1.1. Virus & threat protection settings

Danger

Since 20H2, Microsoft Defender Antivirus can no longer be disabled unless a third-party antivirus is registered. Tamper Protection cannot be turned off through Group Policy or the registry, only in the Windows Security app (or through Intune on managed devices). While it is on, Group Policy and registry changes to the protected settings below (real-time protection, cloud-delivered protection, sample submission) are ignored, so turn it off before applying them.

After every Windows feature update, verify that these settings are still in place.

Windows Defender was renamed to Microsoft Defender in 20H2. See Microsoft Defender for the non-GUI Microsoft Defender settings and Telemetry for the telemetry services.

1.1.1. Real-time protection

Disable Real-Time protection

Warning

Only disable this if you know what you are doing. With real-time protection off, Defender inspects files only during on-demand or scheduled scans; anything downloaded or executed in between is not checked.

GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Real-time Protection

Turn off real-time protection: ENABLED
Turn on behavior monitoring: DISABLED
Scan all downloaded files and attachments: DISABLED
Monitor file and program activity on your computer: DISABLED
Turn on raw volume write notifications: DISABLED
Turn on process scanning whenever real-time protection is enabled: DISABLED
Define the maximum size of downloaded files and attachments to be scanned: DISABLED
Configure local setting override for turn on behavior monitoring: DISABLED
Configure local setting override for scanning all downloaded files and attachments: DISABLED
Configure local setting override for monitoring file and program activity on your computer: DISABLED
Configure local setting override to turn on real-time protection: DISABLED
Configure local setting override for monitoring for incoming and outgoing file activity: DISABLED
Configure monitoring for incoming and outgoing file and program activity: DISABLED

Updated: 2021-02-19

1.1.2. Cloud-delivered protection

Disable Cloud-delivered protection

Earlier versions labeled this ‘Microsoft Active Protection Service’ (MAPS). When joined, Defender reports suspicious files to Microsoft (file hashes and other metadata; whole files only as allowed by the sample submission setting in 1.1.3).

GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › MAPS › Join Microsoft MAPS

ENABLED

Join Microsoft MAPS

DISABLED

Updated: 2021-02-19 Reference

1.1.3. Automatic sample submission

Disable Automatic sample submission
GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › MAPS › Send sample files when further analysis is required

ENABLED

Send sample files when further analysis is required

Never send

Updated: 2021-02-19 Reference

1.1.4. Exclusions

Add hosts file exclusion

20H2+ flags every change to the hosts file (detection SettingsModifier:Win32/HostsFileHijack), even when the entries are valid DNS blackholes for telemetry. Do not add this exclusion unless you manage the hosts file yourself: an excluded hosts file is a classic target for malware that redirects update or banking domains, and Defender will no longer warn about it.

GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Exclusions › Path Exclusions

ENABLED

Path Exclusions

› Value Name

C:\Windows\System32\drivers\etc\hosts

› Value

0

Updated: 2021-02-19 Reference
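The post-update verification the Danger note asks for, as an added PowerShell example (not from the original page): it reads the registry values that the Group Policy settings in 1.1.1 to 1.1.4 write, compares them with the expected values, and then asks Defender itself what is in effect, because a policy value can sit in the registry and still be ignored while Tamper Protection is on. The function names and the expected-value table are this example's own; the registry value names and the Get-MpPreference / Get-MpComputerStatus properties are the documented ones.

```powershell
# Added example, not from the original page. Checks that the policy values
# written by the GPO settings in 1.1.1 to 1.1.4 are present and then reports
# what Microsoft Defender actually enforces. Run from an elevated PowerShell.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Expected registry state. Key is relative to $PolicyRoot; these are the value
# names the listed Group Policy settings write (table assembled for this
# example, not taken from the page).
$ExpectedPolicy = @(
    @{ Setting = 'Turn off real-time protection: ENABLED';              Key = 'Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Value = 1 }
    @{ Setting = 'Turn on behavior monitoring: DISABLED';               Key = 'Real-Time Protection'; Name = 'DisableBehaviorMonitoring'; Value = 1 }
    @{ Setting = 'Scan all downloaded files and attachments: DISABLED'; Key = 'Real-Time Protection'; Name = 'DisableIOAVProtection';     Value = 1 }
    @{ Setting = 'Monitor file and program activity: DISABLED';         Key = 'Real-Time Protection'; Name = 'DisableOnAccessProtection'; Value = 1 }
    @{ Setting = 'Join Microsoft MAPS: Disabled';                       Key = 'Spynet';               Name = 'SpynetReporting';           Value = 0 }
    @{ Setting = 'Send sample files: Never send';                       Key = 'Spynet';               Name = 'SubmitSamplesConsent';      Value = 2 }
    @{ Setting = 'Path Exclusions: ENABLED';                            Key = 'Exclusions';           Name = 'Exclusions_Paths';          Value = 1 }
    @{ Setting = 'Path Exclusions: hosts file';                         Key = 'Exclusions\Paths';     Name = 'C:\Windows\System32\drivers\etc\hosts'; Value = 0 }
)

function Test-DefenderPolicy {
    # One row per expected value: OK, DRIFT (different value) or MISSING.
    foreach ($p in $ExpectedPolicy) {
        $keyPath = Join-Path -Path $PolicyRoot -ChildPath $p.Key
        $item    = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
        # Read through PSObject so value names containing backslashes (the
        # exclusion path) are looked up literally.
        $actual  = if ($null -ne $item) { $item.PSObject.Properties[$p.Name].Value } else { $null }
        [pscustomobject]@{
            Setting  = $p.Setting
            Value    = $p.Name
            Expected = $p.Value
            Actual   = $actual
            Status   = if ($null -eq $actual) { 'MISSING' } elseif ($actual -eq $p.Value) { 'OK' } else { 'DRIFT' }
        }
    }
}

function Get-DefenderEffectiveState {
    # What the engine enforces right now, independent of what the registry says.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        TamperProtected    = $status.IsTamperProtected
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitoring = -not $pref.DisableBehaviorMonitoring
        MAPSReporting      = $pref.MAPSReporting        # 0 = Disabled, 1 = Basic, 2 = Advanced
        SampleSubmission   = $pref.SubmitSamplesConsent # 2 = Never send
        HostsFileExcluded  = [bool]($pref.ExclusionPath -contains 'C:\Windows\System32\drivers\etc\hosts')
    }
}

Test-DefenderPolicy | Format-Table -AutoSize
$state = Get-DefenderEffectiveState
$state | Format-List

if ($state.TamperProtected -and $state.RealTimeProtection) {
    Write-Warning 'Tamper Protection is on: the real-time protection policy is in the registry but not in effect. Turn Tamper Protection off in Windows Security, then re-apply the policy.'
}
```

A MISSING or DRIFT row after a feature update means the policy was reset and has to be re-applied; an OK row combined with RealTimeProtection = True means the value is present but Tamper Protection is overriding it.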

1.1.5. Notifications

1.1.5.1. Virus & threat protection notifications

Turn off enhanced notifications

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Reporting › Turn off enhanced notifications

ENABLED

Updated: 2022-01-20 Reference

Hide notifications

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Client interface › Suppress all notifications

ENABLED

Updated: 2022-01-20 Reference

Hide reboot notifications

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Client interface › Suppresses reboot notifications

ENABLED

Updated: 2022-01-20 Reference

Disable Get informational notifications
Regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications

DisableEnhancedNotifications

DWORD

1

Updated: 2021-02-19

Disable Recent activity and scan results
Regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection

SummaryNotificationDisabled

DWORD

1

Updated: 2021-02-19

Disable Threats found but no immediate action is needed
Regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection

NoActionNotificationDisabled

DWORD

1

Updated: 2021-02-19

Disable Files or activities are blocked
Regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection

FilesBlockedNotificationDisabled

DWORD

1

Updated: 2021-02-19

1.1.5.2. Get account protection notifications

Disable Get account protection notifications
Regedit

HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection

DisableNotifications

DWORD

1

Updated: 2021-02-19 Reference

Disable Problems with Windows Hello
Regedit

HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection

DisableWindowsHelloNotifications

DWORD

1

Updated: 2021-02-19 Reference

Disable Problems with Dynamic lock
Regedit

HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection

DisableDynamiclockNotifications

DWORD

1

Updated: 2021-02-19 Reference
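Filling in the {SID} placeholder above, as an added PowerShell example (not from the original page): the three Account protection values are per-user, so they live under the user's hive in HKEY_USERS, which is present only while that profile is loaded. The function name and the -AllLoadedUsers switch are this example's own; by default it targets the user running the script.

```powershell
# Added example, not from the original page: write the per-user Account
# protection notification values listed above, resolving {SID} at run time.
$AccountProtectionKey    = 'SOFTWARE\Microsoft\Windows Defender Security Center\Account protection'
$AccountProtectionValues = 'DisableNotifications', 'DisableWindowsHelloNotifications', 'DisableDynamiclockNotifications'

function Set-AccountProtectionNotifications {
    param(
        # Target the user running the script by default. The hive of a user who
        # is not logged on is not under HKEY_USERS and cannot be written this way.
        [string[]]$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value,
        [switch]$AllLoadedUsers,
        [ValidateSet(0, 1)][int]$Value = 1
    )
    if ($AllLoadedUsers) {
        # Real user hives look like S-1-5-21-...; this skips *_Classes hives
        # and the built-in service accounts.
        $Sid = Get-ChildItem -Path 'Registry::HKEY_USERS' |
               Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
               ForEach-Object PSChildName
    }
    foreach ($s in $Sid) {
        $key = "Registry::HKEY_USERS\$s\$AccountProtectionKey"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $AccountProtectionValues) {
            Set-ItemProperty -LiteralPath $key -Name $name -Value $Value -Type DWord
        }
        # Echo the written values so the change can be verified per user.
        Get-ItemProperty -LiteralPath $key |
            Select-Object -Property (@(@{ n = 'SID'; e = { $s } }) + $AccountProtectionValues)
    }
}

Set-AccountProtectionNotifications                      # current user only
# Set-AccountProtectionNotifications -AllLoadedUsers    # elevated: every loaded profile
```

Writing to another user's hive requires an elevated shell; writing to your own does not.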

1.1.6. Firewall

Endpoints for telemetry may change. Periodically verify that they have not, and see the references for the current documentation.

Warning

These endpoints should be blocked at the firewall or routed to a DNS blackhole. See Pi-Hole and DNAT for Captive DNS.

Connected User Experiences and Telemetry endpoints

Some of these endpoints are region specific and carry a country prefix, e.g. de.vortex-win.data.microsoft.com.

Release                                               Diagnostic endpoint                 Functional endpoint                Settings endpoint
1703 or later, with the 2018-09 cumulative update     v10c.vortex-win.data.microsoft.com  v20.vortex-win.data.microsoft.com  settings-win.data.microsoft.com
1803 or later, without the 2018-09 cumulative update  v10.events.data.microsoft.com       v20.vortex-win.data.microsoft.com  settings-win.data.microsoft.com
1709 or earlier                                       v10.vortex-win.data.microsoft.com   v20.vortex-win.data.microsoft.com  settings-win.data.microsoft.com

Diagnostic data services endpoints

Service: Microsoft Defender Antivirus cloud-delivered protection (MAPS; older documentation lists these under Microsoft Defender Advanced Threat Protection)

Endpoints:

https://wdcp.microsoft.com
https://wdcpalt.microsoft.com
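Blackholing the endpoints above in the hosts file and checking that the block actually takes, as an added PowerShell example (not from the original page): the host list is taken from the two tables above, while the function names are this example's own. The check resolves through System.Net.Dns, which honours the hosts file; Resolve-DnsName queries the DNS server directly and would not show a hosts-file blackhole. Editing the hosts file is exactly what triggers the Defender detection that the exclusion in 1.1.4 is meant for.

```powershell
# Added example, not from the original page: black-hole the telemetry
# endpoints listed above via the hosts file and verify the effective
# resolution. Run from an elevated PowerShell; the hosts file is not
# writable by standard users.
$TelemetryEndpoints = @(
    'v10.vortex-win.data.microsoft.com'
    'v10c.vortex-win.data.microsoft.com'
    'v20.vortex-win.data.microsoft.com'
    'v10.events.data.microsoft.com'
    'settings-win.data.microsoft.com'
    'wdcp.microsoft.com'
    'wdcpalt.microsoft.com'
)
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Add-HostsBlackhole {
    # Appends "0.0.0.0 <name>" for every name without an active hosts entry
    # and returns the number of lines added, so repeated runs are idempotent.
    param([string[]]$Names, [string]$Path = $HostsFile)
    $existing = Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue
    $new = foreach ($n in $Names) {
        # Active (non-comment) entry: "<address> <name>" at the start of a line.
        $pattern = '^\s*[0-9a-fA-F.:]+\s+' + [regex]::Escape($n) + '(\s|$)'
        if (-not ($existing -match $pattern)) { "0.0.0.0 $n" }
    }
    if ($new) { Add-Content -LiteralPath $Path -Value $new -Encoding ASCII }
    return @($new).Count
}

function Test-Blackhole {
    # System.Net.Dns honours the hosts file; Resolve-DnsName does not.
    # NXDOMAIN (what a Pi-hole returns) surfaces as an exception and counts as blocked.
    param([string[]]$Names)
    $sinkholes = '0.0.0.0', '127.0.0.1', '::', '::1'
    foreach ($n in $Names) {
        try {
            $addrs = @([System.Net.Dns]::GetHostAddresses($n) | ForEach-Object IPAddressToString)
        } catch {
            $addrs = @()
        }
        $leaks = @($addrs | Where-Object { $_ -notin $sinkholes })
        [pscustomobject]@{
            Endpoint = $n
            Resolves = ($addrs -join ', ')
            Blocked  = ($leaks.Count -eq 0)
        }
    }
}

$added = Add-HostsBlackhole -Names $TelemetryEndpoints
Write-Host "Added $added hosts entries"
Test-Blackhole -Names $TelemetryEndpoints | Format-Table -AutoSize
```

Run Test-Blackhole alone after a feature update as well: if an endpoint shows Blocked = False with a public address, either the hosts file was rewritten or the endpoint name has changed and the tables above need checking against the references.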

References

  1. Configure Windows Diagnostic Data

  2. Manage connections from Windows 10 to Microsoft Services

  3. Remove Microsoft Defender Telemetry