Configure the cloud block timeout period

Applies to:

Platforms

  • Windows
  • Windows Server

When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the Microsoft Defender Antivirus cloud service.

By default, the file is blocked for 10 seconds. If you're a security administrator, you can specify more time to wait before the file is allowed to run. Extending the cloud block timeout period can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.

Prerequisites to use the extended cloud block timeout

Block at first sight and its prerequisites must be enabled before you can specify an extended timeout period.

Specify the extended timeout period using Microsoft Defender for Endpoint Security settings management

To specify the cloud block timeout period with Microsoft Defender for Endpoint Security settings management:

  1. Go to the Microsoft Defender for Endpoint portal (https://security.microsoft.com) and sign in.
  2. Select Endpoints > Configuration management > Endpoint security policies.
  3. Select Create new Policy.
  4. Under Select Platform choose: "Windows 10, Windows 11, and Windows Server".
  5. Under Select Template choose: "Microsoft Defender Antivirus".
  6. Select Create policy.
  7. Enter a name and description and select Next.
  8. From the Defender dropdown go to Cloud Extended Timeout and toggle it on.
  9. Specify the extended time, in seconds, from 1 second to 50 seconds. Whatever you specify is added to the default 10 seconds.
  10. Select Next and Save to finish configuring your policy.

Specify the extended timeout period using Microsoft Intune

You can specify the cloud block timeout period with an endpoint security policy in Microsoft Intune.

  1. Go to the Intune admin center (https://intune.microsoft.com/) and sign in.

  2. Select Endpoint security, and then under Manage, choose Antivirus.

  3. Select (or create) an antivirus policy.

  4. In the Configuration settings section, expand Cloud protection. Then, in the Microsoft Defender Antivirus Extended Timeout In Seconds box, specify the additional time, in seconds, from 1 second to 50 seconds. Whatever you specify is added to the default 10 seconds.

  5. (This step is optional) Make any other changes to your antivirus policy. (Need help? See Settings for Microsoft Defender Antivirus policy in Microsoft Intune.)

  6. Choose Next, and finish configuring your policy.

Specify the extended timeout period using Group Policy

You can use Group Policy to specify an extended timeout for cloud checks.

  1. On your Group Policy management computer, open the Group Policy Management Console.

  2. Right-click the Group Policy Object you want to configure and then select Edit.

  3. In the Group Policy Management Editor, go to Computer configuration, and then select Administrative templates.

  4. Expand the tree to Windows components > Microsoft Defender Antivirus > MpEngine.

  5. Double-click Configure extended cloud check and ensure the option is enabled.

    Specify the extra time, in seconds, from 1 second to 50 seconds, to keep the file from running while waiting for a cloud determination. Whatever you specify is added to the default 10 seconds.

  6. Select OK.
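
Whichever method you use, you can confirm the result on an endpoint. The following PowerShell check is an added example, not part of the original procedures: it reports the effective block period (the default 10 seconds plus the extension) and flags block at first sight prerequisites that are switched off. The function name Test-CloudBlockTimeout and the sample values are hypothetical; the property names are the ones Get-MpPreference returns, and the prerequisite list comes from Defender's documented settings rather than from this page.

```powershell
# Added example: audit the cloud block timeout and the block at first sight
# prerequisites from a Defender preference object (live or constructed).
function Test-CloudBlockTimeout {
    param(
        [Parameter(Mandatory)] $Pref,   # output of Get-MpPreference, or a stand-in object
        [int] $DefaultSeconds = 10      # default block period stated on this page
    )
    $issues = @()
    # Block at first sight itself must not be disabled.
    if ($Pref.DisableBlockAtFirstSeen) { $issues += 'Block at first sight is disabled' }
    # Cloud-delivered protection: 0 = off, 1 = basic, 2 = advanced.
    if ($Pref.MAPSReporting -eq 0) { $issues += 'Cloud-delivered protection is off' }
    # Sample submission: 1 = send safe samples, 3 = send all samples.
    if ($Pref.SubmitSamplesConsent -notin 1, 3) { $issues += 'Automatic sample submission is off' }
    if ($Pref.DisableRealtimeMonitoring) { $issues += 'Real-time protection is off' }
    if ($Pref.DisableIOAVProtection) { $issues += 'Scanning of downloads and attachments is off' }
    # 0 means no extension is configured; the configurable range is 1 to 50 seconds.
    $ext = [int]$Pref.CloudExtendedTimeout
    if ($ext -gt 50) { $issues += "Extended timeout $ext is above the 50 second maximum" }
    [pscustomobject]@{
        ExtendedSeconds  = $ext
        EffectiveSeconds = $DefaultSeconds + $ext
        Compliant        = ($issues.Count -eq 0)
        Issues           = $issues
    }
}

# Constructed sample: a 40 second extension with sample submission turned off.
$sample = [pscustomobject]@{
    CloudExtendedTimeout      = 40
    DisableBlockAtFirstSeen   = $false
    MAPSReporting             = 2
    SubmitSamplesConsent      = 2
    DisableRealtimeMonitoring = $false
    DisableIOAVProtection     = $false
}
Test-CloudBlockTimeout -Pref $sample   # reports 50 effective seconds and one issue

# On a managed endpoint, audit the live configuration instead:
# Test-CloudBlockTimeout -Pref (Get-MpPreference)
```

An extended timeout that shows up here while a prerequisite is flagged means the longer block period is configured but block at first sight cannot use it.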
