Why admins disable Microsoft Defender Antivirus via a GPO
Microsoft Defender Antivirus, commonly referred to as Windows Defender, is the built-in antivirus solution in Windows 10, Windows 11, and Windows Server. Most of the time it stays out of the way. When it gets in the way, because you are deploying a third-party endpoint security solution, building an isolated test environment, or chasing a false positive that keeps blocking a business application, you need a way to turn it off across multiple machines without touching each one individually.
A Group Policy Object (GPO) applied to an OU handles that. You configure the setting once, link the GPO to the right containers, and it applies at the next Group Policy refresh interval to every domain-joined machine in the scope.
This guide covers the domain method using the Group Policy Management Console (GPMC). If you are working on a stand-alone non-domain machine, the Local Group Policy Editor (gpedit.msc) follows the same navigation path, but that approach is only available in the Windows Pro, Enterprise, and Education editions.
Note: Disabling Microsoft Defender removes a layer of protection from the machines in the scope. Only do this when a tested replacement security solution is already deployed, or in genuinely isolated environments with no internet exposure.
Microsoft Defender Antivirus vs. Windows Defender Firewall
These are two separate components. This guide covers Microsoft Defender Antivirus, the malware scanning and real-time protection engine. Windows Defender Firewall is a different service with its own GPO path under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall. Disabling one has no effect on the other.
Prerequisites
Before you start, confirm the following:
- You have Domain Admin privileges or delegated rights to create and link GPOs in the target OU.
- The GPMC is installed (available via Remote Server Administration Tools (RSAT) or on any domain controller).
- Tamper Protection is disabled on the target machines. Tamper Protection being left enabled is the most common reason GPO-based Microsoft Defender policies fail silently. See the section below.
Disable Tamper Protection first
Tamper Protection is a Windows Security feature that blocks changes to Microsoft Defender settings, including GPO-applied changes, from taking effect. If it is enabled, Group Policy can appear to be applied correctly (via gpresult /r), but Microsoft Defender will keep running regardless.
Tamper Protection cannot be disabled by the Microsoft Defender GPO itself. It must be disabled locally or centrally on each machine before the policy takes effect:
- Open Windows Security on the target machine.
- Go to Virus & threat protection.
- Under Virus & threat protection settings, click Manage settings.
- Toggle Tamper Protection to Off.
In larger environments, you can disable Tamper Protection centrally through Microsoft Intune or Microsoft Defender for Endpoint if those are deployed. If neither is available, a PowerShell startup script can automate the local toggle at login, before GPO processing.
How to disable Microsoft Defender Antivirus using the GPMC
Step 1: Create and link a GPO
- Open the GPMC (gpmc.msc).
- On the left pane, expand your domain and go to the OU containing the target computers.
- Right-click the OU and select Create a GPO in this domain, and Link it here.
- Give the GPO a descriptive name (e.g., Disable Microsoft Defender Antivirus).
- Click OK.
Step 2: Edit the GPO
- Right-click the new GPO and select Edit.
- In the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
Step 3: Disable the antivirus engine
- On the right pane, double-click Turn off Microsoft Defender Antivirus.
- Select Enabled.
- Click Apply > OK.
Note: Why does Enabled turn Microsoft Defender off? This is a common point of confusion. The policy setting is named Turn off Microsoft Defender Antivirus. Setting it to Enabled means you are enabling the "turn off" instruction, which disables Microsoft Defender. Setting it to Disabled means the policy is not active, so Microsoft Defender continues running normally.
Step 4: Disable real-time protection
Even when the main antivirus policy is applied, real-time protection can persist independently on some Windows builds. Disable it explicitly:
- In the same GPO editor, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection.
- Double-click Turn off real-time protection.
- Select Enabled.
- Click Apply > OK.
Step 5: Apply the GPO
- Close the Group Policy Management Editor.
- On a representative target machine, open Command Prompt as an administrator and run gpupdate /force.
- Restart the machine. Some Microsoft Defender policies only take full effect after a reboot; gpupdate /force alone is not always sufficient.
Step 6: Verify the result
- Run gpresult /r /scope computer on the target machine to confirm the GPO is applied.
- Your Disable Microsoft Defender Antivirus GPO should appear in the Applied Group Policy Objects section under COMPUTER SETTINGS. If it appears under The following GPOs were not applied because they were filtered out, check the GPO security filtering and WMI filters.
Registry enforcement: A secondary layer
In practice, Microsoft Defender has gotten harder to disable across newer Windows 10 and Windows 11 builds. Even when the Administrative Templates policies are applied correctly, some configurations cause Microsoft Defender to re-enable itself after updates or reboots. Adding explicit registry values in the same GPO gives you a second enforcement layer.
- In the GPO editor, go to Computer Configuration > Preferences > Windows Settings > Registry.
- Create the following DWORD registry items using the Replace Action:
| Registry path | Value name | Type | Data |
|---|---|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\Windows Defender | DisableAntiSpyware | DWORD | 1 |
| HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | DisableRealtimeMonitoring | DWORD | 1 |
These registry values mirror what the ADMX policy nodes write. Deploying them via GPO Preferences means they will stick even when the ADMX template nodes behave inconsistently across different Windows builds.
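To confirm what actually landed on a target machine after Step 6 and the registry layer above, the following PowerShell check is an added example (not part of the original guide or of ADManager Plus). It reads the two policy values from the table, queries the Defender status cmdlet that ships with Windows, and maps the result to the failure modes this guide describes: GPO not delivered, Tamper Protection still on, or a conflicting management platform. The function name Get-PolicyValue is an assumed helper defined here.

```powershell
# Added verification script, not from the original guide. Run in an elevated
# PowerShell session on a target machine after gpupdate /force and a reboot.
$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns the DWORD if the policy value exists, otherwise $null
    # (meaning the GPO / GPP registry item never reached this machine).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name } else { return $null }
}

$disableAntiSpyware = Get-PolicyValue -Path $policyBase -Name 'DisableAntiSpyware'
$disableRealtime    = Get-PolicyValue -Path "$policyBase\Real-Time Protection" -Name 'DisableRealtimeMonitoring'

# Get-MpComputerStatus is part of the Defender module built into Windows.
$status = Get-MpComputerStatus

[PSCustomObject]@{
    PolicyDisableAntiSpyware      = $disableAntiSpyware
    PolicyDisableRealtimeMonitor  = $disableRealtime
    AntivirusEnabled              = $status.AntivirusEnabled
    RealTimeProtectionEnabled     = $status.RealTimeProtectionEnabled
    TamperProtected               = $status.IsTamperProtected
    WinDefendService              = (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status
} | Format-List

# Map the observed state to the troubleshooting cases in this guide.
if ($null -eq $disableAntiSpyware -and $null -eq $disableRealtime) {
    Write-Warning 'Policy values absent: the GPO did not reach this machine. Check gpresult /r /scope computer, security filtering and WMI filters.'
} elseif ($status.IsTamperProtected) {
    Write-Warning 'Tamper Protection is on: the policy is present but Defender will keep running until it is turned off.'
} elseif ($status.AntivirusEnabled -or $status.RealTimeProtectionEnabled) {
    Write-Warning 'Policy present and Tamper Protection off, yet Defender still runs: check for a conflicting Intune/MDE/MDM policy, or reboot.'
} else {
    Write-Output 'Defender antivirus and real-time protection are off as configured by the GPO.'
}
```

Run centrally against your fleet, the same two registry reads also surface machines where these policy values appear outside the GPO's intended scope, which is worth alerting on.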
Troubleshooting common issues
The policy is applied, but Microsoft Defender keeps re-enabling itself
This is almost always due to Tamper Protection. Confirm that it is off on the affected machine before re-testing. In Windows 11, Tamper Protection is enabled by default and reinstated after Windows updates.
The Turn off Microsoft Defender Antivirus policy setting is missing from the editor
The ADMX template for Microsoft Defender Antivirus may not be present in your central store. Download the latest ADMX files from Microsoft (matching them to your highest Windows version in the environment) and copy them to \\SYSVOL\domain\Policies\PolicyDefinitions. The policy will then appear in the editor after the next refresh.
The GPO appears as applied via gpresult, but Microsoft Defender is still running
Check whether another security management platform (such as Intune, Defender for Endpoint, or a third-party MDM solution) is pushing a conflicting policy. For example, policies applied via Intune take precedence over on-premises GPOs for Tamper Protection settings. In that case, the disablement must be performed through the other management platform.
The toggle is grayed out in Windows Security
When the Microsoft Defender toggle appears grayed out, a GPO is already controlling the setting—either one you applied or one from another source. Run gpresult /r to identify which GPO is enforcing the setting.
Managing and disabling Microsoft Defender at scale with ADManager Plus
The steps above cover a single GPO applied to one or a few OUs. When you are rolling this out across a large domain, multiple OUs, multiple domains, or dozens of affected machines, the GPMC starts to slow you down. Each link is manual, there is no built-in view of where a policy has actually been applied, and anyone investigating a GPO issue needs Domain Admin rights or RSAT on their machine.
ADManager Plus addresses those gaps directly:
- Bulk GPO linking: Apply the Microsoft Defender policy to multiple OUs in a single action instead of linking it one container at a time in the GPMC. This is useful when the policy needs to cover several departments or sites simultaneously.
- Link order management: When another GPO is overriding your Microsoft Defender settings, adjust the link precedence directly from the web console without opening the Group Policy Management Editor on a domain controller.
- On-demand GPO refreshes: Push an immediate policy refresh to selected computers after linking or modifying the GPO, without remotely accessing each machine to run gpupdate /force manually.
- GPO copying across domains: In multi-domain environments, copy the configured Microsoft Defender policy GPO to another domain rather than rebuilding its settings from scratch, keeping configurations consistent.
- Policy visibility: Use the GPO Settings report to confirm that the Turn off Microsoft Defender Antivirus setting is configured correctly across all GPOs in one view. Use the Resultant set of policy report to verify that the policy actually reached a specific machine.
- Scoped delegation: Let help desk technicians trigger GPO refreshes and pull GPO reports within their assigned OUs without being granted Domain Admin rights or requiring RSAT on their workstations.