In conjunction with Windows Defender Security Center, the blocking level of Windows Defender Antivirus has been elevated to enhance protection against threats.
Note: The steps below to configure Windows Defender in Windows 10, 8 to enhance defense capabilities activate the cloud protection level of Windows Defender Antivirus. This feature is only available on Windows 10 version 1703 (and higher versions) and is managed through various interfaces, including Group Policy, Registry Editor, System Center Configuration Manager, or Microsoft Intune.
The main benefit of activating the cloud protection level is to detect and block new malware, even without signatures.
A fundamental difference from Microsoft Advanced Protection Service, the previous version of the cloud protection service available for Windows 10 version 1607 and Windows 8.1, is that you can configure the cloud block waiting time, and this feature is also supported on the first version (in 1607 but not on Windows 8.1).
Configuring Windows Defender to Enhance Defense Capabilities
Using Group Policy to Enable Cloud Protection Level for Windows Defender
If you are using the Pro or Enterprise edition of Windows 10 (Creators Update or later), follow the steps below to activate the protection feature:
Step 1: Type gpedit.msc into the Search box on the Start Menu and press Enter to open the Local Group Policy Editor window.
Step 2: In the Local Group Policy Editor window, navigate to the following path in the left pane:
Computer Configuration => Administrative Templates => Windows Components => Windows Defender Antivirus => MAPS
Step 3: Locate and double-click on Join Microsoft MAPS.
Step 4: Set the value from Not Configured to Enabled.
Step 5: Within the Join Microsoft MAPS section, opt for Advanced MAPS.
Basic membership is no longer available as an option, as Microsoft does not support this choice on Windows 10. Choosing basic membership will automatically enroll you in Advanced membership as a substitute.
Basic membership will transmit basic information to Microsoft regarding detected software, including software location, actions applied by you or automatically applied, and the success of those actions.
Advanced membership, in addition to basic information, will convey further details to Microsoft about malware, spyware, and unwanted software, encompassing software location, file names, operational methods of the software, and its impact on your computer.
Note that both will send data to Microsoft.
The MAPS directory includes 3 additional policies you may want to configure:
- Configure the 'Block at First Sight' feature: You can enable or disable the Block at First Sight policy. If you activate this policy, real-time checks are performed with Microsoft Active Protection Service before content is allowed to run or be accessed on the device.
- Configure local setting override for reporting to Microsoft: Allows users to configure local overrides. If you enable this policy, local preference settings take precedence over Group Policy.
Step 1: Open the Local Group Policy Editor window, navigate to the following key:
Computer Configuration => Administrative Templates => Windows Components => Windows Defender Antivirus => MpEngine
Step 2: Find and double-click on Select cloud protection level.
Step 3: Set the value to Enabled and under Select cloud blocking level, choose the High blocking level option.
Microsoft discusses the differences between 2 blocking levels:
- Setting the Default Windows Defender Antivirus blocking level provides robust detections without increasing the risk of detecting legitimate files.
- Setting the High blocking level applies strong detection. Although not guaranteed, some legitimate files may be detected (though you'll have the option to unblock or dispute those detections).
Use Registry Editor to activate cloud protection level for Windows Defender
Windows 10 Home devices do not support Group Policy Editor. However, users can utilize Windows Registry Editor to make necessary changes.
Step 1: In the Start Menu Search box, type regedit.exe and press Enter.
Step 2: If a UAC window appears, click Yes to open the Windows Registry Editor window.
Step 3: In the Windows Registry Editor window, navigate to the following key in the left pane:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender
Step 4: Find and right-click on Windows Defender, choose New => Key.
Step 5: Name this new key Spynet.
Step 6: Right-click on Spynet, select New => DWORD (32-bit) Value.
Step 7: Name this value SpynetReporting.
Step 8: Double-click on SpynetReporting, and set the value in the Value Data box to 2.
Step 9: Return to the path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender.
Step 10: Right-click on Windows Defender, choose New => Key.
Step 11: Name this key MpEngine.
Step 12: Right-click on the newly created MpEngine key, select New => DWORD (32-bit) Value.
Step 13: Name this value MpCloudBlockLevel.
Step 14: Double-click on MpCloudBlockLevel and set the value in the Value data box to 2.
Step 13: Name this value MpCloudBlockLevel.
Step 14: Double-click on MpCloudBlockLevel and set the value in the Value data box to 2.
These settings configure Windows Defender to enhance your computer's security by sending detailed reports and applying a higher blocking level.
Opting out of MAPS
You can opt out of MAPS by deleting registry keys or setting policies in Group Policy Editor to Disabled or Not configured.
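The registry steps and the opt-out above can be checked and applied from PowerShell. The following is an added example, not part of the original article: it reports the two policy values by default, and writes or removes them with -Mode Apply or -Mode OptOut. The -Mode parameter and the choice to remove only the two values (rather than the whole Spynet and MpEngine keys) are assumptions of this example; Apply and OptOut need an elevated session.

```powershell
# Added example: audit, apply or remove the two policy values from the registry steps.
# Save as a .ps1 file; run Apply/OptOut from an elevated PowerShell session.
param(
    [ValidateSet('Audit', 'Apply', 'OptOut')]
    [string]$Mode = 'Audit'
)

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Key, value name and data exactly as given in the registry steps.
$settings = @(
    @{ Key = 'Spynet';   Name = 'SpynetReporting';   Want = 2 },  # Advanced MAPS
    @{ Key = 'MpEngine'; Name = 'MpCloudBlockLevel'; Want = 2 }   # High blocking level
)

foreach ($s in $settings) {
    $path = Join-Path $base $s.Key
    # Returns $null when the key or the value does not exist.
    $current = (Get-ItemProperty -Path $path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)

    switch ($Mode) {
        'Apply' {
            # Create the subkey if missing, then write the DWORD (idempotent).
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name $s.Name -PropertyType DWord -Value $s.Want -Force | Out-Null
            $current = (Get-ItemProperty -Path $path -Name $s.Name).($s.Name)
        }
        'OptOut' {
            # Remove only this value so other policies under the key are untouched.
            if ($null -ne $current) {
                Remove-ItemProperty -Path $path -Name $s.Name
                $current = $null
            }
        }
    }

    # One row per setting: what is on disk now versus what the steps set.
    [pscustomobject]@{
        Value    = "$($s.Key)\$($s.Name)"
        Current  = if ($null -eq $current) { '(not set)' } else { $current }
        Expected = $s.Want
        Matches  = ($current -eq $s.Want)
    }
}
```

Running it with no arguments changes nothing and shows whether each value is present and equal to 2, which is a quick check after a manual edit in Registry Editor.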
Conclusion
Configuring Windows Defender to enhance defense capabilities is a good idea. However, some users may opt not to use this option, possibly because: firstly, it allows sending more data to Microsoft (including sample files if configured this way), and secondly, because it may increase the number of false positives.
