Specify the cloud protection level
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
Platforms
- Windows
Cloud protection works together with Microsoft Defender Antivirus to deliver protection to your devices faster than through traditional security intelligence updates. You can configure your level of cloud protection by using Microsoft Intune (recommended) or Group Policy.
Use Microsoft Intune to specify the level of cloud protection
Go to the Microsoft Intune admin center (https://intune.microsoft.com) and sign in.
Choose Endpoint security > Antivirus.
Select an antivirus profile. If you don't have one yet, or if you want to create a new profile, see Configure device restriction settings in Microsoft Intune.
Select Properties. Then, next to Configuration settings, choose Edit.
Expand Cloud protection, and then in the Cloud-delivered protection level list, select one of the following:
- Not configured: Default state.
- High: Applies a strong level of detection.
- High plus: Uses the High level and applies extra protection measures (might affect client performance).
- Zero tolerance: Blocks all unknown executables.
Choose Review + save, and then choose Save.
Tip
Need some help? See the following resources:
Use Group Policy to specify the level of cloud protection
On your Group Policy management machine, open the Group Policy Management Console.
Right-click the Group Policy Object you want to configure, and then select Edit.
In the Group Policy Management Editor, go to Computer Configuration > Administrative templates.
Expand the tree to Windows Components > Microsoft Defender Antivirus > MpEngine.
Double-click the Select cloud protection level setting, and set it to Enabled.
Under Select cloud blocking level, set the level of protection:
- Default blocking level provides strong detection without increasing the risk of detecting legitimate files.
- Moderate blocking level provides moderate only for high confidence detections
- High blocking level applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives).
- High + blocking level applies extra protection measures (might affect client performance and increase your chance of false positives).
- Zero tolerance blocking level blocks all unknown executables.
Caution
If you're using Resultant Set of Policy with Group Policy (RSOP), and Default blocking level is selected, it can produce misleading results, as a setting with a
0
value is read as disabled by RSOP. You can instead confirm the registry key is present inComputer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine
or use GPresult.Select OK.
Deploy your updated Group Policy Object. See Group Policy Management Console
Tip
Are you using Group Policy Objects on premises? See how they translate in the cloud. Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Intune.
See also
- Onboard non-Windows devices to Defender for Endpoint
- Turn on cloud protection in Microsoft Defender Antivirus
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.