Turn on cloud protection in Microsoft Defender Antivirus

Applies to:

• Microsoft Defender Antivirus
• Microsoft Defender for Endpoint Plan 2

Platforms

• Windows

Cloud protection in Microsoft Defender Antivirus delivers accurate, real-time, and intelligent protection. Cloud protection should be enabled by default; however, you can configure cloud protection to suit your organization's needs.

Methods to configure cloud protection

You can turn Microsoft Defender Antivirus cloud protection on or off by using one of several methods:

• Microsoft Endpoint Manager, which includes Microsoft Intune and Configuration Manager
• Group Policy
• PowerShell cmdlets

You can also turn cloud protection on or off on individual endpoints using the Windows Security app.

For more information about the specific network-connectivity requirements to ensure your endpoints can connect to the cloud protection service, see Configure and validate network connections.

Note

In Windows 10 and Windows 11, there is no difference between the Basic and Advanced reporting options described in this article. This is a legacy distinction and choosing either setting will result in the same level of cloud protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the Microsoft Privacy Statement.

Use Intune to turn on cloud protection

1. Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and sign in.

2. On the Home pane, select Device configuration > Profiles.

3. Select the Device restrictions profile type you want to configure. If you need to create a new Device restrictions profile type, see Configure device restriction settings in Microsoft Intune.

4. Select Properties > Configuration settings: Edit > Microsoft Defender Antivirus.

5. On the Cloud-delivered protection switch, select Enable.

6. In the Prompt users before sample submission dropdown, select Send all data automatically.

For more information about Intune device profiles, including how to create and configure their settings, see What are Microsoft Intune device profiles?

Use Microsoft Endpoint Manager to turn on cloud protection

1. Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and sign in.

2. Choose Endpoint security > Antivirus.

3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see Configure device restriction settings in Microsoft Intune.

4. Select Properties. Then, next to Configuration settings, choose Edit.

5. Expand Cloud protection, and then in the Cloud-delivered protection level list, select one of the following:

   • High: Applies a strong level of detection.
   • High plus: Uses the High level and applies more protection measures (may affect client performance).
   • Zero tolerance: Blocks all unknown executables.

6. Select Review + save, then choose Save.

For more information about configuring Microsoft Endpoint Configuration Manager, see How to create and deploy antimalware policies: Cloud-protection service.

Use Group Policy to turn on cloud protection

1. On your Group Policy management device, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and select Edit.

2. In the Group Policy Management Editor, go to Computer configuration.

3. Select Administrative templates.

4. Expand the tree to Windows components > Microsoft Defender Antivirus > MAPS

   Note

   MAPS settings are equal to cloud-delivered protection.

5. Double-click Join Microsoft MAPS. Ensure the option is turned on and set to Basic MAPS or Advanced MAPS. Select OK.

   You can choose to send basic or additional information about detected software:

   • Basic MAPS: Basic membership will send basic information to Microsoft about malware and potentially unwanted software that has been detected on your device. Information includes where the software came from (like URLs and partial paths), the actions taken to resolve the threat, and whether the actions were successful.

   • Advanced MAPS: In addition to basic information, advanced membership will send detailed information about malware and potentially unwanted software, including the full path to the software, and detailed information about how the software has affected your device.

6. Double-click Send file samples when further analysis is required. Ensure that the first option is set to Enabled and that the other options are set to either:

   • Send safe samples (1)
   • Send all samples (3)

   Note

   The Send safe samples (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. Setting the option to Always Prompt (0) will lower the protection state of the device. Setting it to Never send (2) means that the Block at First Sight feature of Microsoft Defender for Endpoint won't work.

7. Select OK.

Use PowerShell cmdlets to turn on cloud protection

The following cmdlets can turn on cloud protection:

Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

For more information on how to use PowerShell with Microsoft Defender Antivirus, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Microsoft Defender Antivirus cmdlets. Policy CSP - Defender also has more information specifically on -SubmitSamplesConsent.

Important

You can set -SubmitSamplesConsent to SendSafeSamples (the default, recommended setting), NeverSend, or AlwaysPrompt. The SendSafeSamples setting means that most samples will be sent automatically. Files that are likely to contain personal information will result in a prompt to continue and will require confirmation. The NeverSend and AlwaysPrompt settings lower the protection level of the device. Furthermore, the NeverSend setting means that the Block at First Sight feature of Microsoft Defender for Endpoint won't work.

Use Windows Management Instruction (WMI) to turn on cloud protection

Use the Set method of the MSFT_MpPreference class for the following properties:

MAPSReporting
SubmitSamplesConsent

For more information about allowed parameters, see Windows Defender WMIv2 APIs

Turn on cloud protection on individual clients with the Windows Security app

Note

If the Configure local setting override for reporting Microsoft MAPS Group Policy setting is set to Disabled, then the Cloud-based protection setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.

1. Open the Windows Security app by selecting the shield icon in the task bar, or by searching the start menu for Windows Security.

2. Select the Virus & threat protection tile (or the shield icon on the left menu bar), and then, under Manage settings select Virus & threat protection settings.

   

3. Confirm that Cloud-based Protection and Automatic sample submission are switched to On.

   Note

   If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.

Tip

If you're looking for Antivirus related information for other platforms, see:

• Set preferences for Microsoft Defender for Endpoint on macOS
• Microsoft Defender for Endpoint on Mac
• macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
• Set preferences for Microsoft Defender for Endpoint on Linux
• Microsoft Defender for Endpoint on Linux
• Configure Defender for Endpoint on Android features
• Configure Microsoft Defender for Endpoint on iOS features

See also

• Use Microsoft cloud protection in Microsoft Defender Antivirus

• How to create and deploy antimalware policies: Cloud-protection service

• Use PowerShell cmdlets to manage Microsoft Defender Antivirus