Privacy and Security Enable or Disable Automatic Sample Submission for Microsoft Defender Antivirus in Windows 11


  • Staff
Windows_Security_banner.png

This tutorial will show you how to enable or disable automatic sample submission for Microsoft Defender Antivirus in Windows 11.

Microsoft Defender Antivirus is an antivirus software that is included in Windows 11 and can help protect your device from viruses, malware, and other threats.

Cloud-delivered protection and automatic sample submission work together with Microsoft Defender Antivirus to help protect against new and emerging threats.

If a suspicious or malicious file is detected, a sample is sent to the cloud service for analysis while Microsoft Defender Antivirus blocks the file. As soon as a determination is made, which happens quickly, the file is either released or blocked by Microsoft Defender Antivirus.

In the event Microsoft Defender Antivirus cannot make a clear determination, file metadata is sent to the cloud protection service. Often within milliseconds, the cloud protection service can determine based on the metadata as to whether the file is malicious or not a threat.

After examining the metadata, if Microsoft Defender Antivirus cloud protection cannot reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the settings configuration for sample submission:
  • Send safe samples automatically (default)
    • Safe samples are samples considered to not commonly contain PII data like: .bat, .scr, .dll, .exe.
    • If file is likely to contain PII, the user will get a request to allow file sample submission.
    • This option is the default on Windows, macOS, and Linux.
  • Always Prompt
    • If configured, the user will always be prompted for consent before file submission
    • This setting isn't available in macOS cloud protection
  • Send all samples automatically
    • If configured, all samples will be sent automatically
    • If you would like sample submission to include macros embedded in Word docs, you must choose "Send all samples automatically"
    • This setting isn't available on macOS cloud protection
  • Do not send
    • Prevents "block at first sight" based on file sample analysis
    • "Do not send" is the equivalent to the "Disabled" setting in macOS policy
    • Metadata is sent for detections even when sample submission is disabled

You must be signed in as an administrator to turn on/off or enable/disable automatic sample submission for Microsoft Defender Antivirus.



Contents

  • Option One: Turn On or Off Automatic Sample Submission for Microsoft Defender Antivirus in Windows Security
  • Option Two: Turn On or Off Automatic Sample Submission for Microsoft Defender Antivirus using Command
  • Option Three: Enable or Disable Automatic Sample Submission for Microsoft Defender Antivirus in Local Group Policy Editor
  • Option Four: Enable or Disable Automatic Sample Submission for Microsoft Defender Antivirus using REG file





OPTION ONE

Turn On or Off Automatic Sample Submission for Microsoft Defender Antivirus in Windows Security


1 Open Windows Security.

2 Click/tap on Virus & threat protection. (see screenshot below)

Microsoft_Defender_automatic_sample_submission-1.png

3 Click/tap on the Manage settings link under Virus & threat protection settings. (see screenshot below)

Microsoft_Defender_automatic_sample_submission-2.png

4 Turn On (default) or Off Automatic sample submission for what you want. (see screenshots below)

Microsoft_Defender_automatic_sample_submission-3.png
Microsoft_Defender_automatic_sample_submission-4.png

5 If prompted by UAC, click/tap on Yes to approve.

6 You can now close Windows Security if you like.





OPTION TWO

Turn On or Off Automatic Sample Submission for Microsoft Defender Antivirus using Command



1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

2 Copy and paste the command below you want to use into Windows Terminal (Admin), and press Enter.

(Always prompt - Automatic sample submission - ON)
PowerShell Set-MpPreference -SubmitSamplesConsent AlwaysPrompt

OR​

(Default - Send safe samples automatically - Automatic sample submission - ON)
PowerShell Set-MpPreference -SubmitSamplesConsent SendSafeSamples

OR​

(Never send - Automatic sample submission - OFF)
PowerShell Set-MpPreference -SubmitSamplesConsent NeverSend

OR​

(Send all samples automatically - Automatic sample submission - ON)
PowerShell Set-MpPreference -SubmitSamplesConsent SendAllSamples

3 You can now close Windows Terminal (Admin) if you like.





OPTION THREE

Enable or Disable Automatic Sample Submission for Microsoft Defender Antivirus in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 11 Pro, Enterprise, and Education editions.

All editions can use Option Four for the same policy.


1 Open the Local Group Policy Editor (gpedit.msc).

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)

Computer Configuration>Administrative Templates>Windows Components>Microsoft Defender Antivirus>MAPS

Microsoft_Defender_automatic_sample_submission_gpedit-1.png

3 In the right pane of MAPS in the Local Group Policy Editor, double click/tap on the Send file samples when further analysis is required policy to edit it. (see screenshot above)

4 Do step 5 (enable - Always prompt), step 6 (enable - Send safe samples automatically), step 7 (enable - Send all samples automatically), step 8 (disable - Never send), or step 9 (default) below for what you would like to do.

5 Force Automatic sample submission to "Always prompt"

This will disable and prevent using Option One and Option Two.


A) Select (dot) Enabled. (see screenshot below step 8)​

B) Select Always prompt in the Send file samples when further analysis is required drop menu under Options.​

C) Click/tap on OK, and go to step 10 below.​

6 Force Automatic sample submission to "Send safe samples automatically"

This will disable and prevent using Option One and Option Two.


A) Select (dot) Enabled. (see screenshot below step 8)​

B) Select Send safe samples automatically in the Send file samples when further analysis is required drop menu under Options.​

C) Click/tap on OK, and go to step 10 below.​

7 Force Automatic sample submission to "Send all samples automatically"

This will disable and prevent using Option One and Option Two.


A) Select (dot) Enabled. (see screenshot below step 8)​

B) Select Send all samples automatically in the Send file samples when further analysis is required drop menu under Options.​

C) Click/tap on OK, and go to step 10 below.​

8 Disable and Force Automatic sample submission to "Never send"

This will disable and prevent using Option One and Option Two.


A) Select (dot) Enabled. (see screenshot below step 8)​

B) Select Never send in the Send file samples when further analysis is required drop menu under Options.​

C) Click/tap on OK, and go to step 10 below.​

Microsoft_Defender_automatic_sample_submission_gpedit-3.png

9 Default - Automatic sample submission

This is the default setting to allow using Option One and Option Two.


A) Select (dot) Not Configured. (see screenshot below)​

B) Click/tap on OK, and go to step 10 below.​

Microsoft_Defender_automatic_sample_submission_gpedit-2.png

10 You can now close the Local Group Policy Editor if you like.





OPTION FOUR

Enable or Disable Automatic Sample Submission for Microsoft Defender Antivirus using REG file


1 Do step 2 (enable - Always prompt), step 3 (enable - Send safe samples automatically), step 4 (enable - Send all samples automatically), step 5 (disable - Never send), or step 6 (default) below for what you would like to do.


 2. Force Automatic sample submission to "Always prompt"

This will disable and prevent using Option One and Option Two.


A) Click/tap on the Download button below to download the file below, and go to step 7 below.​

Always_prompt_automatic_sample_submission.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SubmitSamplesConsent"=dword:00000000


 3. Force Automatic sample submission to "Send safe samples automatically"

This will disable and prevent using Option One and Option Two.


A) Click/tap on the Download button below to download the file below, and go to step 7 below.​

Send_safe_samples_automatic_sample_submission.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SubmitSamplesConsent"=dword:00000001


 4. Force Automatic sample submission to "Send all samples automatically"

This will disable and prevent using Option One and Option Two.


A) Click/tap on the Download button below to download the file below, and go to step 7 below.​

Send_all_samples_automatic_sample_submission.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SubmitSamplesConsent"=dword:00000003


 5. Disable and Force Automatic sample submission to "Never send"

This will disable and prevent using Option One and Option Two.


A) Click/tap on the Download button below to download the file below, and go to step 7 below.​

Never_send_(disable)_automatic_sample_submission.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SubmitSamplesConsent"=dword:00000002


 6. Default - Automatic sample submission

This is the default setting to allow using Option One and Option Two.


A) Click/tap on the Download button below to download the file below, and go to step 7 below.​

Default_enable_automatic_sample_submission.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SubmitSamplesConsent"=-

7 Save the .reg file to your desktop.

8 Double click/tap on the downloaded .reg file to merge it.

9 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

10 You can now delete the downloaded .reg file if you like.


That's it,
Shawn Brink


 

Attachments

  • Always_prompt_automatic_sample_submission.reg
    722 bytes · Views: 352
  • Default_enable_automatic_sample_submission.reg
    696 bytes · Views: 253
  • Never_send_(disable)_automatic_sample_submission.reg
    722 bytes · Views: 317
  • Send_all_samples_automatic_sample_submission.reg
    722 bytes · Views: 197
  • Send_safe_samples_automatic_sample_submission.reg
    722 bytes · Views: 214
Last edited:
Hi @Brink. Much appreciated!

Historically I've always turned Automatic Sample Submission (ASS) off based upon privacy concerns, but Windows, for better or worse, then also automatically disables Smart App Control, and there's no turning back without a Reset. (Based on my activity, Windows eventually gets around to turning this off after evaluation anyway.)

I just did a Reset, and this time, have kept ASS on, but set Group Policy to always prompt.

A:
If a suspicious or malicious file is detected, a sample is sent to the cloud service for analysis while Microsoft Defender Antivirus blocks the file. As soon as a determination is made, which happens quickly, the file is either released or blocked by Microsoft Defender Antivirus.
This implies that Microsoft will send samples for analysis whenever a "suspicious or malicious" file is detected, but without prompting and regardless of the Group Policy Setting. True?

B:
After examining the metadata, if Microsoft Defender Antivirus cloud protection cannot reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the settings configuration for sample submission:
If I'm understanding correctly, this only takes affect for the incremental cases when Microsoft Defender Antivirus cloud protection cannot reach a "conclusive verdict". True?

So if (?) Defender is automatically sending samples to Microsoft without prompting, is it possible to see what's been sent / when (i.e., an audit trail)? I'd like to monitor this to better assess whether leaving ASS on presents a privacy issue.

Thanks for your input.
 

My Computers

System One System Two

  • OS
    Windows 11 22H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell XPS8950
    CPU
    i7-12700K
    Motherboard
    Z690 : 9D2HH Foxconn, R6PCT Foxconn 2nd
    Memory
    16GB (2 x 8)
    Graphics Card(s)
    Intel(R) UHD Graphics 770 with shared graphics memory
    Sound Card
    Integrated
    Monitor(s) Displays
    Acer CBL282K Smiiprx
    Screen Resolution
    4K UHD (3840 x 2160) @ 60 Hz
    Hard Drives
    Western Digital PC SN810 512 GB M.2 NVMe SSD, PCIe
    PSU
    750W
    Cooling
    2G44F Asetek 125W CPU liquid cooler
    Keyboard
    Arteck Wireless
    Mouse
    Victsing-mm057 wireless
    Internet Speed
    Wi-Fi 6
    Browser
    Vivaldi
    Antivirus
    Windows Defender (native)
  • Operating System
    Win 22H2
    Computer type
    Laptop
    Manufacturer/Model
    Dell Vostro 5620
    CPU
    12th Gen Intel Core i7-1260P
    Memory
    2 x 8 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Screen Resolution
    1920 x 1200 @ 60 Hz
    Hard Drives
    NVMe 512 GB
    Case
    Aluminum
    Mouse
    Touchpad
    Browser
    Vivaldi
    Antivirus
    Windows Defender (native)
Hello @safron, :alien:

A) I believe that is the default.

B) I'm not sure other than looking at the protection history.

 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Surface Laptop 7 Copilot+ PC
    CPU
    Snapdragon X Elite (12 core) 3.42 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Monitor(s) Displays
    15" HDR
    Screen Resolution
    2496 x 1664
    Hard Drives
    1 TB SSD
    Internet Speed
    Wi-Fi 7 and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender
Thank you Brink! I'll check out Protection History over time, and make a judgment call before going Scorched-Earth on Defender.
 

My Computers

System One System Two

  • OS
    Windows 11 22H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell XPS8950
    CPU
    i7-12700K
    Motherboard
    Z690 : 9D2HH Foxconn, R6PCT Foxconn 2nd
    Memory
    16GB (2 x 8)
    Graphics Card(s)
    Intel(R) UHD Graphics 770 with shared graphics memory
    Sound Card
    Integrated
    Monitor(s) Displays
    Acer CBL282K Smiiprx
    Screen Resolution
    4K UHD (3840 x 2160) @ 60 Hz
    Hard Drives
    Western Digital PC SN810 512 GB M.2 NVMe SSD, PCIe
    PSU
    750W
    Cooling
    2G44F Asetek 125W CPU liquid cooler
    Keyboard
    Arteck Wireless
    Mouse
    Victsing-mm057 wireless
    Internet Speed
    Wi-Fi 6
    Browser
    Vivaldi
    Antivirus
    Windows Defender (native)
  • Operating System
    Win 22H2
    Computer type
    Laptop
    Manufacturer/Model
    Dell Vostro 5620
    CPU
    12th Gen Intel Core i7-1260P
    Memory
    2 x 8 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Screen Resolution
    1920 x 1200 @ 60 Hz
    Hard Drives
    NVMe 512 GB
    Case
    Aluminum
    Mouse
    Touchpad
    Browser
    Vivaldi
    Antivirus
    Windows Defender (native)
@Brink: probe7 tried this (in admin cmd) and got this:

I tried it in PowerShell and got the same thing, but when I tried the words, the command worked.

Set-MpPreference -SubmitSamplesConsent 2 was rejected. Set-MpPreference -SubmitSamplesConsent NeverSend was accepted and turned off enough in Defender to give a warning on the icon.

Set-MpPreference -SubmitSamplesConsent 1 was rejected. Set-MpPreference -SubmitSamplesConsent SendSafeSamples was accepted.

I'm using PS 7.4.0 now, but I was using 7.3.<something> when I tried the first one with "2".

Any idea why the numbers didn't work but the words did, and the response when the numbers were rejected clearly asked for words?

Thanks,

Dan
 

My Computers

System One System Two

  • OS
    11 Pro 24H2 26100.1876
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M920S SFF
    CPU
    i7-9700 @ 3.00GHz
    Motherboard
    Lenovo 3132
    Memory
    32GBDDR4 @ 2666MHz
    Graphics Card(s)
    Intel HD 630 Graphics onboard
    Sound Card
    Realtek HD Audio
    Monitor(s) Displays
    LG E2442
    Screen Resolution
    1920x1080
    Hard Drives
    1 x Samsung 970 EVO PLUS 500GB NVMe SSD, 1 x WD_BLACK SN770
    250GB NVMe SSD (OS and programs), 1 x WD_BLACK SN770
    500GB NVMe SSD (Data)
    Case
    Lenovo SFF
    Keyboard
    Cherry Stream TKL JK-8600US-2 Wired
    Mouse
    LogiTech M510 wireless
    Internet Speed
    Fast (for fixed wireless!)
    Browser
    Chrome, sometimes Firefox
    Antivirus
    Malwarebytes Premium & Defender (working together beautifully!)
  • Operating System
    11 Pro 24H2 26100.1876
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M920S SFF
    CPU
    i5-8400 @ 2.80GHz
    Motherboard
    Lenovo 3132
    Memory
    32GB DDR4 @ 2600MHz
    Graphics card(s)
    Intel HD 630 Graphics onboard
    Sound Card
    Realtek High Definition Audio onboard
    Monitor(s) Displays
    LG FULL HD (1920x1080@59Hz)
    Screen Resolution
    1920 x 1080
    Hard Drives
    1 x Samsung 970 EVO PLUS NVMe; 1 x Samsung 980 NVMe SSD
    Case
    Lenovo Think Centre SFF
    Mouse
    LogiTech M510 wireless
    Keyboard
    Cherry Stream TKL JK-8600US-2 Wired
    Internet Speed
    Fast (for fixed wireless!)
    Browser
    Chrome
    Antivirus
    Malwarebytes Premium and MS Defender, beautiful together
Hello Dan @Wisewiz , :alien:

Looks like a change even though the numbers are still listed below. I'll update the tutorial now.

 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Surface Laptop 7 Copilot+ PC
    CPU
    Snapdragon X Elite (12 core) 3.42 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Monitor(s) Displays
    15" HDR
    Screen Resolution
    2496 x 1664
    Hard Drives
    1 TB SSD
    Internet Speed
    Wi-Fi 7 and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender
Great. Thank you.
 

My Computers

System One System Two

  • OS
    11 Pro 24H2 26100.1876
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M920S SFF
    CPU
    i7-9700 @ 3.00GHz
    Motherboard
    Lenovo 3132
    Memory
    32GBDDR4 @ 2666MHz
    Graphics Card(s)
    Intel HD 630 Graphics onboard
    Sound Card
    Realtek HD Audio
    Monitor(s) Displays
    LG E2442
    Screen Resolution
    1920x1080
    Hard Drives
    1 x Samsung 970 EVO PLUS 500GB NVMe SSD, 1 x WD_BLACK SN770
    250GB NVMe SSD (OS and programs), 1 x WD_BLACK SN770
    500GB NVMe SSD (Data)
    Case
    Lenovo SFF
    Keyboard
    Cherry Stream TKL JK-8600US-2 Wired
    Mouse
    LogiTech M510 wireless
    Internet Speed
    Fast (for fixed wireless!)
    Browser
    Chrome, sometimes Firefox
    Antivirus
    Malwarebytes Premium & Defender (working together beautifully!)
  • Operating System
    11 Pro 24H2 26100.1876
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M920S SFF
    CPU
    i5-8400 @ 2.80GHz
    Motherboard
    Lenovo 3132
    Memory
    32GB DDR4 @ 2600MHz
    Graphics card(s)
    Intel HD 630 Graphics onboard
    Sound Card
    Realtek High Definition Audio onboard
    Monitor(s) Displays
    LG FULL HD (1920x1080@59Hz)
    Screen Resolution
    1920 x 1080
    Hard Drives
    1 x Samsung 970 EVO PLUS NVMe; 1 x Samsung 980 NVMe SSD
    Case
    Lenovo Think Centre SFF
    Mouse
    LogiTech M510 wireless
    Keyboard
    Cherry Stream TKL JK-8600US-2 Wired
    Internet Speed
    Fast (for fixed wireless!)
    Browser
    Chrome
    Antivirus
    Malwarebytes Premium and MS Defender, beautiful together

Latest Support Threads

Back
Top Bottom