Enable cloud-delivered protection in Windows Defender AV

Applies to:

  • Windows 10

Audience

  • Enterprise security administrators

Manageability available with

  • Group Policy
  • System Center Configuration Manager
  • PowerShell cmdlets
  • Windows Management Instrumentation (WMI)
  • Microsoft Intune
  • Windows Defender Security Center app

Note

The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud. Rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.

You can enable or disable Windows Defender Antivirus cloud-delivered protection with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app.

See Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus for an overview of Windows Defender Antivirus cloud-delivered protection.

There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See Configure and validate network connections for Windows Defender AV for more details.

Note

In Windows 10, there is no difference between the Basic and Advanced options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the Microsoft Privacy Statement for more information on what we collect.

Use Group Policy to enable cloud-delivered protection:

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor, go to Computer configuration.

  3. Click Administrative templates.

  4. Expand the tree to Windows components > Windows Defender Antivirus > MAPS.

  5. Double-click the Join Microsoft MAPS setting and ensure the option is enabled and set to Basic MAPS or Advanced MAPS. Click OK.

  6. Double-click the Send file samples when further analysis is required setting and ensure the option is set to Enabled and the additional option is one of the following:

    1. Send safe samples (1)
    2. Send all samples (3)

      Warning

      Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the Block at First Sight feature will not function.

  7. Click OK.

Use Configuration Manager to enable cloud-delivered protection:

See How to create and deploy antimalware policies: Cloud-protection service for details on configuring System Center Configuration Manager (current branch).

Use PowerShell cmdlets to enable cloud-delivered protection:

Use the following cmdlets to enable cloud-delivered protection:

Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent Always

Note

You can also set -SubmitSamplesConsent to None. Setting it to Never will lower the protection state of the device, and setting it to 2 means the Block at First Sight feature will not function.

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.

Use Windows Management Instrumentation (WMI) to enable cloud-delivered protection:

Use the Set method of the MSFT_MpPreference class for the following properties:

MAPSReporting 
SubmitSamplesConsent
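
The following is an added example, not part of the original documentation, that serves both the PowerShell and WMI sections above: it audits the two settings against the warnings on this page and shows the WMI Set call through CIM. The helper names are hypothetical, the sample objects are constructed, and the MAPSReporting numeric values (0/1/2) are taken from the MSFT_MpPreference class rather than from this page.

```powershell
# Added example. Helper names are hypothetical; sample objects are constructed.
# SubmitSamplesConsent meanings (0-3) are the ones stated on this page.
# MAPSReporting 0/1/2 = Disabled/Basic/Advanced, per the MSFT_MpPreference class.

function Test-CloudProtection {
    param(
        # Object exposing MAPSReporting and SubmitSamplesConsent.
        # Defaults to the live preferences of the local endpoint.
        $Preference = (Get-MpPreference)
    )
    $findings = @()
    switch ([int]$Preference.MAPSReporting) {
        0               { $findings += 'MAPSReporting is Disabled: cloud-delivered protection is off' }
        { $_ -in 1, 2 } { }  # Basic and Advanced are equivalent on Windows 10
        default         { $findings += "MAPSReporting has unexpected value $_" }
    }
    switch ([int]$Preference.SubmitSamplesConsent) {
        0               { $findings += 'SubmitSamplesConsent is 0 (Always Prompt): lowers the protection state' }
        2               { $findings += 'SubmitSamplesConsent is 2 (Never send): Block at First Sight will not function' }
        { $_ -in 1, 3 } { }  # Send safe samples / Send all samples
        default         { $findings += "SubmitSamplesConsent has unexpected value $_" }
    }
    [pscustomobject]@{
        MAPSReporting        = [int]$Preference.MAPSReporting
        SubmitSamplesConsent = [int]$Preference.SubmitSamplesConsent
        Compliant            = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

# WMI route: call the static Set method of MSFT_MpPreference (elevated session).
function Set-CloudProtectionViaWmi {
    param([byte]$MapsReporting = 2, [byte]$SubmitSamplesConsent = 1)
    Invoke-CimMethod -Namespace 'root/Microsoft/Windows/Defender' `
        -ClassName 'MSFT_MpPreference' -MethodName 'Set' `
        -Arguments @{ MAPSReporting = $MapsReporting; SubmitSamplesConsent = $SubmitSamplesConsent }
}

# Constructed inputs so the audit logic can be exercised on any machine.
$samples = @(
    [pscustomobject]@{ MAPSReporting = 2; SubmitSamplesConsent = 1 },  # recommended
    [pscustomobject]@{ MAPSReporting = 1; SubmitSamplesConsent = 2 },  # never send
    [pscustomobject]@{ MAPSReporting = 0; SubmitSamplesConsent = 0 }   # disabled, prompting
)
foreach ($s in $samples) { Test-CloudProtection -Preference $s | Format-List }
```

On a managed endpoint, run Test-CloudProtection with no arguments after Group Policy or Intune has applied to confirm the effective values.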

See the following for more information and allowed parameters:

Use Intune to enable cloud-delivered protection

  1. Sign in to the Azure portal.
  2. Select All services > Intune.
  3. In the Intune pane, select Device configuration > Profiles, and then select the Device restrictions profile type you want to configure. If you haven't yet created a Device restrictions profile type, or if you want to create a new one, see Configure device restriction settings in Microsoft Intune.
  4. Select Properties, select Settings: Configure, and then select Windows Defender Antivirus.
  5. On the Cloud-delivered protection switch, select Enable.
  6. In the Prompt users before sample submission dropdown, select Send all data without prompting.
  7. In the Submit samples consent dropdown, select one of the following:

    1. Send safe samples automatically
    2. Send all samples automatically

      Warning

      Setting to Always Prompt will lower the protection state of the device. Setting to Never send means the Block at First Sight feature will not function.

  8. Click OK to exit the Windows Defender Antivirus settings pane, click OK to exit the Device restrictions pane, and then click Save to save the changes to your Device restrictions profile.

For more information about Intune device profiles, including how to create and configure their settings, see What are Microsoft Intune device profiles?

Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app

Note

If the Configure local setting override for reporting Microsoft MAPS Group Policy setting is set to Disabled, then the Cloud-based protection setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.

  1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for Defender.

  2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus & threat protection settings label:

Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app

  3. Confirm that Cloud-based Protection and Automatic sample submission are switched to On.

Note

If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.