Enable cloud-delivered protection in Windows Defender AV
- Windows 10
- Enterprise security administrators
Manageability available with
- Group Policy
- System Center Configuration Manager
- PowerShell cmdlets
- Windows Management Instrumentation (WMI)
- Microsoft Intune
- Windows Defender Security Center app
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
You can enable or disable Windows Defender Antivirus cloud-delivered protection with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app.
See Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus for an overview of Windows Defender Antivirus cloud-delivered protection.
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See Configure and validate network connections for Windows Defender AV for more details.
In Windows 10, there is no difference between the Basic and Advanced options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the Microsoft Privacy Statement for more information on what we collect.
Use Group Policy to enable cloud-delivered protection:
On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
In the Group Policy Management Editor go to Computer configuration.
Click Policies then Administrative templates.
Expand the tree to Windows components > Windows Defender Antivirus > MAPS.
Double-click the Join Microsoft MAPS setting and ensure the option is enabled and set to Basic MAPS or Advanced MAPS. Click OK.
Double-click the Send file samples when further analysis is required setting and ensure the option is set to Enabled and the additional options are either of the following:
- Send safe samples (1)
- Send all samples (3)
Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the Block at First Sight feature will not function.
Use Configuration Manager to enable cloud-delivered protection:
See How to create and deploy antimalware policies: Cloud-protection service for details on configuring System Center Configuration Manager (current branch).
Use PowerShell cmdlets to enable cloud-delivered protection:
Use the following cmdlets to enable cloud-delivered protection:
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent Always
You can also set -SubmitSamplesConsent to None. Setting it to Never will lower the protection state of the device, and setting it to 2 means the Block at First Sight feature will not function.
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.
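One way to verify the result of the cmdlets above, as an added example that is not from the original page: the function reads MAPSReporting and SubmitSamplesConsent as Get-MpPreference reports them and flags the states the page warns about. The function name, host names and sample objects are constructed for illustration, and the meaning of MAPSReporting 0 (disabled) comes from the cmdlet documentation rather than this page.

```powershell
# Added example: audit cloud-delivered protection settings.
function Test-CloudProtection {
    [CmdletBinding()]
    param(
        # Object exposing MAPSReporting and SubmitSamplesConsent; defaults to
        # the live configuration of the local endpoint.
        [Parameter(ValueFromPipeline)]
        $Preference = (Get-MpPreference)
    )
    process {
        $maps     = [int]$Preference.MAPSReporting
        $consent  = [int]$Preference.SubmitSamplesConsent
        $findings = [System.Collections.Generic.List[string]]::new()

        # Assumption (cmdlet documentation, not this page): 0 = MAPS disabled.
        if ($maps -eq 0) {
            $findings.Add('MAPSReporting=0: cloud-delivered protection is disabled')
        }
        # Values 0 and 2 are the two sample-submission states the page warns about.
        switch ($consent) {
            0 { $findings.Add('SubmitSamplesConsent=0 (Always Prompt): lowers the protection state') }
            2 { $findings.Add('SubmitSamplesConsent=2 (Never send): Block at First Sight will not function') }
        }

        # Remoting attaches PSComputerName; fall back to the local host name.
        $name = if ($Preference.PSComputerName) { $Preference.PSComputerName } else { $env:COMPUTERNAME }
        [pscustomobject]@{
            ComputerName         = $name
            MAPSReporting        = $maps
            SubmitSamplesConsent = $consent
            Compliant            = ($findings.Count -eq 0)
            Findings             = $findings -join '; '
        }
    }
}

# Constructed sample objects standing in for Get-MpPreference output
# collected from three endpoints (host names are made up).
$samples = @(
    [pscustomobject]@{ PSComputerName = 'WS-001'; MAPSReporting = 2; SubmitSamplesConsent = 1 }
    [pscustomobject]@{ PSComputerName = 'WS-002'; MAPSReporting = 1; SubmitSamplesConsent = 2 }
    [pscustomobject]@{ PSComputerName = 'WS-003'; MAPSReporting = 0; SubmitSamplesConsent = 0 }
)
$samples | Test-CloudProtection | Format-Table -AutoSize -Wrap

# Live check of the local endpoint:
# Test-CloudProtection
```

Only the first constructed endpoint is reported as compliant; the second is flagged for Never send and the third for both disabled MAPS and Always Prompt.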
Use Windows Management Instrumentation (WMI) to enable cloud-delivered protection:
Use the Set method of the MSFT_MpPreference class for the following properties:
See the following for more information and allowed parameters:
Use Intune to enable cloud-delivered protection
- Open the Microsoft Intune administration console, and navigate to the associated policy you want to configure.
- Under the Endpoint Protection setting, scroll down to the Endpoint Protection Service section and set the Submit files automatically when further analysis is required setting to either of the following:
- Send samples automatically
- Send all samples automatically
Setting to Always Prompt will lower the protection state of the device. Setting to Never send means the Block at First Sight feature will not function.
Scroll down to the Microsoft Active Protection Service section and set the following settings:
- Join Microsoft Active Protection Service: set to Yes
- Membership level: set to Advanced
- Receive dynamic definitions based on Microsoft Active Protection Service reports: set to Yes
Save and deploy the policy as usual.
See Help secure Windows PCs with Endpoint Protection for Microsoft Intune for more details.
Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app
If the Configure local setting override for reporting Microsoft MAPS Group Policy setting is set to Disabled, then the Cloud-based protection setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for Defender.
Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus & threat protection settings label:
- Confirm that Cloud-based Protection and Automatic sample submission are switched to On.
If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
- Configure the cloud block timeout period
- Configure the block at first sight feature
- Use PowerShell cmdlets to configure and run Windows Defender Antivirus
- Help secure Windows PCs with Endpoint Protection for Microsoft Intune
- Defender cmdlets
- Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus
- How to create and deploy antimalware policies: Cloud-protection service
- Windows Defender Antivirus in Windows 10