1.1. Virus & threat protection settings

Danger

As of 20H2, Microsoft Defender can no longer be disabled unless a different antivirus product is installed. Tamper Protection can no longer be disabled.

After every major Windows update, verify these settings.

Windows Defender was renamed to Microsoft Defender in 20H2. See Microsoft Defender for non-GUI Microsoft Defender settings, and Telemetry for the telemetry services.

1.1.1. Cloud-delivered protection

Disable Cloud-delivered protection

Previous versions labelled this ‘Microsoft Antimalware Protection Service’ (MAPS). It uploads file hashes, and the files themselves, to Microsoft for any suspect file.

GPO
  Path:    Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › MAPS › Join Microsoft MAPS
  State:   ENABLED
  Option:  Join Microsoft MAPS: DISABLED
  Note:    The policy must be set to Enabled, with its option set to Disabled, for it to apply.
  Updated: 2021-02-19 Reference

Regedit
  Key:     HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\Spynet
  Name:    SpyNetReporting
  Type:    DWORD
  Data:    0
  Updated: 2021-02-19 Reference

1.1.2. Automatic sample submission

Disable Automatic sample submission

GPO
  Path:    Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › MAPS › Send sample files when further analysis is required
  State:   ENABLED
  Option:  Send sample files when further analysis is required: Never
  Updated: 2021-02-19 Reference

Regedit
  Key:     HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\Spynet
  Name:    SubmitSamplesConsent
  Type:    DWORD
  Data:    2
  Updated: 2021-02-19 Reference

1.1.3. Exclusions

Add hosts file exclusion

20H2 always notifies on hosts file changes, even when the changes are valid DNS blackholes for telemetry. Do not add this exclusion unless you manage the hosts file yourself.

GPO
  Path:    Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Exclusions › Path Exclusions
  State:   ENABLED
  Option:  Path Exclusions › Value Name: C:\Windows\System32\drivers\etc\hosts
           Path Exclusions › Value: 0
  Updated: 2021-02-19 Reference

Regedit
  Key:     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  Name:    C:\Windows\System32\drivers\etc\hosts
  Type:    DWORD
  Data:    0
  Updated: 2021-02-19 Reference

1.1.4. Notifications

1.1.4.1. Virus & threat protection notifications

Disable Get informational notifications

Regedit
  Key:     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
  Name:    DisableEnhancedNotifications
  Type:    DWORD
  Data:    1
  Updated: 2021-02-19

Disable Recent activity and scan results

Regedit
  Key:     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection
  Name:    SummaryNotificationDisabled
  Type:    DWORD
  Data:    1
  Updated: 2021-02-19

Disable Threats found but no immediate action is needed

Regedit
  Key:     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection
  Name:    NoActionNotificationDisabled
  Type:    DWORD
  Data:    1
  Updated: 2021-02-19

Disable Files or activities are blocked

Regedit
  Key:     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection
  Name:    FilesBlockedNotificationDisabled
  Type:    DWORD
  Data:    1
  Updated: 2021-02-19

1.1.4.2. Get account protection notifications

Disable Get account protection notifications

Regedit
  Key:     HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection
  Name:    DisableNotifications
  Type:    DWORD
  Data:    1
  Updated: 2021-02-19 Reference

Disable Problems with Windows Hello

Regedit
  Key:     HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection
  Name:    DisableWindowsHelloNotifications
  Type:    DWORD
  Data:    1
  Updated: 2021-02-19 Reference

Disable Problems with Dynamic lock

Regedit
  Key:     HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection
  Name:    DisableDynamiclockNotifications
  Type:    DWORD
  Data:    1
  Updated: 2021-02-19 Reference
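The guide asks that these settings be verified after every major Windows update. The following PowerShell script is added here as an example and is not part of the original guide: it reads every registry value documented in sections 1.1.1 to 1.1.4 and reports any that are missing or have drifted from the documented data. It assumes an elevated prompt, that the HKEY_USERS\{SID} keys are checked through HKCU: for the user running it, and that the hosts exclusion is optional, as section 1.1.3 says.

```powershell
# Added example (not part of the original guide): verify the registry values
# documented in 1.1.1 - 1.1.4 after a feature update. Run from an elevated
# PowerShell prompt. Assumption: the HKEY_USERS\{SID} keys are checked through
# HKCU:, i.e. for the user running the script.
$VtpKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection'
$AcctKey = 'HKCU:\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection'

$Expected = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Defender\Spynet'; Name = 'SpyNetReporting';      Data = 0 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Defender\Spynet'; Name = 'SubmitSamplesConsent'; Data = 2 }
    # Optional: only expected when you manage the hosts file yourself (1.1.3).
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'; Name = 'C:\Windows\System32\drivers\etc\hosts'; Data = 0; Optional = $true }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications'; Name = 'DisableEnhancedNotifications'; Data = 1 }
    @{ Key = $VtpKey;  Name = 'SummaryNotificationDisabled';      Data = 1 }
    @{ Key = $VtpKey;  Name = 'NoActionNotificationDisabled';     Data = 1 }
    @{ Key = $VtpKey;  Name = 'FilesBlockedNotificationDisabled'; Data = 1 }
    @{ Key = $AcctKey; Name = 'DisableNotifications';             Data = 1 }
    @{ Key = $AcctKey; Name = 'DisableWindowsHelloNotifications'; Data = 1 }
    @{ Key = $AcctKey; Name = 'DisableDynamiclockNotifications';  Data = 1 }
)

function Test-DefenderSetting {
    param([hashtable]$Setting)
    $status = 'OK'
    $actual = $null
    try {
        # Get-ItemPropertyValue throws when either the key or the value is absent.
        $actual = Get-ItemPropertyValue -Path $Setting.Key -Name $Setting.Name -ErrorAction Stop
        if ([int]$actual -ne $Setting.Data) { $status = 'DRIFT' }
    } catch {
        $status = if ($Setting.Optional) { 'NOT SET (optional)' } else { 'MISSING' }
    }
    [pscustomobject]@{
        Status   = $status
        Name     = $Setting.Name
        Expected = $Setting.Data
        Actual   = $actual
        Key      = $Setting.Key
    }
}

$results = $Expected | ForEach-Object { Test-DefenderSetting $_ }
$results | Format-Table Status, Name, Expected, Actual -AutoSize

# Exit code is the number of drifted or missing values, so the script can run
# as a scheduled task after updates and a non-zero result can raise an alert.
$bad = @($results | Where-Object { $_.Status -in 'DRIFT', 'MISSING' })
exit $bad.Count
```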

1.1.5. Firewall

Endpoints for telemetry may change. Periodically verify that these have not changed. See the references for additional documentation.

Warning

These endpoints should be blocked or routed to a blackhole. See Pi-Hole and DNAT for Captive DNS.

Connected User Experiences and Telemetry endpoints

Microsoft Defender Advanced Threat Protection is country specific and the prefix changes by country, e.g. de.vortex-win.data.microsoft.com

1703 with 2018-09 cumulative update
  Diagnostic Endpoint: v10c.vortex-win.data.microsoft.com
  Functional Endpoint: v20.vortex-win.data.microsoft.com
  Settings Endpoint:   settings-win.data.microsoft.com

1803 without 2018-09 cumulative update
  Diagnostic Endpoint: v10.events.data.microsoft.com
  Functional Endpoint: v20.vortex-win.data.microsoft.com
  Settings Endpoint:   settings-win.data.microsoft.com

1709 or earlier
  Diagnostic Endpoint: v10.vortex-win.data.microsoft.com
  Functional Endpoint: v20.vortex-win.data.microsoft.com
  Settings Endpoint:   settings-win.data.microsoft.com

Diagnostic data services endpoints

Microsoft Defender Advanced Threat Protection
  Endpoint: https://wdcp.microsoft.com
  Endpoint: https://wdcpalt.microsoft.com

References

  1. Configure Windows Diagnostic Data

  2. Manage connections from Windows 10 to Microsoft Services

  3. Remove Microsoft Defender Telemetry