Key Points
- Cloud-delivered protection improves threat detection but requires privacy-aligned configuration.
- Defender settings can be enabled or disabled using Windows Security, PowerShell, Group Policy, or Intune.
- PowerShell verification ensures cloud protection, signatures, and connectivity are functioning correctly.
- Privacy controls, tamper protection, and sample submission settings must be managed for compliance.
- Baseline management, rollback planning, and RMM tools like NinjaOne simplify large-scale Defender configuration.
Microsoft Defender Antivirus offers cloud-delivered protection, which uses Microsoft’s cloud intelligence to rapidly mitigate emerging cyber threats. While this can improve your security posture, it also requires organizations to send metadata, which can clash with policies and violate service agreements.
Tailor cloud-based services to your client’s expectations. This guide explains how to enable or disable cloud-delivered protection in Windows 11 and how remote monitoring tools streamline the process.
Manage cloud-delivered protection for optimized security
Before configuring cloud-delivered protection (AKA Microsoft Active Protection Service or MAPS) in Windows 11, consider your technical constraints and assess your fleet’s health with centralized monitoring tools.
📌 Prerequisites:
- Local administrator privileges on test devices
- Internet egress to Microsoft security endpoints, either directly or through an allowed proxy
- Awareness of organizational privacy and sample submission policies
- Confirmation of whether Defender settings are managed through Intune or GPO
📌 Recommended deployment strategies:
| Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
| Method 1: Enable or disable via Windows Security | ✓ | |
| Method 2: Configure with PowerShell | ✓ | |
| Method 3: Group Policy for domain-joined devices | ✓ | ✓ |
| Method 4: Use Intune for fleets | ✓ | |
| Method 5: Verify functionality and connectivity | ✓ | ✓ |
| Method 6: Privacy, tamper protection, and exceptions | ✓ | |
| Method 7: Rollback and standard defaults | ✓ | ✓ |
Method 1: Enable or disable via Windows Security (single device)
IT admins and end-users may easily turn cloud-delivered protection on or off via Windows Security’s GUI. Here’s how:
📌 Use Cases: Support-assisted configurations on a single machine.
📌 Prerequisites: Administrative privileges.
- Press Win + S, type Windows Security, and press Enter.
- Navigate to Virus & threat protection > Virus & threat protection settings > Manage settings.
- Toggle Cloud-delivered protection On or Off.
- Toggle Automatic sample submission On or Off.
- Consult your company policy to verify whether sending metadata to external companies is allowed.
- Optionally, run a Quick scan to confirm Defender is functioning normally.
Method 2: Configure with PowerShell (precise and scriptable)
PowerShell’s command-line features give sysadmins granular control over Defender’s cloud features and sample submission, making scripting ideal for enterprise-wide control.
📌 Use Cases: Automating cloud-delivered protection changes on one or multiple workstations.
📌 Prerequisites: Administrative privileges, Tamper Protection disabled.
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- Run the following to check Defender status and the current cloud protection settings:
Get-MpComputerStatus | Select AMServiceEnabled, AntispywareEnabled, RealTimeProtectionEnabled, IsTamperProtected
Get-MpPreference | Select MAPSReporting, SubmitSamplesConsent
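- Enable or disable cloud-delivered protection. MAPSReporting takes 0 (disabled), 1 (basic), or 2 (advanced); SubmitSamplesConsent takes 0 (always prompt), 1 (send safe samples automatically), 2 (never send), or 3 (send all samples automatically).
  - To turn on cloud protection and sample submission:
Set-MpPreference -MAPSReporting 2 -SubmitSamplesConsent 1
  - To turn off cloud protection and sample submission:
Set-MpPreference -MAPSReporting 0 -SubmitSamplesConsent 2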
Method 3: Group Policy for domain-joined devices
Group Policy allows you to configure cloud-delivered protection for devices enrolled in a domain. This ensures consistency and participation across your fleet.
📌 Use Cases: Enforcing or removing cloud-delivered protection within one or multiple domains.
📌 Prerequisites: Administrative privileges, Windows 11 Pro or Enterprise.
- Press Win + R, type gpmc.msc, and press Ctrl + Shift + Enter.
- Create or edit a Group Policy Object (GPO) linked to your target Organizational Unit (OU).
- Navigate to:
Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS.
- Enable Join Microsoft MAPS and select the participation level.
- Configure Send file samples.
- Click Apply, then OK.
- Run gpupdate /force on endpoints to refresh your policies.
- Verify changes with PowerShell (Get-MpPreference and Get-MpComputerStatus).
Method 4: Use Intune for fleets under cloud-delivered protection
Intune’s cloud-based management platform also provides controls for Defender’s security features, including cloud protection and metadata submissions.
📌 Use Cases: Deploying Defender cloud protection changes via Intune.
📌 Prerequisites: Administrative privileges.
- Sign in to Microsoft Intune admin center.
- Go to Endpoint security > Antivirus > Create policy.
- Under Platform, select Windows 10 and later.
- Under Profile, select Microsoft Defender Antivirus.
- Enable or disable Cloud-delivered protection, configure Sample submission, and set Cloud block level.
- Assign policy to pilot groups to check effectiveness and stability.
- Expand changes to production environments.
Method 5: Verify functionality and connectivity
Whether you’re adding or removing cloud-delivered protection, verifying functionality helps prove your intended changes are implemented.
To check, you’ll need to open PowerShell with administrative privileges. Afterwards, run commands that pull the necessary data, such as the cloud protection setting, the age of the antispyware definitions, and the Network Inspection System (NIS) signature version. The MAPS level and sample submission setting come from Get-MpPreference; signature data comes from Get-MpComputerStatus:
Get-MpPreference | Select MAPSReporting, SubmitSamplesConsent
Get-MpComputerStatus | Select AntispywareSignatureAge, NISSignatureVersion
Example output:
- MAPSReporting : 2
- SubmitSamplesConsent : 1
- AntispywareSignatureAge : 0
- NISSignatureVersion : 1.381.1234.0
These values confirm whether cloud protection is enabled (a MAPSReporting value other than 0), how old Defender’s antispyware definitions are, and which NIS signature version is loaded for network exploit detection, all of which can be tracked and logged with native tools or integrated managers that centralize reporting.
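The check above can be turned into a repeatable audit record. The following is an added example, not part of the original guide: the baseline values and the function name Test-DefenderCloudBaseline are assumptions, the registry key is where the Group Policy MAPS settings are stored, and MpCmdRun.exe is assumed to be in its default location. Run it from an elevated PowerShell session.

```powershell
# Added example: audit Defender cloud-protection settings against an assumed baseline.
# The baseline values are illustrative; replace them with your documented policy.
$Baseline = @{
    MAPSReporting        = 2   # 0 = disabled, 1 = basic, 2 = advanced
    SubmitSamplesConsent = 1   # 0 = always prompt, 1 = safe samples, 2 = never, 3 = all samples
}

function Test-DefenderCloudBaseline {
    param([hashtable]$Expected = $Baseline)

    $pref   = Get-MpPreference        # effective MAPS and sample-submission settings
    $status = Get-MpComputerStatus    # signature age and Tamper Protection state
    # Group Policy writes its MAPS values under this key; no key means no GPO setting.
    $gpo = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' -ErrorAction SilentlyContinue

    # Ask Defender itself to test the connection to the cloud service (needs elevation).
    $mpCmdRun  = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $mapsCheck = (& $mpCmdRun -ValidateMapsConnection 2>&1 | Out-String).Trim()
    $mapsExit  = $LASTEXITCODE

    # Collect every setting whose effective value differs from the baseline.
    $drift = foreach ($name in $Expected.Keys) {
        if ([int]$pref.$name -ne $Expected[$name]) {
            '{0}: expected {1}, found {2}' -f $name, $Expected[$name], [int]$pref.$name
        }
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        CheckedUtc           = (Get-Date).ToUniversalTime().ToString('o')
        MAPSReporting        = [int]$pref.MAPSReporting
        SubmitSamplesConsent = [int]$pref.SubmitSamplesConsent
        CloudBlockLevel      = [int]$pref.CloudBlockLevel
        SetByGroupPolicy     = ($null -ne $gpo.SpynetReporting)
        IsTamperProtected    = $status.IsTamperProtected
        SignatureAgeDays     = $status.AntispywareSignatureAge
        MapsConnectionCheck  = $mapsCheck   # raw tool output, recorded as-is
        MapsCheckExitCode    = $mapsExit
        Drift                = @($drift)
        Compliant            = (@($drift).Count -eq 0)
    }
}

Test-DefenderCloudBaseline | Format-List
```

Piping the result to ConvertTo-Json instead of Format-List gives a record that can be stored with your audit evidence.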
Method 6: Privacy, tamper protection, and exceptions
Malware usually tries to lower protection levels before attacks are launched. Tamper Protection safeguards your configurations even during a breach. It also prevents unauthorized personnel from modifying MAPS.
After applying your decisions on cloud-delivered protection, check Tamper Protection’s status in Windows Security or Intune to ensure your changes are safe. If your own changes are blocked, try managing the settings from the Windows Defender portal.
Method 7: Rollback and standard defaults
Preparing rollback strategies and configuration baselines ensures controlled, reversible changes, especially when you manage a large number of endpoints. Here’s how:
- Maintain your pilot testing stage after global deployment: Prepare for new threats and/or comply with new testing standards without starting over.
- Document your baseline: This ensures that your security posture can be updated for audits.
- Monitor security metrics: Check how enabling/disabling cloud protection impacted your security posture.
- Automate rollback: Use scripts or an automation engine for quick reversions if needed.
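One way to script the baseline and rollback steps above, as an added example that is not part of the original guide. The snapshot path and the function names Export-DefenderCloudSettings and Restore-DefenderCloudSettings are assumptions; the tracked settings are Get-MpPreference properties that Set-MpPreference accepts as parameters.

```powershell
# Added example: snapshot Defender cloud settings before a change and restore them later.
# The snapshot path is an assumed location; choose one your rollback process controls.
$SnapshotPath = 'C:\ProgramData\DefenderBaseline\cloud-settings.json'
$Tracked = 'MAPSReporting', 'SubmitSamplesConsent', 'CloudBlockLevel', 'CloudExtendedTimeout'

function Export-DefenderCloudSettings {
    param([string]$Path = $SnapshotPath)
    $pref = Get-MpPreference
    $snapshot = [ordered]@{
        Computer = $env:COMPUTERNAME
        TakenUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
    foreach ($name in $Tracked) { $snapshot[$name] = [int]$pref.$name }
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $snapshot | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    return $snapshot
}

function Restore-DefenderCloudSettings {
    param([string]$Path = $SnapshotPath)
    if ((Get-MpComputerStatus).IsTamperProtected) {
        Write-Warning 'Tamper Protection is on; local Set-MpPreference changes may be ignored.'
    }
    $snapshot = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $params = @{}
    foreach ($name in $Tracked) { $params[$name] = [int]$snapshot.$name }
    Set-MpPreference @params

    # Read the settings back and report any that did not take the snapshot value.
    $after = Get-MpPreference
    foreach ($name in $Tracked) {
        [pscustomobject]@{
            Setting  = $name
            Wanted   = $params[$name]
            Actual   = [int]$after.$name
            Restored = ([int]$after.$name -eq $params[$name])
        }
    }
}
```

Call Export-DefenderCloudSettings before a change and Restore-DefenderCloudSettings to revert it; a row with Restored set to False means the setting is being enforced elsewhere, for example by Group Policy, Intune, or Tamper Protection.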
Best practices for handling cloud-delivered protection
| Practice | Purpose | Value delivered |
| Pilot, then scale | Catches defects early | Minimized disruptions to production environments |
| Manage by policy | Speeds up deployments | Consistent configurations across your fleet |
| Enable sample submission | Promotes a healthier ecosystem | More responsive cloud-based protection |
| Verify with PowerShell | Proves configurations | Compliance and auditability |
| Streamline Defender security connectivity | Accurate security data | Compliance clarity |
How NinjaOne simplifies anti-malware management
NinjaOne’s dashboard gives you a centralized platform for managing PowerShell deployments, task schedules, policies, reporting, and more. Here’s how combining Windows Defender with RMM visibility helps:
| Method | With NinjaOne |
| Enable or disable via Windows Security | Scripts and Remote Access toggle Defender settings without manual work. |
| Configure with PowerShell | The script automation feature deploys PowerShell commands that configure cloud protection services. |
| Group Policy for domain-joined devices | NinjaOne dashboards report policy status, fleet health, and GPO compliance. |
| Use Intune for fleets | Integration adds visibility and real-time alerts on Defender policy enforcement. |
| Verify functionality and connectivity | Automated task scheduler lets IT leaders log results for convenient reporting. |
| Privacy, tamper protection, and exceptions | NinjaOne’s policy view helps track Tamper Protection and manage exceptions. |
| Rollback and standard defaults | Customizable templates and hands-free features help revert Defender settings quickly. |
Configure cloud-delivered protection to fit your security posture
Tailoring cloud-delivered protection for your fleet enables you to choose between Microsoft-powered safety and compliance with data privacy policies. To opt in or out of cloud security features, use native tools like Defender’s GUI, PowerShell, and Group Policy, or integrate lightweight endpoint managers for easier control.