Enable cloud-delivered protection
- Microsoft Defender Antivirus
The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection.
You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
See Use Microsoft cloud-delivered protection for an overview of Microsoft Defender Antivirus cloud-delivered protection.
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See Configure and validate network connections for more details.
In Windows 10, there is no difference between the Basic and Advanced reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the Microsoft Privacy Statement for more information on what we collect.
Use Intune to enable cloud-delivered protection
Sign in to the Azure portal.
Select All services > Intune.
In the Intune pane, select Device configuration > Profiles, and then select the Device restrictions profile type you want to configure. If you haven't yet created a Device restrictions profile type, or if you want to create a new one, see Configure device restriction settings in Microsoft Intune.
Select Properties, select Settings: Configure, and then select Microsoft Defender Antivirus.
On the Cloud-delivered protection switch, select Enable.
In the Prompt users before sample submission dropdown, select Send all data without prompting.
In the Submit samples consent dropdown, select one of the following:
- Send safe samples automatically
- Send all samples automatically
The Send safe samples automatically option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
Setting this option to Always Prompt will lower the protection state of the device. Setting it to Never send means the Block at First Sight feature of Microsoft Defender ATP won't work.
Click OK to exit the Microsoft Defender Antivirus settings pane, click OK to exit the Device restrictions pane, and then click Save to save the changes to your Device restrictions profile.
For more information about Intune device profiles, including how to create and configure their settings, see What are Microsoft Intune device profiles?
Use Configuration Manager to enable cloud-delivered protection
See How to create and deploy antimalware policies: Cloud-protection service for details on configuring Microsoft Endpoint Configuration Manager (current branch).
Use Group Policy to enable cloud-delivered protection
On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
In the Group Policy Management Editor, go to Computer configuration.
Select Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus > MAPS.
Double-click Join Microsoft MAPS. Ensure the option is enabled and set to Basic MAPS or Advanced MAPS. Select OK.
Double-click Send file samples when further analysis is required. Ensure that the option is set to Enabled and that the other options are either of the following:
- Send safe samples (1)
- Send all samples (3)
The Send safe samples (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
Setting the option to Always Prompt (0) will lower the protection state of the device. Setting it to Never send (2) means that the Block at First Sight feature of Microsoft Defender ATP won't work.
Use PowerShell cmdlets to enable cloud-delivered protection
Use the following cmdlets to enable cloud-delivered protection:
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
See Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Microsoft Defender Antivirus. Policy CSP - Defender also has more information specifically on -SubmitSamplesConsent.
You can also set -SubmitSamplesConsent to SendSafeSamples (the default setting). The SendSafeSamples setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
Setting -SubmitSamplesConsent to AlwaysPrompt will lower the protection level of the device. In addition, setting it to NeverSend means that the Block at First Sight feature of Microsoft Defender ATP won't work.
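To confirm that the settings took effect on an endpoint, the following added example (not part of the original documentation) reads them back with Get-MpPreference and flags the values this page says weaken protection. The function name Test-CloudProtection and the sample object are hypothetical; the numeric MAPSReporting mapping (0 Disabled, 1 Basic, 2 Advanced) is an assumption taken from the Set-MpPreference documentation rather than from this page.

```powershell
# Added example: reads back the two settings this page configures.
# SubmitSamplesConsent numbers match the Group Policy section of this page;
# MAPSReporting numbers (0/1/2) are assumed from the Set-MpPreference documentation.
function Test-CloudProtection {   # hypothetical helper name
    param([Parameter(Mandatory)] $Preference)

    $mapsNames    = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
    $consentNames = @{ 0 = 'AlwaysPrompt'; 1 = 'SendSafeSamples'; 2 = 'NeverSend'; 3 = 'SendAllSamples' }

    # Get-MpPreference returns these as bytes; normalise to int for lookups.
    $maps     = [int]$Preference.MAPSReporting
    $consent  = [int]$Preference.SubmitSamplesConsent
    $findings = @()

    if (-not $mapsNames.ContainsKey($maps)) {
        $findings += "Unexpected MAPSReporting value: $maps"
    } elseif ($maps -eq 0) {
        $findings += 'MAPSReporting is Disabled: cloud-delivered protection is off.'
    }

    if (-not $consentNames.ContainsKey($consent)) {
        $findings += "Unexpected SubmitSamplesConsent value: $consent"
    } elseif ($consent -eq 0) {
        $findings += 'SubmitSamplesConsent is AlwaysPrompt: lowers the protection state of the device.'
    } elseif ($consent -eq 2) {
        $findings += 'SubmitSamplesConsent is NeverSend: Block at First Sight will not work.'
    }

    [pscustomobject]@{
        MAPSReporting        = $mapsNames[$maps]
        SubmitSamplesConsent = $consentNames[$consent]
        Compliant            = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

# Constructed sample input (not real endpoint data): Advanced MAPS, NeverSend.
$sample = [pscustomobject]@{ MAPSReporting = 2; SubmitSamplesConsent = 2 }
Test-CloudProtection -Preference $sample | Format-List

# On a Windows endpoint with the Defender module, audit the live configuration.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    Test-CloudProtection -Preference (Get-MpPreference) | Format-List
}
```

For the constructed sample, Compliant is False and the single finding is the NeverSend one, because Advanced MAPS alone does not satisfy the sample-submission requirement for Block at First Sight.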
Use Windows Management Instrumentation (WMI) to enable cloud-delivered protection
Use the Set method of the MSFT_MpPreference class for the following properties:
See the following for more information and allowed parameters:
Enable cloud-delivered protection on individual clients with the Windows Security app
If the Configure local setting override for reporting Microsoft MAPS Group Policy setting is set to Disabled, then the Cloud-based protection setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for Defender.
Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus & threat protection settings label.
Confirm that Cloud-based Protection and Automatic sample submission are switched to On.
If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
- Configure the cloud block timeout period
- Configure block at first sight
- Use PowerShell cmdlets to manage Microsoft Defender Antivirus
- Help secure Windows PCs with Endpoint Protection for Microsoft Intune
- Defender cmdlets
- Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus
- How to create and deploy antimalware policies: Cloud-protection service
- Microsoft Defender Antivirus in Windows 10