This tutorial will show you how to enable or disable automatic sample submission for Microsoft Defender Antivirus in Windows 11.
Microsoft Defender Antivirus is antivirus software included in Windows 11 that can help protect your device from viruses, malware, and other threats.
Cloud-delivered protection and automatic sample submission work together with Microsoft Defender Antivirus to help protect against new and emerging threats.
If a suspicious or malicious file is detected, a sample is sent to the cloud service for analysis while Microsoft Defender Antivirus blocks the file. As soon as a determination is made, which happens quickly, the file is either released or blocked by Microsoft Defender Antivirus.
If Microsoft Defender Antivirus cannot make a clear determination, file metadata is sent to the cloud protection service. Often within milliseconds, the cloud protection service can determine from the metadata whether the file is malicious or not a threat.
After examining the metadata, if Microsoft Defender Antivirus cloud protection cannot reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the configured sample submission setting:
- Send safe samples automatically (default)
  - Safe samples are samples considered to not commonly contain PII data like: .bat, .scr, .dll, .exe.
  - If file is likely to contain PII, the user will get a request to allow file sample submission.
  - This option is the default on Windows, macOS, and Linux.
- Always Prompt
  - If configured, the user will always be prompted for consent before file submission
  - This setting isn't available in macOS cloud protection
- Send all samples automatically
  - If configured, all samples will be sent automatically
  - If you would like sample submission to include macros embedded in Word docs, you must choose "Send all samples automatically"
  - This setting isn't available on macOS cloud protection
- Do not send
  - Prevents "block at first sight" based on file sample analysis
  - "Do not send" is the equivalent to the "Disabled" setting in macOS policy
  - Metadata is sent for detections even when sample submission is disabled
You must be signed in as an administrator to turn on/off or enable/disable automatic sample submission for Microsoft Defender Antivirus.
- Option One: Turn On or Off Automatic Sample Submission for Microsoft Defender Antivirus in Windows Security
- Option Two: Turn On or Off Automatic Sample Submission for Microsoft Defender Antivirus using Command
- Option Three: Enable or Disable Automatic Sample Submission for Microsoft Defender Antivirus in Local Group Policy Editor
- Option Four: Enable or Disable Automatic Sample Submission for Microsoft Defender Antivirus using REG file
Option One: Turn On or Off Automatic Sample Submission for Microsoft Defender Antivirus in Windows Security
1 Open Windows Security.
2 Click/tap on Virus & threat protection.
3 Click/tap on the Manage settings link under Virus & threat protection settings.
4 Turn On (default) or Off Automatic sample submission for what you want.
5 If prompted by UAC, click/tap on Yes to approve.
6 You can now close Windows Security if you like.
Option Two: Turn On or Off Automatic Sample Submission for Microsoft Defender Antivirus using Command
Set-MpPreference (Defender)
1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.
2 Copy and paste the command below you want to use into Windows Terminal (Admin), and press Enter.
(Always prompt)
PowerShell Set-MpPreference -SubmitSamplesConsent AlwaysPrompt
(Send safe samples automatically - default)
PowerShell Set-MpPreference -SubmitSamplesConsent SendSafeSamples
(Never send)
PowerShell Set-MpPreference -SubmitSamplesConsent NeverSend
(Send all samples automatically)
PowerShell Set-MpPreference -SubmitSamplesConsent SendAllSamples
3 You can now close Windows Terminal (Admin) if you like.
Option Three: Enable or Disable Automatic Sample Submission for Microsoft Defender Antivirus in Local Group Policy Editor
The Local Group Policy Editor is only available in the Windows 11 Pro, Enterprise, and Education editions.
All editions can use Option Four for the same policy.
1 Open the Local Group Policy Editor (gpedit.msc).
2 Navigate to the policy location below in the left pane of the Local Group Policy Editor.
3 In the right pane of MAPS in the Local Group Policy Editor, double click/tap on the Send file samples when further analysis is required policy to edit it.
4 Do step 5 (enable - Always prompt), step 6 (enable - Send safe samples automatically), step 7 (enable - Send all samples automatically), step 8 (disable - Never send), or step 9 (default) below for what you would like to do.
For steps 5 through 8: This will disable and prevent using Option One and Option Two.
For step 9 (default): This is the default setting to allow using Option One and Option Two.
10 You can now close the Local Group Policy Editor if you like.
Option Four: Enable or Disable Automatic Sample Submission for Microsoft Defender Antivirus using REG file
1 Do step 2 (enable - Always prompt), step 3 (enable - Send safe samples automatically), step 4 (enable - Send all samples automatically), step 5 (disable - Never send), or step 6 (default) below for what you would like to do.
2 Enable - Always prompt
This will disable and prevent using Option One and Option Two.
(Contents of REG file for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SubmitSamplesConsent"=dword:00000000
3 Enable - Send safe samples automatically
This will disable and prevent using Option One and Option Two.
(Contents of REG file for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SubmitSamplesConsent"=dword:00000001
4 Enable - Send all samples automatically
This will disable and prevent using Option One and Option Two.
(Contents of REG file for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SubmitSamplesConsent"=dword:00000003
5 Disable - Never send
This will disable and prevent using Option One and Option Two.
(Contents of REG file for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SubmitSamplesConsent"=dword:00000002
6 Default
This is the default setting to allow using Option One and Option Two.
(Contents of REG file for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SubmitSamplesConsent"=-
7 Save the .reg file to your desktop.
8 Double click/tap on the downloaded .reg file to merge it.
9 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
10 You can now delete the downloaded .reg file if you like.
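To confirm which setting is in force after using any of the options above, the following PowerShell check (an added example, not part of the original tutorial) reads the policy value from the Spynet key shown in the REG files and the value reported by Get-MpPreference, then shows whether a policy is locking out Option One and Option Two. The function names ConvertTo-ConsentName and Get-SampleSubmissionState are hypothetical, and the script assumes the Defender PowerShell cmdlets are available.

```powershell
# Added example (not from the original tutorial): show the sample submission
# setting and whether a policy value is overriding the local preference.
# Numeric values follow the REG files and Set-MpPreference names on this page.
$ConsentNames = @{ 0 = 'AlwaysPrompt'; 1 = 'SendSafeSamples'; 2 = 'NeverSend'; 3 = 'SendAllSamples' }

# Hypothetical helper: turn a raw value into a readable name.
function ConvertTo-ConsentName([object]$Value) {
    if ($null -eq $Value) { return 'Not configured' }
    $n = [int]$Value
    if ($ConsentNames.ContainsKey($n)) { return $ConsentNames[$n] }
    return "Unknown ($n)"
}

# Hypothetical helper: collect the policy value and the value Defender reports.
function Get-SampleSubmissionState {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'

    # Policy value written by Option Three or Option Four; absent when not configured.
    $policy = $null
    $item = Get-ItemProperty -Path $policyKey -Name SubmitSamplesConsent -ErrorAction SilentlyContinue
    if ($null -ne $item) { $policy = $item.SubmitSamplesConsent }

    # Value reported by Microsoft Defender Antivirus itself.
    $reported = (Get-MpPreference).SubmitSamplesConsent

    [pscustomobject]@{
        PolicyValue    = ConvertTo-ConsentName $policy
        ReportedValue  = ConvertTo-ConsentName $reported
        LockedByPolicy = ($null -ne $policy)
        # "Never send" stops sample-based block at first sight; metadata is still sent.
        SamplesBlocked = ([int]$reported -eq 2)
    }
}

Get-SampleSubmissionState | Format-List
```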
That's it,
Shawn Brink