1) Is there a command line parameter that allows me to use the command PowerShell -Command "single-powershell-command" or PowerShell -ExecutionPolicy Bypass -Command "single-powershell-command" from cmd.exe in Windows 10? Currently Windows Defender interpretes both forms of my command malicious and blocks them. 2) What other methods can I use from cmd.exe to prevent this kind of overreaction from Windows Defender? I prefer native methods over modifying policies or Windows Registry or installing something. I can accept turning off Real-time Protection if it is turned on again immediately after the execution of my single PowerShell command and if turning off/on can both be done from cmd.exe.

1. There is no alternative command line parameter for powershell.exe from cmd.exe that guarantees Windows Defender will not flag your invocation as potentially malicious if it currently blocks both powershell -Command "..." and powershell -ExecutionPolicy Bypass -Command "...". Both syntaxes are standard for passing a single command, and -ExecutionPolicy Bypass (or similar options) only affect how PowerShell handles execution policy, not how Defender treats the invocation.stackoverflow+3

Windows Defender—and similar endpoint protection—are designed to specifically monitor and sometimes block calls to powershell.exe with those commonly abused parameters, regardless of whether the use is legitimate. There is no "stealth" parameter that circumvents this detection without fundamentally changing Defender's threat heuristics.

2. To work around such blocks while preferring native methods and avoiding registry/group policy or permanent security reductions:

• You can temporarily turn off Defender Real-time Protection before running your PowerShell task, then re-enable it immediately afterward. This can be done from the Windows Security UI, or more conveniently, via PowerShell commands:windowscentral+1

  • To turn off (requires running PowerShell as administrator and with Tamper Protection disabled):
    Set-MpPreference -DisableRealtimeMonitoring $true

  • To turn back on:
    Set-MpPreference -DisableRealtimeMonitoring $false
    These commands can be run from cmd.exe by invoking powershell.exe as administrator.windowscentral

• Note: If Tamper Protection is enabled (the default in recent Windows 10/11 builds), the PowerShell method above will not work until Tamper Protection is manually disabled through Windows Security. There is currently no native, automated, and undetectable method to bypass Tamper Protection via cmd.exe or PowerShell. You may need a manual step in Windows Security the first time.learn.microsoft+1

• You can also disable/enable real-time protection from the Windows Security graphical interface by toggling the setting in Virus & threat protection > Manage settings; this is a native method but not scriptable.ninjaone+1

• There are various "execution policy bypass" tricks (see, e.g., encoded or indirect execution with -EncodedCommand, or other techniques enumerated for testing or penetration purposes), but these are also likely to be flagged by Defender and are not more "native" or less suspicious than standard invocation.netspi

Important Caveats:

• Any scripting method for toggling Defender Real-time Protection requires administrator rights.

• Tamper Protection, if enabled, nullifies scripting approaches to toggle real-time protection by blocking the relevant PowerShell commands.learn.microsoft+1

• Disabling real-time protection, even briefly, creates a window of vulnerability. Use caution and ensure it is immediately reverted.

• There is no support for reliable, undetectable, fully native, and without-admin-rights toggling of Defender's behavior via cmd.exe alone.

In summary: There is no alternative parameter for powershell.exe invocation from cmd.exe to evade Defender's heuristics. Temporarily disabling real-time protection is the most direct native workaround, but is subject to Tamper Protection and always requires elevated rights.ninjaone+1