual protection features as well, navigate to the Real-time Protection subfolder and enable these policies:

  • Turn off real-time protection
  • Turn off behavior monitoring
  • Turn off process scanning

Apply the changes immediately:

gpupdate /force

Verify the policy applied correctly:

Get-MpPreference | Select-Object DisableRealtimeMonitoring, DisableBehaviorMonitoring

Both values should show True. Also check that Windows Security Center shows Defender as disabled.

Pro tip: In domain environments, configure this policy at the OU level for all servers that need Defender disabled. This ensures consistent configuration across your server fleet.
05

Method 3 - Registry Modification for Advanced Control

Registry editing provides the most granular control over Defender settings. Use this method when you need specific configurations or when other methods don't work.

Open Registry Editor as Administrator:

regedit

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

If the Windows Defender key doesn't exist, create it. Right-click and create these DWORD (32-bit) values:

DisableAntiSpyware = 1
DisableAntiVirus = 1
DisableRealtimeMonitoring = 1

For servers using Microsoft Defender for Endpoint, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

Create DWORD value:

ForceDefenderPassiveMode = 1

This puts Defender in passive mode, allowing Defender for Endpoint to function while disabling local scanning.

Restart the server to apply registry changes:

Restart-Computer -Force

After restart, verify the changes:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware

Warning: Always back up the registry before making changes. Incorrect registry modifications can make your server unbootable. Use regedit > File > Export to back up the entire registry first.
06

Alternative Method - Server Manager GUI Removal

For administrators who prefer GUI methods, you can remove Defender through Server Manager. This method works identically to the PowerShell uninstall but uses the graphical interface.

Open Server Manager and click Manage > Remove Roles and Features.

Click Next through the wizard until you reach the Features page. Uncheck Windows Defender Features and all sub-components:

  • GUI for Windows Defender
  • Windows Defender
  • Windows Defender PowerShell Module

Click Next and then Remove. The wizard will prompt for a restart.

After restart, verify removal through PowerShell:

Get-WindowsFeature -Name Windows-Defender-Features

The feature should show InstallState : Removed.

Pro tip: This GUI method is identical to the PowerShell uninstall command but may be easier for administrators less comfortable with command-line tools. The end result is exactly the same.
07

Install and Configure Alternative Antivirus

Immediately after disabling Defender, install your alternative antivirus solution. The security gap between disabling Defender and installing replacement protection should be minimized.

Install your chosen enterprise antivirus following the vendor's documentation. Common enterprise solutions include:

  • Symantec Endpoint Protection
  • CrowdStrike Falcon
  • SentinelOne
  • Trend Micro Deep Security

After installation, verify the new antivirus is active:

Get-Service | Where-Object {$_.DisplayName -like "*antivirus*" -or $_.DisplayName -like "*endpoint*"}

Test the antivirus functionality by downloading the EICAR test file (safe test virus):

Invoke-WebRequest -Uri "https://www.eicar.org/download/eicar.com.txt" -OutFile "C:\temp\eicar.txt"

Your new antivirus should immediately detect and quarantine this test file. If it doesn't, check the antivirus configuration and ensure real-time protection is enabled.

Configure the antivirus policies according to your organization's security requirements, including:

  • Real-time scanning settings
  • Scheduled scan times
  • Exclusions for server applications
  • Reporting and alerting configuration
08

Verify Complete Defender Removal and System Security

Perform comprehensive verification to ensure Defender is completely disabled and your server remains secure with the new antivirus solution.

Check that no Defender services are running:

Get-Service | Where-Object {$_.Name -like "*Defender*" -or $_.Name -like "*WinDefend*"}

Verify Defender features are removed:

Get-WindowsFeature | Where-Object {$_.Name -like "*Defender*"}

Check Windows Security Center status:

Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct | Select-Object displayName, productState

The output should show your new antivirus as the active protection, not Windows Defender.

Test system performance to ensure the new antivirus isn't causing conflicts:

Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 ProcessName, CPU, WorkingSet

Monitor for any unusual CPU or memory usage from antivirus processes.

Finally, check Windows Event Logs for any Defender-related errors:

Get-EventLog -LogName System -Source "*Defender*" -Newest 10 -ErrorAction SilentlyContinue

If this returns no results or only informational events about Defender being disabled, the removal was successful.

Pro tip: Document this configuration change in your server documentation and include the verification commands in your server maintenance checklist. This helps other administrators understand the security configuration.
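
The verification commands from this tutorial can be combined into one read-only check for the maintenance checklist. The following is an added example, not part of the original article: the function name Get-DefenderDisableState and the -ReplacementServiceName parameter are hypothetical, and you supply the real service name of your replacement antivirus.

```powershell
# Added example, not from the original article. Read-only: changes nothing.
function Get-DefenderDisableState {
    [CmdletBinding()]
    param(
        # Service name of the replacement antivirus (assumption: you supply it).
        [string]$ReplacementServiceName
    )
    # Policy values from Method 3; an absent key or value is reported as $null.
    $targets = @(
        @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
           Names = 'DisableAntiSpyware', 'DisableAntiVirus', 'DisableRealtimeMonitoring' },
        @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
           Names = @('ForceDefenderPassiveMode') }
    )
    $policy = [ordered]@{}
    foreach ($t in $targets) {
        $props = Get-ItemProperty -Path $t.Path -ErrorAction SilentlyContinue
        foreach ($n in $t.Names) {
            $policy[$n] = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { $null }
        }
    }
    # Feature state; Get-WindowsFeature exists only where ServerManager is installed.
    $feature = 'Get-WindowsFeature not available'
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = (Get-WindowsFeature -Name *Defender* |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.InstallState }) -join '; '
    }
    # Engine state; the Defender cmdlets disappear after a full uninstall.
    $mode = 'Defender cmdlets not present'; $realtime = $false
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        try {
            $st = Get-MpComputerStatus -ErrorAction Stop
            $mode = $st.AMRunningMode; $realtime = [bool]$st.RealTimeProtectionEnabled
        } catch { $mode = "Query failed: $($_.Exception.Message)" }
    }
    $defSvc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $replacementRunning = $false
    if ($ReplacementServiceName) {
        $r = Get-Service -Name $ReplacementServiceName -ErrorAction SilentlyContinue
        $replacementRunning = [bool]($r -and $r.Status -eq 'Running')
    }
    [pscustomobject]@{
        FeatureState       = $feature
        WinDefendService   = if ($defSvc) { "$($defSvc.Status)" } else { 'Not installed' }
        RunningMode        = $mode
        RealTimeProtection = $realtime
        PolicyValues       = [pscustomobject]$policy
        ReplacementRunning = $replacementRunning
        # True when neither Defender real-time protection nor the replacement is active.
        ProtectionGap      = -not ($realtime -or $replacementRunning)
    }
}
```

Run it as Get-DefenderDisableState -ReplacementServiceName '<your AV service name>' and treat ProtectionGap = True as a finding: the server has no active real-time protection from either product.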

Frequently Asked Questions

Does disabling Windows Defender improve Windows Server performance?
Yes, disabling Defender can improve server performance, especially on resource-intensive applications like databases or virtualization hosts. Defender's real-time scanning consumes CPU and memory resources. However, the performance gain is typically modest (5-15% in CPU-intensive scenarios) and must be weighed against security risks. Enterprise antivirus solutions may have similar resource requirements, so the net performance benefit depends on your replacement security software.
Can I re-enable Windows Defender after uninstalling it on Windows Server?
Yes, but you must reinstall the Windows Defender Features through Server Manager or PowerShell using Install-WindowsFeature -Name Windows-Defender-Features. Simply enabling it through Group Policy or registry won't work if you've uninstalled the feature completely. The reinstallation requires a server restart and will restore all Defender components to their default configuration. This process can take 10-15 minutes depending on your server's performance.
What happens if I disable Defender without installing alternative antivirus?
Your server becomes highly vulnerable to malware attacks within minutes. Modern malware can spread through network shares, email attachments, web downloads, and USB devices. Without real-time protection, threats can establish persistence, steal data, or deploy ransomware before you notice. Microsoft strongly advises against running servers without antivirus protection. If you must temporarily disable Defender, disconnect the server from networks and internet until replacement protection is installed.
Will disabling Windows Defender affect Windows Updates or system stability?
Disabling Defender doesn't affect Windows Updates or core system stability. Windows Update will continue downloading and installing security patches normally. However, you'll lose Defender's integration with Windows Security Center, and some security-related updates specific to Defender won't apply. System stability remains unchanged as long as you follow proper disable procedures. Improper registry modifications can cause issues, but PowerShell uninstallation or Group Policy methods are completely safe.
How do I disable Defender on Windows Server Core without GUI?
Use PowerShell exclusively since Server Core lacks the GUI. Connect via PowerShell remoting or directly at the console. Run Uninstall-WindowsFeature -Name Windows-Defender-Features -Restart for complete removal, or use registry modifications with reg add commands. For example: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f. Group Policy editing requires the RSAT tools on a management workstation since gpedit.msc isn't available on Server Core.
Written by Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
