1.1. Virus & threat protection settings
Danger
As of 20H2, Microsoft Defender can no longer be disabled unless another antivirus product is installed, and Tamper Protection can no longer be disabled. After every major Windows update, verify these settings.
Windows Defender was renamed to Microsoft Defender in 20H2. See the Microsoft Defender section for non-GUI Microsoft Defender settings and the Telemetry section for telemetry services.
1.1.1. Cloud-delivered protection
Disable Cloud-delivered protection
Previous versions labeled this as ‘Microsoft Antimalware Protection Service’ (MAPS). It uploads files and file hashes to Microsoft for any file it considers suspect.
GPO
The policy must be set to Enabled, with its option set to Disabled, for it to apply.
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › MAPS › Join Microsoft MAPS
☑ ENABLED
Join Microsoft MAPS: DISABLED
Updated: 2021-02-19 Reference
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\Spynet
SpyNetReporting (DWORD) = 0
Updated: 2021-02-19 Reference
1.1.2. Automatic sample submission
Disable Automatic sample submission
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › MAPS › Send sample files when further analysis is required
☑ ENABLED
Send sample files when further analysis is required: Never
Updated: 2021-02-19 Reference
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\Spynet
SubmitSamplesConsent (DWORD) = 2
Updated: 2021-02-19 Reference
1.1.3. Exclusions
Add hosts file exclusion
20H2 always notifies on hosts file changes, even when the entries are valid DNS blackholes for telemetry. Do not add this exclusion if you are not managing the hosts file yourself.
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Exclusions › Path Exclusions
☑ ENABLED
Path Exclusions › Value Name: C:\Windows\System32\drivers\etc\hosts
Path Exclusions › Value: 0
Updated: 2021-02-19 Reference
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\System32\drivers\etc\hosts (DWORD) = 0
Updated: 2021-02-19 Reference
1.1.4. Notifications
1.1.4.1. Virus & threat protection notifications
Disable Get informational notifications
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
DisableEnhancedNotifications (DWORD) = 1
Updated: 2021-02-19
Disable Recent activity and scan results
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection
SummaryNotificationDisabled (DWORD) = 1
Updated: 2021-02-19
Disable Threats found but no immediate action is needed
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection
NoActionNotificationDisabled (DWORD) = 1
Updated: 2021-02-19
Disable Files or activities are blocked
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection
FilesBlockedNotificationDisabled (DWORD) = 1
Updated: 2021-02-19
1.1.4.2. Get account protection notifications
Disable Get account protection notifications
Registry
HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection
DisableNotifications (DWORD) = 1
Updated: 2021-02-19 Reference
Disable Problems with Windows Hello
Registry
HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection
DisableWindowsHelloNotifications (DWORD) = 1
Updated: 2021-02-19 Reference
Disable Problems with Dynamic lock
Registry
HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection
DisableDynamiclockNotifications (DWORD) = 1
Updated: 2021-02-19 Reference
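Since the settings above are expected to be re-checked after every major Windows update, here is an added read-only PowerShell audit (example code, not part of the original page) that reads each registry value listed in 1.1.1 through 1.1.4 and reports any that no longer match. It assumes the `{SID}` keys are those of the user running the script; paths, value names and expected values are taken from the page as-is.

```powershell
# Added example, not from the original page: a read-only audit of the registry
# values documented in sections 1.1.1 to 1.1.4. Re-run it after each major
# Windows update; it writes nothing and exits 1 when any value has drifted.
# Assumption: the {SID} keys are checked for the user running the script.

$sid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$hklm = 'HKLM:\SOFTWARE'
$hku  = "Registry::HKEY_USERS\$sid\SOFTWARE"
$wdsc = 'Windows Defender Security Center'

function New-Expected([string]$Section, [string]$Path, [string]$Name, [int]$Value) {
    [pscustomobject]@{ Section = $Section; Path = $Path; Name = $Name; Expected = $Value }
}

# Path, value name and expected DWORD are exactly as listed on the page.
$expected = @(
    New-Expected '1.1.1'   "$hklm\Policies\Microsoft\Microsoft Defender\Spynet" 'SpyNetReporting' 0
    New-Expected '1.1.2'   "$hklm\Policies\Microsoft\Microsoft Defender\Spynet" 'SubmitSamplesConsent' 2
    New-Expected '1.1.3'   "$hklm\Microsoft\Windows Defender\Exclusions\Paths" 'C:\Windows\System32\drivers\etc\hosts' 0
    New-Expected '1.1.4.1' "$hklm\Microsoft\$wdsc\Notifications" 'DisableEnhancedNotifications' 1
    New-Expected '1.1.4.1' "$hklm\Microsoft\$wdsc\Virus and threat protection" 'SummaryNotificationDisabled' 1
    New-Expected '1.1.4.1' "$hklm\Microsoft\$wdsc\Virus and threat protection" 'NoActionNotificationDisabled' 1
    New-Expected '1.1.4.1' "$hklm\Microsoft\$wdsc\Virus and threat protection" 'FilesBlockedNotificationDisabled' 1
    New-Expected '1.1.4.2' "$hku\Microsoft\$wdsc\Account protection" 'DisableNotifications' 1
    New-Expected '1.1.4.2' "$hku\Microsoft\$wdsc\Account protection" 'DisableWindowsHelloNotifications' 1
    New-Expected '1.1.4.2' "$hku\Microsoft\$wdsc\Account protection" 'DisableDynamiclockNotifications' 1
)

function Test-DocumentedSetting {
    param([pscustomobject]$Entry)
    # RegistryKey.GetValue is used instead of Get-ItemProperty so that a value
    # name containing backslashes (the hosts path exclusion) is read literally.
    $key    = Get-Item -Path $Entry.Path -ErrorAction SilentlyContinue
    $actual = if ($key) { $key.GetValue($Entry.Name, $null) } else { $null }
    [pscustomobject]@{
        Section  = $Entry.Section
        Name     = $Entry.Name
        Expected = $Entry.Expected
        Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
        Status   = if ($actual -eq $Entry.Expected) { 'OK' } else { 'DRIFT' }
    }
}

$results = $expected | ForEach-Object { Test-DocumentedSetting -Entry $_ }
$results | Format-Table -AutoSize

# A non-zero exit lets a scheduled task or login script flag reverted settings.
if ($results.Status -contains 'DRIFT') { exit 1 }
```

A missing key or value is reported as DRIFT as well, which is the usual symptom after a feature update recreates the Defender keys.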
1.1.5. Firewall
Endpoints for telemetry may change. Periodically verify that these have not changed. See the references for additional documentation.
Warning
These endpoints should be blocked or routed to a blackhole. See the Pi-Hole and DNAT for Captive DNS sections.
Connected User Experiences and Telemetry endpoints
The Microsoft Defender Advanced Threat Protection endpoint is country specific and its prefix changes by country, e.g. de.vortex-win.data.microsoft.com.
Release | Diagnostic Endpoint | Functional Endpoint | Settings Endpoint
---|---|---|---
1703 with 2018-09 cumulative update | v10c.vortex-win.data.microsoft.com | v20.vortex-win.data.microsoft.com | settings-win.data.microsoft.com
1803 without 2018-09 cumulative update | v10.events.data.microsoft.com | v20.vortex-win.data.microsoft.com | settings-win.data.microsoft.com
1709 or earlier | v10.vortex-win.data.microsoft.com | v20.vortex-win.data.microsoft.com | settings-win.data.microsoft.com
Diagnostic data services endpoints
Service | Endpoint
---|---
Microsoft Defender Advanced Threat Protection |
References