9. Microsoft Defender

Don’t turn this off unless you know what you are doing. You should first disable all of the options for windows defender before disabling the service, as cloud-based protection will cause 100% disk usage (in settings).

See Virus & threat protection settings for Windows Defender GUI settings. ref:w10-20h2-standalone-telemetry for telemetry services.

Danger

As of 20H2 Microsoft Defender can no longer be disabled; it will only disable on detection of other certified antivirus software. Disable all live scanning services instead.

After every major windows update, verify these settings.

Reference Reference

Disable tamper protection

Note

Tamper Protection can no longer be disabled (registry settings not honored). It must be disabled manually before changing Windows Defender settings.

GUI

⌘ + r › windowsdefender://settings › Virus & threat protection settings › Manage Settings

Tamper Protection

☐

Updated: 2021-02-19 Reference

Registry

There is no GPO for this. 5 enables protection.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Defender\Features

TamperProtection

DWORD

4

TamperProtectionSource

DWORD

2

Updated: 2021-02-19 Reference

PS Exec

powershell (as admin)

PsExec64.exe -accepteula -d -i -s powershell -ExecutionPolicy Bypass Set-Itemproperty -path 'HKLM:SOFTWARE\Microsoft\Microsoft Defender\Features' -Name 'TamperProtection' -value 4
PsExec64.exe -accepteula -d -i -s powershell -ExecutionPolicy Bypass Set-Itemproperty -path 'HKLM:SOFTWARE\Microsoft\Microsoft Defender\Features' -Name 'TamperProtectionSource' -value 2

Sysinternals PSTools need to be installed disable via powershell.

Reference

Disable Microsoft Defender notifications

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Client Interface › Suppress all notifications

☑

ENABLED

Updated: 2021-02-19 Reference

Disable Microsoft Defender Enhanced Notifications

GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Reporting › Turn off enhanced notifications

☑

ENABLED

Updated: 2021-02-19

Registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\Reporting

DisableEnhancedNotifications

SZ

1

Updated: 2021-02-19

Disable Microsoft Defender Updates

GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Security Intelligence UpdatesAllow real-time security intelligence updates based on reports to Microsoft MAPS

☑

ENABLED

Updated: 2021-02-19

Registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\Updates

named

DELETE

DELETE

Updated: 2021-02-19

Registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\Signature Updates

FallbackOrder

SZ

FileShares

DefinitionUpdateFileSharesSources

DELETE

DELETE

Updated: 2021-02-19

Disable Malicious Software Reporting Tool

This reports file information to Microsoft.

GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › MAPS › Send file samples when further analysis is required

☑

Never Send

Updated: 2021-02-19

Registry

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT

DontReportInfectionInformation

DWORD

1

Updated: 2021-02-19

Disable Microsoft Defender Smart Screen

GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender SmartScreen › Explorer › Configure Microsoft Defender SmartScreen

☑

DISABLED

Updated: 2021-02-19

GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender SmartScreen › Explorer › Configure App Install Control

☑

ENABLED

›

Turn off app recommendations

Updated: 2021-02-19

Registry

Logically inversed from the equivalent GPO.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender\SmartScreen

ConfigureAppInstallControlEnabled

DWORD

1

ConfigureAppInstallControl

SZ

Anywhere

Updated: 2021-02-19

Disable Microsoft Defender real-time protection

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Real-time Protection

Turn off real-time protection

ENABLED

Turn on behavior monitoring

DISABLED

Scan all downloaded files and attachments

DISABLED

Monitor file and program activity on your computer

DISABLED

Turn on raw volume write notifications

DISABLED

Turn on process scanning whenever real-time protection is enabled

DISABLED

Define the maximum size of downloaded files and attachments to be scanned

DISABLED

Configure local setting override for turn on behavior monitoring

DISABLED

Configure local setting override for scanning all downloaded files and attachments

DISABLED

Configure local setting override for monitoring file and program activity on your computer

DISABLED

Configure local setting override to turn on real-time protection

DISABLED

Configure local setting override for monitoring for incoming and outgoing file activity

DISABLED

Configure monitoring for incoming and outgoing file and program activity

DISABLED

Updated: 2021-02-19

Disable windows defender notification icon

GPO

Computer Configuration › Administrative Templates › Windows Components › Windows Security › Systray

Hide Windows Security Systray

ENABLED

Updated: 2021-02-19 Reference

Task Manager

⌘ › Task Manager › More Details › Startup

Microsoft Defender notification icon

DISABLED

Updated: 2021-02-19 Reference

Disable Microsoft Defender

As of Windows 1903 this setting only disables Microsoft Defender for Windows Server. Other settings still apply.

GPO

Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Turn off Microsoft Defender Antivirus

☑

ENABLED

Updated: 2021-02-19 Reference

Registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender

DisableAntiSpyware

DWORD

1

Updated: 2021-02-19 Reference

9.1. Firewall

Endpoints for telemetry may change. Peridiocally verify these have not changed. See references for additional documentation.

Warning

These endpoints should be blocked or routed to a blackhole. See Pi-Hole and DNAT for Captive DNS.

Connected User Experiences and Telemetry endpoints

Microsoft Defender Advanced Threat Protection is country specific and the prefix changes by country, e.g.: de.vortex-win.data.microsoft.com

Release	Diagnostic Endpoint	Functional Endpoint	Settings Endpoint
1703 with 2018-09 cumulative update	v10c.vortex-win.data.microsoft.com	v20.vortex-win.data.microsoft.com	settings-win.data.microsoft.com
1803 without 2018-09 cumulative update	v10.events.data.microsoft.com	v20.vortex-win.data.microsoft.com	settings-win.data.microsoft.com
1709 or earlier	v10.vortex-win.data.microsoft.com	v20.vortex-win.data.microsoft.com	settings-win.data.microsoft.com

Diagnostic data services endpoints

Service	Endpoint
Microsoft Defender Advanced Threat Protection	https://wdcp.microsoft.com
›	https://wdcpalt.microsoft.com

References

1. Configure Windows Diagnostic Data

2. Manage connections from Windows 10 to Microsoft Services

3. Remove Microsoft Defender Telemetry