Specify the cloud protection level
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
Platforms
- Windows
Cloud protection works together with Microsoft Defender Antivirus to deliver protection to your endpoints much faster than through traditional security intelligence updates. You can configure your level of cloud protection by using Microsoft Intune (recommended) or Group Policy.
Note
Selecting High, High +, or Zero tolerance could cause some legitimate files to be detected. If that happens, you can unblock the detected file or dispute that detection in the Microsoft 365 Defender portal.
Use Microsoft Intune to specify the level of cloud protection
Go to the Microsoft Intune admin center (https://endpoint.microsoft.com) and sign in.
Choose Endpoint security > Antivirus.
Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see Configure device restriction settings in Microsoft Intune.)
Select Properties. Then, next to Configuration settings, choose Edit.
Expand Cloud protection, and then in the Cloud-delivered protection level list, select one of the following:
- Not configured: Default state.
- High: Applies a strong level of detection.
- High plus: Uses the High level and applies extra protection measures (might affect client performance).
- Zero tolerance: Blocks all unknown executables.
Choose Review + save, and then choose Save.
Use Group Policy to specify the level of cloud protection
On your Group Policy management machine, open the Group Policy Management Console.
Right-click the Group Policy Object you want to configure, and then select Edit.
In the Group Policy Management Editor go to Computer Configuration > Administrative templates.
Expand the tree to Windows Components > Microsoft Defender Antivirus > MpEngine.
Double-click the Select cloud protection level setting and set it to Enabled. Select the level of protection:
- Not configured: Default state.
- Default blocking level provides strong detection without increasing the risk of detecting legitimate files.
- Moderate blocking level provides moderate blocking only for high confidence detections.
- High blocking level applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives).
- High + blocking level applies extra protection measures (might affect client performance and increase your chance of false positives).
- Zero tolerance blocking level blocks all unknown executables.
Select OK.
Deploy your updated Group Policy Object. See Group Policy Management Console.
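After the Intune profile or Group Policy Object has been applied, you can confirm the effective level on an endpoint. The following PowerShell check is an added example, not part of the original article: the function names are hypothetical, and the mapping of the numeric CloudBlockLevel values reported by Get-MpPreference to the level names used above is stated here as an assumption, as is the reading of a MAPSReporting value of 0 as cloud protection being turned off.

```powershell
# Added example: verify the effective cloud protection level on a Windows endpoint.
# Assumption: numeric CloudBlockLevel values map to the level names as listed below.
$LevelNames = @{
    0 = 'Default'
    1 = 'Moderate'
    2 = 'High'
    4 = 'High +'
    6 = 'Zero tolerance'
}

function Get-CloudProtectionState {
    # Read the effective Defender preferences; fail clearly if they are unavailable.
    try {
        $pref = Get-MpPreference -ErrorAction Stop
    } catch {
        throw "Could not read Microsoft Defender Antivirus preferences: $($_.Exception.Message)"
    }
    $raw  = [int]$pref.CloudBlockLevel
    $name = if ($LevelNames.ContainsKey($raw)) { $LevelNames[$raw] } else { "Unknown ($raw)" }
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CloudBlockLevel   = $raw
        LevelName         = $name
        # Assumption: MAPSReporting 0 means cloud protection is disabled.
        CloudProtectionOn = ([int]$pref.MAPSReporting -ne 0)
    }
}

function Test-CloudProtectionLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Default', 'Moderate', 'High', 'High +', 'Zero tolerance')]
        [string]$Expected
    )
    $state = Get-CloudProtectionState
    $ok = $true
    if (-not $state.CloudProtectionOn) {
        Write-Warning "$($state.ComputerName): cloud protection is off, so the configured level is not in effect."
        $ok = $false
    }
    if ($state.LevelName -ne $Expected) {
        Write-Warning "$($state.ComputerName): level is '$($state.LevelName)', expected '$Expected'."
        $ok = $false
    }
    return $ok
}

# Example: check that the policy deployed above resulted in the High level.
Test-CloudProtectionLevel -Expected 'High'
```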
Tip
Are you using Group Policy Objects on premises? See how they translate in the cloud. Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Intune.
Tip
If you're looking for Antivirus related information for other platforms, see:
- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features
See also
Why cloud protection should be enabled for Microsoft Defender Antivirus