1.1. Virus & threat protection settings
Danger
As of 20H2, Microsoft Defender Antivirus can no longer be fully disabled unless a third-party antivirus is registered with Windows Security. Tamper Protection is on by default and, while it is on, the Group Policy and registry changes on this page are silently ignored; it cannot be turned off by policy, only locally in the Windows Security app (or centrally through Intune/Defender for Endpoint on managed devices).
After every Windows feature update, verify that these settings are still in effect.
Windows Defender was renamed Microsoft Defender in 20H2. See Microsoft Defender for the non-GUI Microsoft Defender settings and Telemetry for the telemetry services.
1.1.1. Real-time protection
Disable Real-Time protection
Warning
Only disable this if you know what you are doing. With real-time protection off, Defender only catches malware during scheduled or manual scans; nothing inspects downloads, attachments or running processes. While Tamper Protection is on, the "Turn off real-time protection" policy below is ignored.
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Real-time Protection
Turn off real-time protection
ENABLED
Turn on behavior monitoring
DISABLED
Scan all downloaded files and attachments
DISABLED
Monitor file and program activity on your computer
DISABLED
Turn on raw volume write notifications
DISABLED
Turn on process scanning whenever real-time protection is enabled
DISABLED
Define the maximum size of downloaded files and attachments to be scanned
DISABLED
Configure local setting override for turn on behavior monitoring
DISABLED
Configure local setting override for scanning all downloaded files and attachments
DISABLED
Configure local setting override for monitoring file and program activity on your computer
DISABLED
Configure local setting override to turn on real-time protection
DISABLED
Configure local setting override for monitoring for incoming and outgoing file activity
DISABLED
Configure monitoring for incoming and outgoing file and program activity
DISABLED
Updated: 2021-02-19
1.1.2. Cloud-delivered protection
Disable Cloud-delivered protection
Previous versions labelled this "Microsoft Active Protection Service" (MAPS). It reports metadata about suspicious files (hashes, file attributes, detection details) to Microsoft and receives cloud verdicts in return; block-at-first-sight and cloud lookups for unknown files depend on it, so disabling it reduces detection of new malware to local signatures and heuristics. Whether actual file contents are uploaded is controlled separately by Automatic sample submission (1.1.3).
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › MAPS › Join Microsoft MAPS
☑
ENABLED
Join Microsoft MAPS
DISABLED
Updated: 2021-02-19 Reference
1.1.3. Automatic sample submission
Disable Automatic sample submission
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › MAPS › Send sample files when further analysis is required
☑
ENABLED
Send sample files when further analysis is required
Never send
Updated: 2021-02-19 Reference
1.1.4. Exclusions
Add hosts file exclusion
On 20H2 and later, Defender flags every modification to the hosts file (detected as SettingsModifier:Win32/HostsFileHijack), even when the entries are legitimate DNS blackholes for telemetry. Only add this exclusion if you manage the hosts file yourself: an excluded hosts file can be rewritten by malware to redirect any domain without Defender noticing, which is exactly the attack this detection exists for. Keep the file under change control (read-only attribute, file auditing, or a script that owns its contents).
GPO
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Exclusions › Path Exclusions
☑
ENABLED
Path Exclusions
› Value Name
C:\Windows\System32\drivers\etc\hosts
› Value
0
Updated: 2021-02-19 Reference
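Because the page asks for these settings to be re-verified after every feature update, the following PowerShell is an added example (not part of the original page) that compares the effective Defender state reported by Get-MpComputerStatus and Get-MpPreference against the values configured in 1.1.1 to 1.1.4. It also reads the policy hive (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender) that the listed GPOs write to, so a missing key tells you whether the GPO never applied or Tamper Protection discarded it. The expected values and the hosts path are taken from this page; the function names are the example's own.

```powershell
# Added example (not from the original page): compare the effective Microsoft Defender state
# against the settings configured in 1.1.1 to 1.1.4. Run elevated after every feature update.
#Requires -RunAsAdministrator

# Policy hive the GPOs on this page write to.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Expected values per this page. MAPSReporting 0 = disabled; SubmitSamplesConsent 2 = never send.
$Expected = @{
    RealTimeProtectionEnabled = $false   # 1.1.1 Turn off real-time protection
    BehaviorMonitorEnabled    = $false   # 1.1.1 Turn on behavior monitoring: disabled
    IoavProtectionEnabled     = $false   # 1.1.1 Scan all downloaded files and attachments: disabled
    OnAccessProtectionEnabled = $false   # 1.1.1 Monitor file and program activity: disabled
    MAPSReporting             = 0        # 1.1.2 Join Microsoft MAPS: disabled
    SubmitSamplesConsent      = 2        # 1.1.3 Send sample files: never send
    HostsExcluded             = $true    # 1.1.4 Path exclusion for the hosts file
}

function Get-DefenderPolicyValue {
    # Reads one value from the policy hive; returns $null when no GPO has written it.
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-DefenderBaseline {
    # Emits one row per check (Expected/Actual/Pass) so the output can be piped or exported.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $hosts  = "$env:SystemRoot\System32\drivers\etc\hosts"

    $actual = @{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
        IoavProtectionEnabled     = $status.IoavProtectionEnabled
        OnAccessProtectionEnabled = $status.OnAccessProtectionEnabled
        MAPSReporting             = [int]$pref.MAPSReporting
        SubmitSamplesConsent      = [int]$pref.SubmitSamplesConsent
        HostsExcluded             = (@($pref.ExclusionPath) -contains $hosts)
    }

    foreach ($name in ($Expected.Keys | Sort-Object)) {
        [pscustomobject]@{
            Check    = $name
            Expected = $Expected[$name]
            Actual   = $actual[$name]
            Pass     = ($actual[$name] -eq $Expected[$name])
        }
    }

    # Tamper Protection silently discards the GPO and registry changes this page relies on.
    [pscustomobject]@{
        Check    = 'IsTamperProtected'
        Expected = $false
        Actual   = $status.IsTamperProtected
        Pass     = (-not $status.IsTamperProtected)
    }

    # Confirm the GPOs actually landed by reading the values they write.
    $rtp   = Get-DefenderPolicyValue 'Real-Time Protection' 'DisableRealtimeMonitoring'
    $maps  = Get-DefenderPolicyValue 'Spynet' 'SpynetReporting'
    $smpl  = Get-DefenderPolicyValue 'Spynet' 'SubmitSamplesConsent'
    [pscustomobject]@{ Check = 'Policy: DisableRealtimeMonitoring'; Expected = 1; Actual = $rtp;  Pass = ($rtp  -eq 1) }
    [pscustomobject]@{ Check = 'Policy: SpynetReporting';           Expected = 0; Actual = $maps; Pass = ($maps -eq 0) }
    [pscustomobject]@{ Check = 'Policy: SubmitSamplesConsent';      Expected = 2; Actual = $smpl; Pass = ($smpl -eq 2) }
}

$results = Test-DefenderBaseline
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'Defender configuration has drifted; check Tamper Protection and gpresult /h before re-applying.'
    exit 1
}
```

Run it from an elevated PowerShell. If a third-party antivirus has put Defender into passive mode, Get-MpComputerStatus reports real-time protection as off regardless of policy, so a passing result there says nothing about the GPO; the policy-hive rows are the ones that show whether the settings were actually applied.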
1.1.5. Notifications
1.1.5.1. Virus & threat protection notifications
Turn off enhanced notifications
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Reporting › Turn off enhanced notifications
☑
ENABLED
Updated: 2022-01-20 Reference
Hide notifications
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Client interface › Suppress all notifications
☑
ENABLED
Updated: 2022-01-20 Reference
Hide reboot notifications
Computer Configuration › Administrative Templates › Windows Components › Microsoft Defender Antivirus › Client interface › Suppresses reboot notifications
☑
ENABLED
Updated: 2022-01-20 Reference
Disable Get informational notifications
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
DisableEnhancedNotifications
DWORD
1
Updated: 2021-02-19
Disable Recent activity and scan results
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection
SummaryNotificationDisabled
DWORD
1
Updated: 2021-02-19
Disable Threats found but no immediate action is needed
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection
NoActionNotificationDisabled
DWORD
1
Updated: 2021-02-19
Disable Files or activities are blocked
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection
FilesBlockedNotificationDisabled
DWORD
1
Updated: 2021-02-19
1.1.5.2. Get account protection notifications
The keys below are per user: {SID} is the user's security identifier under HKEY_USERS (HKEY_CURRENT_USER for the logged-on user), so apply them for every account that uses the machine.
Disable Get account protection notifications
Registry
HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection
DisableNotifications
DWORD
1
Updated: 2021-02-19 Reference
Disable Problems with Windows Hello
Registry
HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection
DisableWindowsHelloNotifications
DWORD
1
Updated: 2021-02-19 Reference
Disable Problems with Dynamic lock
Registry
HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection
DisableDynamiclockNotifications
DWORD
1
Updated: 2021-02-19 Reference
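The registry values in 1.1.5.1 and 1.1.5.2 can be applied and verified together. The PowerShell below is an added example, not from the original page: it writes the listed DWORDs, resolving {SID} to the current user's SID for the per-user keys, and, since the Windows Security toasts are now suppressed, shows how to read detections directly from Get-MpThreatDetection and the Defender Operational event log (event 1116 is a detection, 1117 the action taken). The function names and the seven-day window are the example's own.

```powershell
# Added example (not from the original page): apply the notification registry values from
# 1.1.5.1 (machine-wide) and 1.1.5.2 (per user), then review detections without relying on toasts.
#Requires -RunAsAdministrator

$Root     = 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center'
# {SID} on the page is the target user's SID; here it is resolved to the account running the script.
$Sid      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$UserRoot = "Registry::HKEY_USERS\$Sid\SOFTWARE\Microsoft\Windows Defender Security Center"

# Key/value pairs exactly as listed on this page; all are REG_DWORD 1.
$Settings = @(
    @{ Key = "$Root\Notifications";               Name = 'DisableEnhancedNotifications' }
    @{ Key = "$Root\Virus and threat protection"; Name = 'SummaryNotificationDisabled' }
    @{ Key = "$Root\Virus and threat protection"; Name = 'NoActionNotificationDisabled' }
    @{ Key = "$Root\Virus and threat protection"; Name = 'FilesBlockedNotificationDisabled' }
    @{ Key = "$UserRoot\Account protection";      Name = 'DisableNotifications' }
    @{ Key = "$UserRoot\Account protection";      Name = 'DisableWindowsHelloNotifications' }
    @{ Key = "$UserRoot\Account protection";      Name = 'DisableDynamiclockNotifications' }
)

function Set-NotificationSetting {
    # Creates the key if needed and writes the DWORD; safe to re-run.
    param([string]$Key, [string]$Name, [int]$Value = 1)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Test-NotificationSetting {
    # True when the value is present with the expected data.
    param([string]$Key, [string]$Name, [int]$Value = 1)
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name -eq $Value
}

$Settings | ForEach-Object {
    $s = $_
    Set-NotificationSetting @s
    [pscustomobject]@{ Key = $s.Key; Name = $s.Name; Applied = (Test-NotificationSetting @s) }
} | Format-Table -AutoSize

function Get-RecentDefenderDetections {
    # Event 1116 = malware detected, 1117 = action taken, in the Defender Operational log.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

# With toasts suppressed, these two views replace the Windows Security notifications.
Get-MpThreatDetection | Select-Object InitialDetectionTime, ProcessName, Resources | Format-Table -AutoSize
Get-RecentDefenderDetections | Format-Table -AutoSize
```

If the script is run under a different administrator account than the one whose notifications you want to silence, replace $Sid with that user's SID; the HKLM values apply to everyone regardless.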
1.1.6. Firewall
Endpoints for telemetry may change. Periodically verify that these have not changed. See the references for additional documentation.
Warning
Block these endpoints at the firewall or route them to a blackhole; see Pi-Hole and DNAT for Captive DNS. The hostnames resolve to changing CDN addresses, so IP-based firewall rules go stale quickly; blocking at the DNS layer is more robust.
Connected User Experiences and Telemetry endpoints
The Microsoft Defender Advanced Threat Protection endpoint is country specific; the prefix changes by country, e.g. de.vortex-win.data.microsoft.com.
Release | Diagnostic Endpoint | Functional Endpoint | Settings Endpoint
---|---|---|---
1703 with 2018-09 cumulative update | v10c.vortex-win.data.microsoft.com | v20.vortex-win.data.microsoft.com | settings-win.data.microsoft.com
1803 without 2018-09 cumulative update | v10.events.data.microsoft.com | v20.vortex-win.data.microsoft.com | settings-win.data.microsoft.com
1709 or earlier | v10.vortex-win.data.microsoft.com | v20.vortex-win.data.microsoft.com | settings-win.data.microsoft.com
Diagnostic data services endpoints
Service | Endpoint
---|---
Microsoft Defender Advanced Threat Protection | 
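As a host-local complement to the Pi-Hole/DNAT blackholing the page recommends, the following PowerShell is an added example (not from the original page) that writes the endpoints from the Connected User Experiences and Telemetry table above into a marked, replaceable block in the hosts file and then confirms that each name resolves to 0.0.0.0 through the Windows resolver. The marker strings and function names are the example's own; the Defender Advanced Threat Protection endpoint is left out because the page does not list it. Since this modifies the hosts file, the exclusion from 1.1.4 must be in place or Defender will flag the change.

```powershell
# Added example (not from the original page): host-local blackhole for the telemetry endpoints
# listed in this section. The entries live between marker lines so re-runs replace the block
# instead of appending duplicates. Requires the hosts-file exclusion from 1.1.4.
#Requires -RunAsAdministrator

$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$BeginMark = '# BEGIN telemetry-blackhole (managed)'
$EndMark   = '# END telemetry-blackhole (managed)'

# Endpoints copied from the table in this section.
$Endpoints = @(
    'v10c.vortex-win.data.microsoft.com'
    'v10.vortex-win.data.microsoft.com'
    'v10.events.data.microsoft.com'
    'v20.vortex-win.data.microsoft.com'
    'settings-win.data.microsoft.com'
)

function Get-BlackholeBlock {
    # Builds the managed block. 0.0.0.0 fails fast instead of waiting on a loopback listener.
    param([string[]]$Names)
    @($BeginMark) + ($Names | Sort-Object -Unique | ForEach-Object { "0.0.0.0 $_" }) + @($EndMark)
}

function Set-HostsBlackhole {
    param([string[]]$Names)
    $lines = if (Test-Path $HostsPath) { @(Get-Content $HostsPath) } else { @() }
    # Drop any earlier managed block, keep every other line exactly as it was.
    $kept    = New-Object System.Collections.Generic.List[string]
    $inBlock = $false
    foreach ($l in $lines) {
        if ($l -eq $BeginMark) { $inBlock = $true;  continue }
        if ($l -eq $EndMark)   { $inBlock = $false; continue }
        if (-not $inBlock) { $kept.Add($l) }
    }
    $out = @($kept) + (Get-BlackholeBlock -Names $Names)
    # Plain ASCII without a BOM, which is what the resolver expects in this file.
    [System.IO.File]::WriteAllLines($HostsPath, $out, [System.Text.Encoding]::ASCII)
    ipconfig /flushdns | Out-Null
}

function Test-HostsBlackhole {
    # Dns.GetHostAddresses honours the hosts file (Resolve-DnsName does not), so it shows the effective answer.
    param([string[]]$Names)
    foreach ($n in $Names) {
        try   { $addr = [System.Net.Dns]::GetHostAddresses($n)[0].IPAddressToString }
        catch { $addr = 'unresolved' }
        [pscustomobject]@{ Endpoint = $n; Resolves = $addr; Blackholed = ($addr -eq '0.0.0.0') }
    }
}

Set-HostsBlackhole  -Names $Endpoints
Test-HostsBlackhole -Names $Endpoints | Format-Table -AutoSize
```

Re-run the script whenever the endpoint table changes; only the managed block is rewritten, so any other hosts entries you maintain survive. A row showing anything other than 0.0.0.0 means the write did not take effect (check the file's read-only attribute and that the script ran elevated).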
References