Skip to main content

Disable Microsoft Security Client Policy Configuration Tool

Apply Now
Works with Windows 10 and 11Works with Windows Vista, XP, 7, 8, 10, 11, and Windows Server 2008 or newer.
  • Single actionThis page belongs to a script, containing basic changes to achieve a task.
  • Windows onlyThis script improves your privacy on Windows
  • Impact: HighSystem Functionality Loss Risk: High
    This action improves privacy with high impact when you run the recommended script.
  • Batch (batchfile)These changes use Windows system commands to update your settings.
  • Fully reversible

    You can fully restore this action (revert back to the original behavior) using this website.

    The restore/revert methods provided here can help you fix issues.

Overview

This script disables the ConfigSecurityPolicy.exe process.

This process is also known as Microsoft Security Client Policy Configuration Tool 1 2 3 4 5 6. It was formerly known as Microsoft Security Client Policy Configure 7.

This tool is part of Defender Antivirus 3 8 9, Defender for Endpoint 1 2 and the Security Configuration Engine 5. The Security Configuration Engine handles security configuration requests on Windows 10. The engine functions as an extension of the Local Group Policy Editor for security settings 10.

It is used for managing security policies and settings 3 4 5 8 9 11 12. These settings include user account control, password policies, audit policies, and other security-related settings 11.

The tool allows remote management over the Internet 3 5 13 through:

  • Configuration Manager 4 8
  • Microsoft Intune 4 8
  • System Center Endpoint Protection 12

It tracks and logs the status of policy enforcement 9, which may expose system data.

This script improves your privacy by:

  • Preventing automatic policy updates from Microsoft servers
  • Reducing data collection and communication with Microsoft services
  • Limiting remote management capabilities that may be used to monitor system behavior

This script also improves your security by removing a potential attack target. Malicious actors may exploit this tool to:

  • Download harmful software 3 5
  • Extract sensitive data 3 5
  • Execute unauthorized code 5
  • Disable security features 5

This script may improve system performance by:

  • Reducing background processes
  • Decreasing startup time
  • Lowering system resource usage

However, disabling this tool presents the following security risks:

  • May prevent automatic security policy updates
  • May leave the system vulnerable to threats that could be blocked by updated policies
  • May prevent administrators from managing security settings in work or school environments, potentially violating organizational policies
Caution

Disabling this tool may reduce protection against malware and other security threats.

Technical Details

File locations:

  • Modern Windows: %PROGRAMFILES%\Windows Defender\ConfigSecurityPolicy.exe 1 13
  • Older versions:
  • %PROGRAMFILES%\Microsoft Security Client\ConfigSecurityPolicy.exe 1 7 8
  • %PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\ConfigSecurityPolicy.exe 3 13
  1. Not Advised

    This script should only be used by advanced users.

    This script is not recommended for daily use as it breaks important functionality.

    Consider creating a system restore point before doing any changes.

  2. Security Trade-off

    This action prioritizes privacy over certain security features. It's not recommended and should only be used by advanced users after understanding its implications.

    Increased Privacy

    Enhanced privacy through reduced data collection and tracking

    Decreased Security

    Some security features will be disabled or limited

    This script can be reversed, this allows you to restore the default system security.

Sources
PrivacyLearn.com maintains strict sourcing standards for accuracy, integrity and up-to-date content. Our content relies on authoritative sources including vendor documentation, industry standards, and verified research. Learn more about our verification process and quality standards in our editorial standards page.

Apply Now

Choose one of three ways to apply:

Download script

Download and run the script directly
  • No app needed
  • Offline usage
  • Easy-to-apply
  • Free
  • Open-source
Help

How to apply or restore "Disable Microsoft Security Client Policy Configuration Tool" using script

  • ≈ 2 min to complete
  • Tools: Web Browser
  • Difficulty: Simple
  • ≈ 5 instructions
  1. 1

    Download

    Download the script file by clicking on the   Apply protection  button above.
    Use   Undo protection button above to restore changes.
  2. 2

    Keep the file

    If warned by your browser, keep the file.
  3. 3

    Open

    Open the downloaded file.
  4. 4

    Exit

    Once it's done, press any key to exit the window.
  5. 5

    Restart

    Restart your computer for all changes to take effect.

Apply with privacy.sexy

Guided, automated application with safety checks
  • Recommended for most users
  • Includes safety checks
  • Free
  • Open-source
  • Popular
  • Offline/Online usage
Open privacy.sexy
Help

How to apply or restore "Disable Microsoft Security Client Policy Configuration Tool" using privacy.sexy

  • ≈ 3 min to complete
  • Tools: privacy.sexy
  • Difficulty: Simple
  • ≈ 4 instructions
privacy.sexy is free and open-source application that lets securely apply this action easily with more advanced options.
  1. 1

    Open or download

    Open or download the desktop application
  2. 2

    Choose script

    1. Search for the script name: Disable Microsoft Security Client Policy Configuration Tool
    2. Check the script by clicking on the checkbox.
  3. 3

    Run

    Click on ▶️ Run button at the bottom of the page.

    This button only appears on desktop version (recommended). On browser, use 💾 Save button.

Run commands

Copy and run commands manually Requires technical knowledge
Apply changes
:: Check and terminate the running process "ConfigSecurityPolicy.exe"
tasklist /fi "ImageName eq ConfigSecurityPolicy.exe" /fo csv 2>NUL | find /i "ConfigSecurityPolicy.exe">NUL && (
    echo ConfigSecurityPolicy.exe is running and will be killed.
    taskkill /f /im ConfigSecurityPolicy.exe
) || (
    echo Skipping, ConfigSecurityPolicy.exe is not running.
)
:: Configure termination of "ConfigSecurityPolicy.exe" immediately upon its startup
:: Set the registry value: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe!Debugger"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe'; $data =  '%SYSTEMROOT%\System32\taskkill.exe'; reg add 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe' /v 'Debugger' /t 'REG_SZ' /d "^""$data"^"" /f"
:: Add a rule to prevent the executable "ConfigSecurityPolicy.exe" from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "$executableFilename='ConfigSecurityPolicy.exe'; try { $registryPathForDisallowRun='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'; $existingBlockEntries = Get-ItemProperty -Path "^""$registryPathForDisallowRun"^"" -ErrorAction Ignore; $nextFreeRuleIndex = 1; if ($existingBlockEntries) { $existingBlockingRuleForExecutable = $existingBlockEntries.PSObject.Properties | Where-Object { $_.Value -eq $executableFilename }; if ($existingBlockingRuleForExecutable) { $existingBlockingRuleIndexForExecutable = $existingBlockingRuleForExecutable.Name; Write-Output "^""Skipping, no action needed: '$executableFilename' is already blocked under rule index `"^""$existingBlockingRuleIndexForExecutable`"^""."^""; exit 0; }; $occupiedRuleIndexes = $existingBlockEntries.PSObject.Properties | Where-Object { $_.Name -Match '^\d+$' } | Select -ExpandProperty Name; if ($occupiedRuleIndexes) { while ($occupiedRuleIndexes -Contains $nextFreeRuleIndex) { $nextFreeRuleIndex += 1; }; }; }; Write-Output "^""Adding block rule for `"^""$executableFilename`"^"" under rule index `"^""$nextFreeRuleIndex`"^""."^""; if (!(Test-Path $registryPathForDisallowRun)) { New-Item -Path "^""$registryPathForDisallowRun"^"" -Force -ErrorAction Stop | Out-Null; }; New-ItemProperty -Path "^""$registryPathForDisallowRun"^"" -Name "^""$nextFreeRuleIndex"^"" -PropertyType String -Value "^""$executableFilename"^"" ` -ErrorAction Stop | Out-Null; Write-Output "^""Successfully blocked `"^""$executableFilename`"^"" with rule index `"^""$nextFreeRuleIndex`"^""."^""; } catch { Write-Error "^""Failed to block `"^""$executableFilename`"^"": $_"^""; Exit 1; }"
:: Activate the DisallowRun policy to block specified programs from running via File Explorer
PowerShell -ExecutionPolicy Unrestricted -Command "try { $fileExplorerDisallowRunRegistryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; $currentDisallowRunPolicyValue = Get-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -ErrorAction Ignore | Select -ExpandProperty DisallowRun; if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) { Write-Output "^""Creating DisallowRun policy at `"^""$fileExplorerDisallowRunRegistryPath`"^""."^""; if (!(Test-Path $fileExplorerDisallowRunRegistryPath)) { New-Item -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Force -ErrorAction Stop | Out-Null; }; New-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -Value 1 -PropertyType DWORD -Force -ErrorAction Stop | Out-Null; Write-Output 'Successfully activated DisallowRun policy.'; Exit 0; }; if ($currentDisallowRunPolicyValue -eq 1) { Write-Output 'Skipping, no action needed: DisallowRun policy is already in place.'; Exit 0; }; Write-Output 'Updating DisallowRun policy from unexpected value `"^""$currentDisallowRunPolicyValue`"^"" to `"^""1`"^"".'; Set-ItemProperty -Path "^""$fileExplorerDisallowRunRegistryPath"^"" -Name 'DisallowRun' -Value 1 -Type DWORD -Force -ErrorAction Stop | Out-Null; Write-Output 'Successfully activated DisallowRun policy.'; } catch { Write-Error "^""Failed to activate DisallowRun policy: $_"^""; Exit 1; }"
:: Soft delete files matching pattern: "%PROGRAMFILES%\Windows Defender\ConfigSecurityPolicy.exe"  as TrustedInstaller
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$pathGlobPattern = "^""%PROGRAMFILES%\Windows Defender\ConfigSecurityPolicy.exe"^""'+"^""`r`n"^""+'$expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern)'+"^""`r`n"^""+'Write-Host "^""Searching for items matching pattern: `"^""$($expandedPath)`"^""."^""'+"^""`r`n"^""+''+"^""`r`n"^""+'$renamedCount   = 0'+"^""`r`n"^""+'$skippedCount   = 0'+"^""`r`n"^""+'$failedCount    = 0'+"^""`r`n"^""+''+"^""`r`n"^""+'$foundAbsolutePaths = @()'+"^""`r`n"^""+''+"^""`r`n"^""+'try {'+"^""`r`n"^""+'    $foundAbsolutePaths += @('+"^""`r`n"^""+'        Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName'+"^""`r`n"^""+'    )'+"^""`r`n"^""+'} catch [System.Management.Automation.ItemNotFoundException] {'+"^""`r`n"^""+'    <# Swallow, do not run `Test-Path` before, it''s unreliable for globs requiring extra permissions #>'+"^""`r`n"^""+'}'+"^""`r`n"^""+'$foundAbsolutePaths = $foundAbsolutePaths   `'+"^""`r`n"^""+'    | Select-Object -Unique                 `'+"^""`r`n"^""+'    | Sort-Object -Property { $_.Length } -Descending'+"^""`r`n"^""+'if (!$foundAbsolutePaths) {'+"^""`r`n"^""+'    Write-Host ''Skipping, no items available.'''+"^""`r`n"^""+'    exit 0'+"^""`r`n"^""+'}'+"^""`r`n"^""+'Write-Host "^""Initiating processing of $($foundAbsolutePaths.Count) items from `"^""$expandedPath`"^""."^""'+"^""`r`n"^""+'foreach ($path in $foundAbsolutePaths) {'+"^""`r`n"^""+'    if (Test-Path -Path $path -PathType Container) {'+"^""`r`n"^""+'    Write-Host "^""Skipping folder (not its contents): `"^""$path`"^""."^""'+"^""`r`n"^""+'    $skippedCount++'+"^""`r`n"^""+'    continue'+"^""`r`n"^""+'}'+"^""`r`n"^""+'if($revert -eq $true) {'+"^""`r`n"^""+'    if (-not $path.EndsWith(''.OLD'')) {'+"^""`r`n"^""+'        Write-Host "^""Skipping non-backup file: `"^""$path`"^""."^""'+"^""`r`n"^""+'        $skippedCount++'+"^""`r`n"^""+'        continue'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'} else {'+"^""`r`n"^""+'    if ($path.EndsWith(''.OLD'')) {'+"^""`r`n"^""+'        Write-Host "^""Skipping backup file: `"^""$path`"^""."^""'+"^""`r`n"^""+'        $skippedCount++'+"^""`r`n"^""+'        continue'+"^""`r`n"^""+'    }'+"^""`r`n"^""+'}'+"^""`r`n"^""+'$originalFilePath = $path'+"^""`r`n"^""+'Write-Host "^""Processing file: `"^""$originalFilePath`"^""."^""'+"^""`r`n"^""+'if (-Not (Test-Path $originalFilePath)) {'+"^""`r`n"^""+'    Write-Host "^""Skipping, file `"^""$originalFilePath`"^"" not found."^""'+"^""`r`n"^""+'    $skippedCount++'+"^""`r`n"^""+'    exit 0'+"^""`r`n"^""+'}'+"^""`r`n"^""+''+"^""`r`n"^""+'if ($revert -eq $true) {'+"^""`r`n"^""+'    $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4)'+"^""`r`n"^""+'} else {'+"^""`r`n"^""+'    $newFilePath = "^""$($originalFilePath).OLD"^""'+"^""`r`n"^""+'}'+"^""`r`n"^""+'try {'+"^""`r`n"^""+'    Move-Item -LiteralPath "^""$($originalFilePath)"^"" -Destination "^""$newFilePath"^"" -Force -ErrorAction Stop'+"^""`r`n"^""+'    Write-Host "^""Successfully processed `"^""$originalFilePath`"^""."^""'+"^""`r`n"^""+'    $renamedCount++'+"^""`r`n"^""+'    '+"^""`r`n"^""+'} catch {'+"^""`r`n"^""+'    Write-Error "^""Failed to rename `"^""$originalFilePath`"^"" to `"^""$newFilePath`"^"": $($_.Exception.Message)"^""'+"^""`r`n"^""+'    $failedCount++'+"^""`r`n"^""+'    '+"^""`r`n"^""+'}'+"^""`r`n"^""+'}'+"^""`r`n"^""+'if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) {'+"^""`r`n"^""+'    Write-Host "^""Successfully processed $renamedCount items and skipped $skippedCount items."^""'+"^""`r`n"^""+'}'+"^""`r`n"^""+'if ($failedCount -gt 0) {'+"^""`r`n"^""+'    Write-Warning "^""Failed to process $($failedCount) items."^""'+"^""`r`n"^""+'}'+"^""`r`n"^""+''; Invoke-AsTrustedInstaller $cmd"
Help

How to apply or restore "Disable Microsoft Security Client Policy Configuration Tool" using commands

  • ≈ 2 min to complete
  • Tools: Command Prompt
  • Difficulty: Medium
  • ≈ 3 instructions
 View step-by-step guide with screenshots
  1. 1

    Open Command Prompt

    Open Command Prompt as Administrator.
  2. 2

    Copy code

    Copy the code:
    Copy Apply Code Copy Revert Code
  3. 3

    Paste & run

    Paste the commands into Command Prompt and press Enter to run.

    Some changes require a system restart to take effect

Similar Guides

Wider Goal

Guides below includes this guide to achieve a wider goal.See other more general settings that includes this one as one of its actions.
These plans combine multiple privacy settings, including this one, for stronger protection.
This category contains scripts that disable Defender Antivirus management capabilities. Defender Antivirus uses management features to control how it wor...

Disable Defender Antivirus management

Same Goal

Other guides in Disable Defender Antivirus management See settings that are in the same category as this guide.
Using other actions in the same category may help you achieve your goal better.
Disable Defender Antivirus remote management
Disable Defender Antivirus command-line library
Disable Defender Antivirus command-line utility
Disable Defender Antivirus WMI management

About the Creators

These people have authored this documentation and written its scripts:

  • Avatar of undergroundwires. The creator of PrivacyLearn and privacy.sexy. Black and white portrait showing a person wearing a polka dot tie and suit jacket, reflecting the professional expertise behind the privacy protection tools.
    • Certified security professional
    • 7+ years experience securing banks
    • Open-source developer since 2005
    • EU advisor, Public Speaker, Moderator
    • Hundreds across the globe
    • Testers, reviewers, developers
    • Companies, military agencies
    • Community since 2017
About Us

Reviewed By

This guide has undergone comprehensive auditing and peer review:

  • Expert review by undergroundwires

    • Verified technical accuracy and editorial standards
    • Assessed system impact and user privacy risks
    • Audited and verified using automated security tests

  • Public review by large community

    • Privacy enthusiasts and professionals peer-reviewed
    • Millions of end-users tested across different environments
    • Audited and verified using third-party security software

History

We continually monitor our guides, their impact and other potential privacy options. We update our guides when new information becomes available. On every update, we publicly store who made the change, what has been changed, why the change was made and when the change was made.

Review Change History Our Change Process