9. Microsoft Defender
Don't turn this off unless you know what you are doing. Disable all of the Windows Defender options first, before disabling the service; otherwise cloud-based protection will cause 100% disk usage (in Settings).
See Virus & threat protection settings for the Windows Defender GUI settings, and ref:w10-20h2-standalone-telemetry for the telemetry services.
Danger
As of 20H2, Microsoft Defender can no longer be disabled; it only disables itself on detection of other certified antivirus software. Disable all live scanning services instead.
After every major Windows update, verify these settings.
Disable tamper protection
Note
Tamper Protection can no longer be disabled through the registry (registry settings are not honored). It must be disabled manually before changing Windows Defender settings.
GUI
⌘ + r › windowsdefender://settings › Virus & threat protection settings › Manage Settings
Tamper Protection ☐
Updated: 2021-02-19
Registry
PsExec
PsExec64.exe -accepteula -d -i -s powershell -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft Defender\Features' -Name 'TamperProtection' -Value 4"
PsExec64.exe -accepteula -d -i -s powershell -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft Defender\Features' -Name 'TamperProtectionSource' -Value 2"
Sysinternals PsTools must be installed to set these via PowerShell; PsExec runs the command as SYSTEM (-s). As the note above states, current builds no longer honor these registry values.
Disable Microsoft Defender notifications
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Client Interface › Suppress all notifications
☑ ENABLED
Updated: 2021-02-19
Disable Microsoft Defender Enhanced Notifications
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Reporting › Turn off enhanced notifications
☑ ENABLED
Updated: 2021-02-19
Registry
Key | Name | Type | Value
---|---|---|---
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\Reporting | DisableEnhancedNotifications | SZ | 1
Updated: 2021-02-19
Disable Microsoft Defender Updates
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Security Intelligence Updates › Allow real-time security intelligence updates based on reports to Microsoft MAPS
☑ ENABLED
Updated: 2021-02-19
Registry
Key | Name | Type | Value
---|---|---|---
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\Updates | named | DELETE | DELETE
Updated: 2021-02-19
Registry
Key | Name | Type | Value
---|---|---|---
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\Signature Updates | FallbackOrder | SZ | FileShares
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\Signature Updates | DefinitionUpdateFileSharesSources | DELETE | DELETE
Updated: 2021-02-19
Disable Malicious Software Reporting Tool
This reports file information to Microsoft.
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › MAPS › Send file samples when further analysis is required
☑ Never Send
Updated: 2021-02-19
Registry
Key | Name | Type | Value
---|---|---|---
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT | DontReportInfectionInformation | DWORD | 1
Updated: 2021-02-19
Disable Microsoft Defender Smart Screen
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender SmartScreen › Explorer › Configure Microsoft Defender SmartScreen
☑ DISABLED
Updated: 2021-02-19
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender SmartScreen › Explorer › Configure App Install Control
☑ ENABLED › Turn off app recommendations
Updated: 2021-02-19
Registry
The registry values are logically inverted relative to the equivalent GPO.
Key | Name | Type | Value
---|---|---|---
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\SmartScreen | ConfigureAppInstallControlEnabled | DWORD | 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\SmartScreen | ConfigureAppInstallControl | SZ | Anywhere
Updated: 2021-02-19
Disable Microsoft Defender real-time protection
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Real-time Protection
Setting | State
---|---
Turn off real-time protection | ENABLED
Turn on behavior monitoring | DISABLED
Scan all downloaded files and attachments | DISABLED
Monitor file and program activity on your computer | DISABLED
Turn on raw volume write notifications | DISABLED
Turn on process scanning whenever real-time protection is enabled | DISABLED
Define the maximum size of downloaded files and attachments to be scanned | DISABLED
Configure local setting override for turn on behavior monitoring | DISABLED
Configure local setting override for scanning all downloaded files and attachments | DISABLED
Configure local setting override for monitoring file and program activity on your computer | DISABLED
Configure local setting override to turn on real-time protection | DISABLED
Configure local setting override for monitoring for incoming and outgoing file activity | DISABLED
Configure monitoring for incoming and outgoing file and program activity | DISABLED
Updated: 2021-02-19
Disable Windows Defender notification icon
GPO
Computer Configuration › Administrative Templates › Windows Components › Windows Security › Systray › Hide Windows Security Systray
ENABLED
Updated: 2021-02-19
Task Manager
⌘ › Task Manager › More Details › Startup › Microsoft Defender notification icon
DISABLED
Updated: 2021-02-19
Disable Microsoft Defender
As of Windows 1903, this setting only disables Microsoft Defender on Windows Server. The other settings still apply.
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Turn off Microsoft Defender Antivirus
☑ ENABLED
Updated: 2021-02-19
Registry
Key | Name | Type | Value
---|---|---|---
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender | DisableAntiSpyware | DWORD | 1
Updated: 2021-02-19
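The "verify these settings after every major update" step above can be turned into a read-only audit. The following script is an added example and is not part of the original guide; it reads back the registry values documented in this section and the live state reported by the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference), assumes the Defender PowerShell module is present, and changes nothing.

```powershell
# Added example, not from the original guide. Read-only: nothing is written.
# Run from an elevated PowerShell; the Defender module ships with Windows.
$Expected = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Defender\Reporting';  Name = 'DisableEnhancedNotifications';     Value = '1' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT';                            Name = 'DontReportInfectionInformation';   Value = '1' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Defender\SmartScreen'; Name = 'ConfigureAppInstallControlEnabled'; Value = '1' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Defender\SmartScreen'; Name = 'ConfigureAppInstallControl';        Value = 'Anywhere' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Defender';            Name = 'DisableAntiSpyware';                Value = '1' }
)

# Compare each documented value with what is actually in the registry.
# Values are compared as strings so SZ "1" and DWORD 1 are treated alike.
foreach ($e in $Expected) {
    $item = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $state = 'MISSING'                      # key or value absent: policy not applied, or reset by an update
    } elseif ("$($item.($e.Name))" -eq $e.Value) {
        $state = 'OK'
    } else {
        $state = "DRIFT ($($item.($e.Name)))"   # present, but not the documented value
    }
    '{0,-20} {1}\{2}' -f $state, $e.Key, $e.Name
}

# Cross-check with the Defender service's own view. IsTamperProtected = True means
# the policy values above are not honored (see the Tamper Protection note).
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[PSCustomObject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
    IsTamperProtected         = $status.IsTamperProtected
    MAPSReporting             = $pref.MAPSReporting        # 0 = off
    SubmitSamplesConsent      = $pref.SubmitSamplesConsent # 2 = Never Send
} | Format-List
```

Any MISSING or DRIFT line after a feature update points at a setting that has to be re-applied; the cmdlet output shows whether the service actually picked the policy up.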
9.1. Firewall
Endpoints for telemetry may change. Periodically verify that these have not changed. See the references for additional documentation.
Warning
These endpoints should be blocked or routed to a blackhole. See Pi-Hole and DNAT for Captive DNS.
Connected User Experiences and Telemetry endpoints
The Microsoft Defender Advanced Threat Protection endpoints are country specific; the prefix changes by country, e.g. de.vortex-win.data.microsoft.com.
Release | Diagnostic Endpoint | Functional Endpoint | Settings Endpoint
---|---|---|---
1703 with 2018-09 cumulative update | v10c.vortex-win.data.microsoft.com | v20.vortex-win.data.microsoft.com | settings-win.data.microsoft.com
1803 without 2018-09 cumulative update | v10.events.data.microsoft.com | v20.vortex-win.data.microsoft.com | settings-win.data.microsoft.com
1709 or earlier | v10.vortex-win.data.microsoft.com | v20.vortex-win.data.microsoft.com | settings-win.data.microsoft.com
Diagnostic data services endpoints
Service | Endpoint
---|---
Microsoft Defender Advanced Threat Protection |
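To notice a Pi-hole or DNAT rule that has silently stopped matching, the following added check (example code, not part of the original guide) resolves each endpoint from the tables above and reports whether the answer is a blackhole address. It assumes the blackhole answers with 0.0.0.0 or loopback (adjust $Sink to whatever your resolver returns) and that Resolve-DnsName is available (DnsClient module).

```powershell
# Added example, not from the original guide. Read-only DNS check.
# Assumption: the sinkhole answers with one of these addresses; edit to match your setup.
$Sink = @('0.0.0.0', '127.0.0.1', '::', '::1')

# Endpoints from the tables above (country prefixes such as de. are not enumerated here).
$Endpoints = @(
    'v10c.vortex-win.data.microsoft.com',
    'v10.events.data.microsoft.com',
    'v10.vortex-win.data.microsoft.com',
    'v20.vortex-win.data.microsoft.com',
    'settings-win.data.microsoft.com'
)

foreach ($name in $Endpoints) {
    try {
        # -DnsOnly: query over DNS only (no LLMNR/NetBIOS); -NoHostsFile: ignore local
        # hosts entries, so it is the configured resolver that gets tested.
        $answers = Resolve-DnsName -Name $name -Type A -DnsOnly -NoHostsFile -ErrorAction Stop |
                   Where-Object { $_.IPAddress } |
                   Select-Object -ExpandProperty IPAddress
    } catch {
        # NXDOMAIN or timeout: the resolver refuses the name, which is also an effective block.
        '{0,-8} {1} (no answer: {2})' -f 'BLOCKED', $name, $_.Exception.Message
        continue
    }
    $leaking = @($answers | Where-Object { $Sink -notcontains $_ })
    $state = if ($leaking.Count -gt 0) { 'LEAKING' } else { 'BLOCKED' }
    '{0,-8} {1} -> {2}' -f $state, $name, ($answers -join ', ')
}
```

A LEAKING line means the name resolves to a public address and traffic to that endpoint would leave the host; re-check the Pi-hole list or the DNAT rule for that name.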
References