9. Microsoft Defender

Don’t turn this off unless you know what you are doing. Disable each of the individual Windows Defender options (in Settings) first and only then disable the service itself; otherwise cloud-based protection keeps running and can drive disk usage to 100%.

See Virus & threat protection settings for the Windows Defender GUI settings, and the telemetry section (w10-20h2-standalone-telemetry) for the telemetry services.

Danger

As of 20H2 Microsoft Defender can no longer be disabled outright; it only turns itself off when it detects other certified antivirus software. Disable all live scanning services instead.

After every major Windows update, verify these settings.

Reference

Disable tamper protection

Note

Tamper Protection can no longer be disabled through the registry (the values below are not honored). It must be turned off manually in the GUI before any other Windows Defender setting is changed.

GUI

⌘ + r › windowsdefender://settings › Virus & threat protection settings › Manage Settings

Tamper Protection

Updated: 2021-02-19 Reference

Regedit

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features

  Name                    Type    Value
  TamperProtection        DWORD   4
  TamperProtectionSource  DWORD   2

There is no GPO for this. A TamperProtection value of 5 turns protection back on. Note that the registry path still says "Windows Defender"; only the product name was changed to Microsoft Defender, the keys were not renamed.

Updated: 2021-02-19 Reference

PsExec
PowerShell (as admin)

PsExec64.exe -accepteula -d -i -s powershell -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 4 -Type DWord"
PsExec64.exe -accepteula -d -i -s powershell -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtectionSource' -Value 2 -Type DWord"

Sysinternals PsTools must be installed to do this from PowerShell; -s runs the command as SYSTEM, which is needed to write the Features key. Tamper Protection must already be turned off in the GUI (see the note above), otherwise the values are not honored.

Reference

Disable Microsoft Defender notifications
GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Client Interface › Suppress all notifications

ENABLED

Updated: 2021-02-19 Reference

Disable Microsoft Defender Enhanced Notifications
GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Reporting › Turn off enhanced notifications

ENABLED

Updated: 2021-02-19

Regedit

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting

  Name                          Type   Value
  DisableEnhancedNotifications  DWORD  1

Updated: 2021-02-19

Disable Microsoft Defender Updates
GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Security Intelligence Updates › Allow real-time security intelligence updates based on reports to Microsoft MAPS

DISABLED

Updated: 2021-02-19

Regedit

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Updates

  Name            Type    Value
  (named values)  DELETE  DELETE

Updated: 2021-02-19

Regedit

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates

  Name                               Type    Value
  FallbackOrder                      SZ      FileShares
  DefinitionUpdateFileSharesSources  DELETE  DELETE

With the fallback order restricted to file shares and no file share sources defined, the client has no source left to fetch security intelligence updates from.

Updated: 2021-02-19

Disable Malicious Software Removal Tool reporting

The Malicious Software Removal Tool (MSRT) reports infection information to Microsoft, and MAPS uploads file samples for further analysis.

GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › MAPS › Send file samples when further analysis is required

Never Send

Updated: 2021-02-19

Regedit

Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT

  Name                            Type   Value
  DontReportInfectionInformation  DWORD  1

Updated: 2021-02-19

Disable Microsoft Defender Smart Screen
GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender SmartScreen › Explorer › Configure Microsoft Defender SmartScreen

DISABLED

Updated: 2021-02-19

GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender SmartScreen › Explorer › Configure App Install Control

ENABLED

Turn off app recommendations

Updated: 2021-02-19

Regedit

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen

  Name                               Type   Value
  ConfigureAppInstallControlEnabled  DWORD  1
  ConfigureAppInstallControl         SZ     Anywhere

The registry value is the logical inverse of the equivalent GPO: the policy turns app recommendations off, the value allows apps from Anywhere.

Updated: 2021-02-19

Disable Microsoft Defender real-time protection
GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Real-time Protection

  Setting                                                                                      Value
  Turn off real-time protection                                                                ENABLED
  Turn on behavior monitoring                                                                  DISABLED
  Scan all downloaded files and attachments                                                    DISABLED
  Monitor file and program activity on your computer                                           DISABLED
  Turn on raw volume write notifications                                                       DISABLED
  Turn on process scanning whenever real-time protection is enabled                            DISABLED
  Define the maximum size of downloaded files and attachments to be scanned                    DISABLED
  Configure local setting override for turn on behavior monitoring                             DISABLED
  Configure local setting override for scanning all downloaded files and attachments           DISABLED
  Configure local setting override for monitoring file and program activity on your computer   DISABLED
  Configure local setting override to turn on real-time protection                             DISABLED
  Configure local setting override for monitoring for incoming and outgoing file activity      DISABLED
  Configure monitoring for incoming and outgoing file and program activity                     DISABLED

Updated: 2021-02-19

Disable windows defender notification icon
GPO

Computer Configuration › Administrative Templates › Windows Components › Windows Security › Systray

Hide Windows Security Systray

ENABLED

Updated: 2021-02-19 Reference

GUI

⌘ › Task Manager › More Details › Startup

Microsoft Defender notification icon

DISABLED

Updated: 2021-02-19 Reference

Disable Microsoft Defender

As of Windows 10 1903 this setting only disables Microsoft Defender on Windows Server; on client editions it is ignored. The other settings in this section still apply.

GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Turn off Microsoft Defender Antivirus

ENABLED

Updated: 2021-02-19 Reference

Regedit

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

  Name                Type   Value
  DisableAntiSpyware  DWORD  1

Updated: 2021-02-19 Reference
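The registry and engine state set in this section drifts after feature updates, which is why the settings have to be re-verified. The following script is an added example, not part of the original guide: from an elevated PowerShell prompt it audits the registry values listed above and compares them with what the Defender engine itself reports through Get-MpComputerStatus and Get-MpPreference (the Defender module that ships with Windows 10 client). The expected registry values are the ones given in this section; the function names and the MAPSReporting/SubmitSamplesConsent expectations (0 = disabled, 2 = never send) are my additions.

```powershell
# Added example, not part of the original guide: audit the registry values this
# section sets and compare them with what the Defender engine itself reports, so
# drift after a feature update shows up as a single table. Run elevated.
# Assumes the Defender module cmdlets (Get-MpComputerStatus, Get-MpPreference),
# which ship with Windows 10 client.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Expected registry state, as listed in this section.
$expected = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'; Name = 'TamperProtection';       Value = 4 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'; Name = 'TamperProtectionSource'; Value = 2 }
    @{ Key = "$policy\Reporting";         Name = 'DisableEnhancedNotifications';      Value = 1 }
    @{ Key = "$policy\Signature Updates"; Name = 'FallbackOrder';                     Value = 'FileShares' }
    @{ Key = "$policy\SmartScreen";       Name = 'ConfigureAppInstallControlEnabled'; Value = 1 }
    @{ Key = "$policy\SmartScreen";       Name = 'ConfigureAppInstallControl';        Value = 'Anywhere' }
    @{ Key = $policy;                     Name = 'DisableAntiSpyware';                Value = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'; Name = 'DontReportInfectionInformation'; Value = 1 }
)

# Values the section deletes; they must not exist.
$absent = @(
    @{ Key = "$policy\Signature Updates"; Name = 'DefinitionUpdateFileSharesSources' }
)

function Get-RegistryValueOrNull {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DefenderRegistryPolicy {
    foreach ($e in $expected) {
        $actual  = Get-RegistryValueOrNull -Key $e.Key -Name $e.Name
        $display = if ($null -eq $actual) { '<missing>' } else { $actual }
        [pscustomobject]@{
            Setting  = "$($e.Key)\$($e.Name)"
            Expected = $e.Value
            Actual   = $display
            OK       = ("$actual" -eq "$($e.Value)")
        }
    }
    foreach ($a in $absent) {
        $actual  = Get-RegistryValueOrNull -Key $a.Key -Name $a.Name
        $display = if ($null -eq $actual) { '<absent>' } else { $actual }
        [pscustomobject]@{
            Setting  = "$($a.Key)\$($a.Name)"
            Expected = '<absent>'
            Actual   = $display
            OK       = ($null -eq $actual)
        }
    }
}

function Test-DefenderEngineState {
    # Policies the engine no longer honours (Tamper Protection, DisableAntiSpyware on
    # client) are only visible here, not in the registry.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $checks = @(
        @{ Name = 'IsTamperProtected';                 Actual = $status.IsTamperProtected;         Expected = $false }
        @{ Name = 'RealTimeProtectionEnabled';         Actual = $status.RealTimeProtectionEnabled; Expected = $false }
        @{ Name = 'BehaviorMonitorEnabled';            Actual = $status.BehaviorMonitorEnabled;    Expected = $false }
        @{ Name = 'IoavProtectionEnabled';             Actual = $status.IoavProtectionEnabled;     Expected = $false }
        @{ Name = 'OnAccessProtectionEnabled';         Actual = $status.OnAccessProtectionEnabled; Expected = $false }
        @{ Name = 'MAPSReporting (0 = disabled)';      Actual = $pref.MAPSReporting;               Expected = 0 }
        @{ Name = 'SubmitSamplesConsent (2 = never)';  Actual = $pref.SubmitSamplesConsent;        Expected = 2 }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting  = $c.Name
            Expected = $c.Expected
            Actual   = $c.Actual
            OK       = ("$($c.Actual)" -eq "$($c.Expected)")
        }
    }
}

Test-DefenderRegistryPolicy | Format-Table -AutoSize
Test-DefenderEngineState    | Format-Table -AutoSize
```

Any row with OK = False is a setting that a feature update reset or that the engine is no longer honoring; the garbled Updates key above is deliberately left out of the expected list because the page does not say which named values it held.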

9.1. Firewall

Endpoints for telemetry may change. Periodically verify that these have not changed. See the references for additional documentation.

Warning

These endpoints should be blocked or routed to a blackhole. See Pi-Hole and DNAT for Captive DNS.

Connected User Experiences and Telemetry endpoints

The Microsoft Defender Advanced Threat Protection endpoints are country specific; the prefix changes by country, e.g. de.vortex-win.data.microsoft.com.

  Release                                     Diagnostic endpoint                 Functional endpoint                Settings endpoint
  1803 with the 2018-09 cumulative update     v10c.vortex-win.data.microsoft.com  v20.vortex-win.data.microsoft.com  settings-win.data.microsoft.com
  1803 without the 2018-09 cumulative update  v10.events.data.microsoft.com       v20.vortex-win.data.microsoft.com  settings-win.data.microsoft.com
  1709 or earlier                             v10.vortex-win.data.microsoft.com   v20.vortex-win.data.microsoft.com  settings-win.data.microsoft.com

Diagnostic data services endpoints

  Service                                        Endpoint
  Microsoft Defender Advanced Threat Protection  https://wdcp.microsoft.com
                                                 https://wdcpalt.microsoft.com
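Because the hostnames above are meant to be sinkholed in DNS (Pi-hole or captive DNS) rather than in the Windows firewall, the useful periodic check is whether they still resolve to a blackhole address through the resolver this machine actually uses. The script below is an added example, not from the original guide; it uses Resolve-DnsName from the DnsClient module, the endpoint list is taken from the tables on this page, and the set of addresses counted as "blackholed" is my assumption (add your own sinkhole's IP if it answers with itself).

```powershell
# Added example, not part of the original guide: check that each telemetry
# endpoint listed on this page still resolves to a blackhole through the
# system resolver, and emit hosts-file lines for any that leak.
# Assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later).

# Endpoint list copied from the tables in this section.
$endpoints = @(
    'v10c.vortex-win.data.microsoft.com'
    'v10.vortex-win.data.microsoft.com'
    'v10.events.data.microsoft.com'
    'v20.vortex-win.data.microsoft.com'
    'settings-win.data.microsoft.com'
    'wdcp.microsoft.com'
    'wdcpalt.microsoft.com'
)

# Addresses that count as sinkholed (assumption). Add your Pi-hole's own address
# if it is configured to answer blocked names with itself.
$blackhole = @('0.0.0.0', '::', '127.0.0.1', '::1')

function Test-EndpointBlackholed {
    param([string]$Name)
    # Only A/AAAA records carry IPAddress; CNAME hops in the chain are dropped.
    $records = Resolve-DnsName -Name $Name -Type A_AAAA -ErrorAction SilentlyContinue |
               Where-Object { $_.IPAddress }
    $addrs   = @($records | Select-Object -ExpandProperty IPAddress)
    $public  = @($addrs | Where-Object { $_ -notin $blackhole })

    # NXDOMAIN / no answer is acceptable: a sinkholing resolver may simply refuse.
    $display = if ($addrs.Count -gt 0) { $addrs -join ', ' } else { '<no answer>' }
    [pscustomobject]@{
        Endpoint   = $Name
        Addresses  = $display
        Blackholed = ($public.Count -eq 0)
    }
}

$results = $endpoints | ForEach-Object { Test-EndpointBlackholed -Name $_ }
$results | Format-Table -AutoSize

# Anything that still resolves publicly gets a hosts-file line
# (C:\Windows\System32\drivers\etc\hosts) or a Pi-hole blocklist entry.
$leaking = @($results | Where-Object { -not $_.Blackholed })
if ($leaking.Count -gt 0) {
    "`nEndpoints still resolving publicly; add to hosts or your DNS sinkhole:"
    $leaking | ForEach-Object { "0.0.0.0 $($_.Endpoint)" }
}
```

Run this from the client itself rather than from the Pi-hole host, so the check goes through whatever resolver the client's adapter is actually configured with; a client with a hard-coded public DNS server bypasses the sinkhole and will show up here as leaking.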

References

  1. Configure Windows Diagnostic Data

  2. Manage connections from Windows 10 to Microsoft Services

  3. Remove Microsoft Defender Telemetry