Specify the cloud protection level

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender Antivirus

Platforms

• Windows

Cloud protection works together with Microsoft Defender Antivirus to deliver protection to your endpoints much faster than through traditional security intelligence updates. You can configure your level of cloud protection by using Microsoft Intune (recommended) or Group Policy.

Note

Selecting High, High +, or Zero tolerance could cause some legitimate files to be detected. If that happens, you can unblock the detected file or dispute that detection in the Microsoft 365 Defender portal.

Use Microsoft Intune to specify the level of cloud protection

1. Go to the Microsoft Intune admin center (https://endpoint.microsoft.com) and sign in.

2. Choose Endpoint security > Antivirus.

3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see Configure device restriction settings in Microsoft Intune.

4. Select Properties. Then, next to Configuration settings, choose Edit.

5. Expand Cloud protection, and then in the Cloud-delivered protection level list, select one of the following:

   • Not configured: Default state.
   • High: Applies a strong level of detection.
   • High plus: Uses the High level and applies extra protection measures (might affect client performance).
   • Zero tolerance: Blocks all unknown executables.

6. Choose Review + save, and then choose Save.

Tip

Need some help? See the following resources:

• Configure Endpoint Protection
• Add endpoint protection settings in Intune

Use Group Policy to specify the level of cloud protection

1. On your Group Policy management machine, open the Group Policy Management Console.

2. Right-click the Group Policy Object you want to configure, and then select Edit.

3. In the Group Policy Management Editor go to Computer Configuration > Administrative templates.

4. Expand the tree to Windows Components > Microsoft Defender Antivirus > MpEngine.

5. Double-click the Select cloud protection level setting and set it to Enabled. Select the level of protection:

   • Not configured: Default state.
   • Default blocking level provides strong detection without increasing the risk of detecting legitimate files.
   • Moderate blocking level provides moderate only for high confidence detections
   • High blocking level applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives).
   • High + blocking level applies extra protection measures (might affect client performance and increase your chance of false positives).
   • Zero tolerance blocking level blocks all unknown executables.

6. Select OK.

7. Deploy your updated Group Policy Object. See Group Policy Management Console

Tip

Are you using Group Policy Objects on premises? See how they translate in the cloud. Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Intune.

Tip

If you're looking for Antivirus related information for other platforms, see:

• Set preferences for Microsoft Defender for Endpoint on macOS
• Microsoft Defender for Endpoint on Mac
• macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
• Set preferences for Microsoft Defender for Endpoint on Linux
• Microsoft Defender for Endpoint on Linux
• Configure Defender for Endpoint on Android features
• Configure Microsoft Defender for Endpoint on iOS features

See also

Why cloud protection should be enabled for Microsoft Defender Antivirus