@pavel-kirienko
Created May 11, 2025 21:44
A script that disables Windows security features: Defender, Firewall, UAC, SmartScreen, Windows Update, etc.
# This script will disable most of the Windows security-related features.
# It is mostly intended for use in disposable VMs, such as simulation and CI/CD runners.
# Read the source to see what exactly is done.
# Author: Pavel Kirienko <[email protected]>
# Relaunch elevated if needed.
# The current token is checked for membership in the built-in Administrators
# role; when it is not elevated, the same script file is started again through
# the "RunAs" verb (which raises a UAC consent prompt) and this instance exits.
# The relaunch passes -ExecutionPolicy Bypass, so the elevated copy runs
# regardless of the machine's execution policy. The resulting powershell.exe
# command line is visible in process-creation telemetry (Security event 4688
# with command-line auditing, Sysmon event 1).
# NOTE(review): $PSCommandPath is empty when the code is pasted into a console
# instead of being run from a file, so the relaunch would have no script to
# run - confirm the intended way of invoking this.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = [Security.Principal.WindowsPrincipal] $currentIdentity
$IsAdmin = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $IsAdmin) {
    Write-Host 'Elevating privileges…'
    $relaunchArgs = "-ExecutionPolicy Bypass -File `"$PSCommandPath`""
    Start-Process -FilePath powershell.exe -ArgumentList $relaunchArgs -Verb RunAs
    exit
}
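function Disable-ServicePermanent {
    <#
    .SYNOPSIS
    Stops a service and sets its startup type to Disabled, then reports the
    state the service actually ended up in.

    .DESCRIPTION
    Does nothing (and prints nothing) when the service does not exist.
    Stop-Service and Set-Service are called best-effort with their errors
    suppressed, so the result is verified by querying the service again
    instead of assuming success. The original printed "disabled" even when
    Set-Service had failed, which made the console output unreliable as a
    record of the machine's state.

    A start-type change is recorded by the Service Control Manager in the
    System event log (event 7040), which is where a change made by this
    function can be confirmed or detected afterwards.

    .PARAMETER Name
    Service name (not display name) to stop and disable.
    #>
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return
    }

    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    }
    Set-Service -Name $Name -StartupType Disabled -ErrorAction SilentlyContinue

    # Re-read the service: the two calls above swallow their errors, so only
    # the observed start type says whether the change took effect.
    # NOTE(review): StartType is assumed to be available on the object returned
    # by Get-Service (Windows PowerShell 5+); where it is missing the warning
    # branch is taken.
    $after = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($after -and $after.StartType -eq 'Disabled') {
        Write-Host "Service '$Name' disabled."
    }
    else {
        Write-Warning "Service '$Name' could not be disabled (start type is '$($after.StartType)')."
    }
}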
# Disable Microsoft Defender.
# Three independent mechanisms are attempted: the WinDefend service, the
# Set-MpPreference switches, and a policy registry value.
# Detection note: each of them is a standard "impair defenses" indicator
# (MITRE ATT&CK T1562.001). Defender itself logs configuration changes in its
# Operational log (events 5001 and 5007), and the policy value is visible to
# registry auditing (Sysmon event 13).
Write-Host "`n=== Disabling Microsoft Defender ==="
Disable-ServicePermanent -Name 'WinDefend'
Import-Module Defender -ErrorAction SilentlyContinue

# Every preference below is passed to Set-MpPreference as $true.
$mpPrefs = @{}
$mpPrefNames = @(
    'DisableRealtimeMonitoring'
    'DisableBehaviorMonitoring'
    'DisableBlockAtFirstSeen'
    'DisableIOAVProtection'
    'DisablePrivacyMode'
    'DisableScriptScanning'
    'UILockdown'
    'DisableArchiveScanning'
    'DisableIntrusionPreventionSystem'
    'DisableRemovableDriveScanning'
)
foreach ($prefName in $mpPrefNames) {
    $mpPrefs[$prefName] = $true
}

# Best effort: a failure is reported and the script carries on.
# NOTE(review): catch only sees terminating errors; if Set-MpPreference reports
# a non-terminating error the message below is not printed - confirm.
try {
    Set-MpPreference @mpPrefs
}
catch {
    Write-Host 'Set-MpPreference failed (likely due to tamper protection), continuing…'
}

# Persist via Group-Policy registry key.
# NOTE(review): Microsoft has documented DisableAntiSpyware as a legacy value
# that current client builds of Defender ignore - confirm for the target OS.
$defKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$defKeyExists = Test-Path $defKey
if (-not $defKeyExists) {
    $null = New-Item $defKey -Force
}
Set-ItemProperty -Path $defKey -Name DisableAntiSpyware -Type DWord -Value 1
# Disable Windows Update.
# The update-related services are stopped and disabled, then automatic updates
# are switched off through the policy registry key.
# Consequence for the image: it no longer receives security patches, so its
# exposure grows with its age; a runner in this state is best rebuilt from a
# patched base image rather than kept.
Write-Host "`n=== Disabling Windows Update services ==="
$updateServices = @(
    'wuauserv'      # Windows Update
    'UsoSvc'        # Update Orchestrator
    'WaaSMedicSvc'  # Update Medic
    'BITS'          # Background Intelligent Transfer (optional, but keeps WU silent)
)
foreach ($serviceName in $updateServices) {
    Disable-ServicePermanent -Name $serviceName
}

# Block Automatic Updates via policy registry.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuKeyExists = Test-Path $wuKey
if (-not $wuKeyExists) {
    $null = New-Item $wuKey -Force
}
Set-ItemProperty -Path $wuKey -Name NoAutoUpdate -Type DWord -Value 1
# AUOptions 2 = notify before download (redundant when the service is disabled).
Set-ItemProperty -Path $wuKey -Name AUOptions -Type DWord -Value 2
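# Disable Windows Defender Firewall.
# All profiles are switched off at runtime, the firewall service (MpsSvc) is
# stopped and disabled, and EnableFirewall=0 is written for each profile under
# the policy registry key.
# Detection note: turning the host firewall off is tracked as MITRE ATT&CK
# T1562.004; the policy values written below are visible to registry auditing
# (Sysmon event 13).
Write-Host "`n=== Disabling Windows Firewall ==="
try {
    Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled False # Domain, Private, Public
    Write-Host 'Firewall profiles disabled.'
}
catch {
    Write-Warning "Set-NetFirewallProfile failed: $_"
}
Disable-ServicePermanent -Name 'MpsSvc'

# Persist via policy registry.
# NOTE(review): the original comment says Group Policy cannot turn the firewall
# back on; a domain GPO that configures the firewall presumably writes to these
# same policy keys and would replace the values on refresh - verify.
$fwKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
if (-not (Test-Path $fwKey)) { New-Item $fwKey -Force | Out-Null }

# The loop variable is deliberately not called $profile: variable names are
# case-insensitive, so that name is the automatic $PROFILE variable and the
# original loop overwrote it.
foreach ($profileName in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
    $k = Join-Path $fwKey $profileName
    if (-not (Test-Path $k)) { New-Item $k -Force | Out-Null }
    Set-ItemProperty -Path $k -Name EnableFirewall -Type DWord -Value 0
}
Write-Host 'Firewall disabled in policy registry.'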
# === Disable SmartScreen globally ===
# Writes the SmartScreen policy values under the Windows\System policy key and
# then two Attachment Manager values under Policies\Attachments.
# Both keys are visible to registry auditing (Sysmon event 13).
Write-Host "`n=== Disabling SmartScreen ==="
$sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$sysKeyExists = Test-Path $sysKey
if (-not $sysKeyExists) {
    $null = New-Item $sysKey -Force
}
Set-ItemProperty -Path $sysKey -Name EnableSmartScreen -Type DWord -Value 0
Set-ItemProperty -Path $sysKey -Name ShellSmartScreenLevel -Type String -Value 'Off'

# Attachment Manager settings (the original labels these "reputation-based
# checks for EXE/MSI downloads").
# NOTE(review): the original comment reads "2 = disabled", which does not match
# Microsoft's Attachment Manager documentation as far as I recall: 2 is the
# "optional" setting for ScanWithAntiVirus, and for SaveZoneInformation it means
# zone information is still saved, so downloaded files presumably keep their
# Mark-of-the-Web - verify against the current documentation.
$attKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments'
$attKeyExists = Test-Path $attKey
if (-not $attKeyExists) {
    $null = New-Item $attKey -Force
}
foreach ($attValueName in 'ScanWithAntiVirus', 'SaveZoneInformation') {
    Set-ItemProperty -Path $attKey -Name $attValueName -Type DWord -Value 2
}
Write-Host 'SmartScreen disabled.'
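# === Enable Developer Mode (this enables symlinks) ===
# Sets AllowDevelopmentWithoutDevLicense=1 with reg.exe. Unlike the cmdlets used
# elsewhere in this script, a native command signals failure only through its
# exit code, so the exit code is checked before success is reported (the
# original printed the success line unconditionally).
# NOTE(review): "enables symlinks" presumably refers to creating symbolic links
# without elevation - confirm for the target Windows version.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /v AllowDevelopmentWithoutDevLicense /d 1 /f
if ($LASTEXITCODE -eq 0) {
    Write-Host 'Developer Mode enabled.'
}
else {
    Write-Warning "reg add failed with exit code $LASTEXITCODE; Developer Mode was not enabled."
}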
# === Disable UAC ===
# Sets EnableLUA and the three prompt-behaviour values to 0 under the
# Policies\System key, then prints the closing message. The script itself says
# a restart is needed for the changes to take effect.
# Detection note: these four values sit in one well-known key, so a registry
# audit rule (Sysmon event 13) on Policies\System covers all of them.
Write-Host "`n=== Disabling User Account Control (UAC) ==="
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacKeyExists = Test-Path $uacKey
if (-not $uacKeyExists) {
    $null = New-Item $uacKey -Force
}

# EnableLUA comes first; the remaining values only matter if UAC is later
# re-enabled.
# NOTE(review): for ConsentPromptBehaviorUser, 0 is documented as "automatically
# deny elevation requests" for standard users, which is not the same as
# removing the prompt - verify that this is the intended value.
$uacValueNames = @(
    'EnableLUA'
    'ConsentPromptBehaviorAdmin'
    'ConsentPromptBehaviorUser'
    'PromptOnSecureDesktop'
)
foreach ($uacValueName in $uacValueNames) {
    Set-ItemProperty -Path $uacKey -Name $uacValueName -Type DWord -Value 0
}
Write-Host 'UAC disabled.'

Write-Host "`nSuccess! :3 Please restart the machine for the changes to take effect."