Turn on cloud-delivered protection
Important
The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the Applies To section and look for specific call outs in this article where there might be differences.
Applies to:
Note
The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection.
You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways:
- Microsoft Intune
- Microsoft Endpoint Configuration Manager
- Group Policy
- PowerShell cmdlets.
You can also turn it on or off in individual clients with the Windows Security app.
See Use Microsoft cloud-delivered protection for an overview of Microsoft Defender Antivirus cloud-delivered protection.
For more information about the specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service, see Configure and validate network connections.
Note
In Windows 10, there is no difference between the Basic and Advanced reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the Microsoft Privacy Statement.
Use Intune to turn on cloud-delivered protection
- Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and log in.
- On the Home pane, select Device configuration > Profiles.
- Select the Device restrictions profile type you want to configure. If you need to create a new Device restrictions profile type, see Configure device restriction settings in Microsoft Intune.
- Select Properties > Configuration settings: Edit > Microsoft Defender Antivirus.
- On the Cloud-delivered protection switch, select Enable.
- In the Prompt users before sample submission dropdown, select Send all data automatically.
For more information about Intune device profiles, including how to create and configure their settings, see What are Microsoft Intune device profiles?
Use Microsoft Endpoint Manager to turn on cloud-delivered protection
- Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and log in.
- Choose Endpoint security > Antivirus.
- Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see Configure device restriction settings in Microsoft Intune.
- Select Properties. Then, next to Configuration settings, choose Edit.
- Expand Cloud protection, and then in the Cloud-delivered protection level list, select one of the following:
- High: Applies a strong level of detection.
- High plus: Uses the High level and applies additional protection measures (may impact client performance).
- Zero tolerance: Blocks all unknown executables.
- Select Review + save, then choose Save.
For more information about configuring Microsoft Endpoint Configuration Manager, see How to create and deploy antimalware policies: Cloud-protection service.
Use Group Policy to turn on cloud-delivered protection
On your Group Policy management device, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and select Edit.
In the Group Policy Management Editor, go to Computer configuration.
Select Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus > MAPS
Double-click Join Microsoft MAPS. Ensure the option is turned on and set to Basic MAPS or Advanced MAPS. Select OK.
Double-click Send file samples when further analysis is required. Ensure that the first option is set to Enabled and that the other options are set to either:
Send safe samples (1)
Send all samples (3)
Note
The Send safe samples (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
Warning
Setting the option to Always Prompt (0) will lower the protection state of the device. Setting it to Never send (2) means that the Block at First Sight feature of Microsoft Defender for Endpoint won't work.
Select OK.
Use PowerShell cmdlets to turn on cloud-delivered protection
The following cmdlets can turn on cloud-delivered protection:
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
For more information on how to use PowerShell with Microsoft Defender Antivirus, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender cmdlets. Policy CSP - Defender also has more information specifically on -SubmitSamplesConsent.
Note
You can also set -SubmitSamplesConsent to SendSafeSamples
(the default setting), NeverSend
, or AlwaysPrompt
. The SendSafeSamples
setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
Warning
Setting -SubmitSamplesConsent to NeverSend
or AlwaysPrompt
will lower the protection level of the device. In addition, setting it to NeverSend
means that the Block at First Sight feature of Microsoft Defender for Endpoint won't work.
Use Windows Management Instruction (WMI) to turn on cloud-delivered protection
Use the Set method of the MSFT_MpPreference class for the following properties:
MAPSReporting
SubmitSamplesConsent
For more information about allowed parameters, see Windows Defender WMIv2 APIs
Turn on cloud-delivered protection on individual clients with the Windows Security app
Note
If the Configure local setting override for reporting Microsoft MAPS Group Policy setting is set to Disabled, then the Cloud-based protection setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
Open the Windows Security app by selecting the shield icon in the task bar, or by searching the start menu for Defender.
Select the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus & threat protection settings label:
Confirm that Cloud-based Protection and Automatic sample submission are switched to On.
Note
If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
Related articles
- Configure the cloud block timeout period
- Configure block at first sight
- Use PowerShell cmdlets to manage Microsoft Defender Antivirus
- Help secure Windows PCs with Endpoint Protection for Microsoft Intune]
- Defender cmdlets
- Use Microsoft cloud-delivered protection in Microsoft Defender Antivirus
- How to create and deploy antimalware policies: Cloud-protection service
- Microsoft Defender Antivirus in Windows 10