Skip to main content

Disable Defender Antivirus automatic file submission to Microsoft

Overview

About this script

This script improves your privacy on Windows.

These changes use Windows system commands to update your settings.

This script disables Defender's automatic submission of file samples to Microsoft for analysis.

Automatic file submission is a feature of Defender Antivirus 1 2 3 4 5 6. By default, Defender automatically sends 'safe' file samples to Microsoft for analysis 1 2.

This action is part of Microsoft's Advanced Protection Service (MAPS) 1 2. Previously, this service was known as Microsoft SpyNet 1 2. It is now referred to as cloud protection 3.

This automatic collection and submission can include your personal information 3.

This script sets the sample submission setting to "Never send" (value 2), preventing any automatic file submissions 1 2 4 5. This enhances privacy by stopping the automatic sharing of potentially sensitive file data with Microsoft. It also improves system performance by reducing background data transfers.

However, this change may reduce Defender's ability to detect new threats, as it relies on sample submissions to improve its detection capabilities. The Defense Information Systems Agency (DISA) recommends against disabling sample submission 3.

Caution

This change enhances privacy but may reduce overall system security.

Technical Details

This script configures the following settings:

  • Using the Defender CLI to set the SubmitSamplesConsent preference 3 4.
  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent to configure the Group Policy (GPO) setting 1 2.
  • HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent [7]. It has enabled value of 1 in recent versions of Windows [7]. Tests show that changing this value via the CLI also alters the registry value.

This script uses Batch (batchfile) scripting language.

Use with Caution

This script is only recommended if you understand its implications. Some non-critical or features may no longer function correctly after running this script.

Implementation Details
  • Language: batch

  • Required Privileges: Administrator rights

  • Compatibility: Windows only

  • Reversibility: Can be undone using provided revert script

Explore Categories

This action belongs to Disable Defender Antivirus cloud protection category. This category contains scripts that disable or limit Microsoft Defender's cloud-based protection features. Microsoft Defender's cloud protection is also known as Microsoft MAPS (Microsoft Active Protection Service) or Microsoft SpyNet. It is an online community that helps detect and prevent the... Read more on category page ▶

Apply now

Choose one of three ways to apply:

  1. Automatically via privacy.sexy: The easiest and safest option.
  2. Manually by downloading: Requires downloading a file.
  3. Manually by copying: Advanced flexibility.

Alternative 1. Apply with Privacy.sexy

privacy.sexy is free and open-source application that lets securely apply this action easily.

Open privacy.sexy

You can fully restore this action (revert back to the original behavior) using the application.

privacy.sexy instructions
  1. Open or download the desktop application
  2. Search for the script name: Disable Defender Antivirus automatic file submission to Microsoft.
  3. Check the script by clicking on the checkbox.
  4. Click on Run button at the bottom of the page.

Alternative 2. Download

Irreversible Changes

This script is irreversible, meaning there is no straightforward method to restore changes once applied. Exercise caution before running, restoring it may not be possible.

  1. Download the script file by clicking on the button below:

    Download script

  2. Run the script file by clicking on it.

Download revert script

This file restores your system to its original state, before this script is applied.

Download restore script

Alternative 3. Copy

This is for advanced users. Consider automatically applying or downloading the script for simpler way.

  1. Open Command Prompt as administrator.
HELP: Step-by-step guide
  1. Click on Start menu

  2. Type cmd

  3. Right click on Command Prompt select Run as administrator

  4. Click on Yes to run Command Prompt


Animation showing how to open terminal as administrator on Windows 11

  1. Copy the following code:
Code to apply changes
PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SubmitSamplesConsent'; $value = '2'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) { Write-Host "^""Skipping. `"^""$propertyName`"^"" is already `"^""$value`"^"" as desired."^""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) { Write-Warning 'Skipping. Command not found: "^""Set-MpPreference"^"".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "^""Skipping. `"^""$propertyName`"^"" is not supported for `"^""$($command.Name)`"^""."^""; exit 0; }; try { Invoke-Expression "^""$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"^""; Set-MpPreference -Force -SubmitSamplesConsent $value -ErrorAction Stop; Write-Host "^""Successfully set `"^""$propertyName`"^"" to `"^""$value`"^""."^""; exit 0; } catch { if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "^""Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"^""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') { Write-Host "^""Skipping. Argument `"^""$value`"^"" for property `"^""$propertyName`"^"" is not supported for `"^""$($command.Name)`"^""."^""; exit 0; } else { Write-Error "^""Failed to set using $($command.Name): $_"^""; exit 1; }; }"
:: Set the registry value: "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; $data = '2'; reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' /v 'SubmitSamplesConsent' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent"
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$registryPath = ''HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet'''+"^""`r`n"^""+'$data = ''2'''+"^""`r`n"^""+''+"^""`r`n"^""+'reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet'' `'+"^""`r`n"^""+' /v ''SubmitSamplesConsent'' `'+"^""`r`n"^""+' /t ''REG_DWORD'' `'+"^""`r`n"^""+' /d "^""$data"^"" `'+"^""`r`n"^""+' /f'; Invoke-AsTrustedInstaller $cmd"
  1. Right click on command prompt to paste it.
  2. Press Enter to apply remaining code.

Copy restore code

Copy and run the following code to restore changes:

Revert code
PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SubmitSamplesConsent'; $defaultValue = '1'; $setDefaultOnWindows10 = $true <# $false #>; $setDefaultOnWindows11 = $true <# $false #>; $osVersion = [System.Environment]::OSVersion.Version; function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) }; function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) }; <# ------ Set-MpPreference ------ #>; if(($setDefaultOnWindows10 -and (Test-IsWindows10)) -or ($setDefaultOnWindows11 -and (Test-IsWindows11))) { if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $defaultValue) { Write-Host "^""Skipping. `"^""$propertyName`"^"" is already configured as desired `"^""$defaultValue`"^""."^""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) { Write-Warning 'Skipping. Command not found: "^""Set-MpPreference"^"".'; exit 1; }; if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "^""Skipping. `"^""$propertyName`"^"" is not supported for `"^""$($command.Name)`"^""."^""; exit 0; }; try { Invoke-Expression "^""$($command.Name) -Force -$propertyName `$defaultValue -ErrorAction Stop"^""; Write-Host "^""Successfully restored `"^""$propertyName`"^"" to its default `"^""$defaultValue`"^""."^""; exit 0; } catch { if ($_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "^""Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"^""; } else { Write-Error "^""Failed to set using $($command.Name): $_"^""; }; exit 1; }; }; <# ------ Remove-MpPreference ------ #>; $command = Get-Command 'Remove-MpPreference' -ErrorAction Ignore; if (!$command) { Write-Warning 'Skipping. Command not found: "^""Remove-MpPreference"^"".'; exit 1; }; if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "^""Skipping. `"^""$propertyName`"^"" is not supported for `"^""$($command.Name)`"^""."^""; exit 0; }; try { Invoke-Expression "^""$($command.Name) -Force -$propertyName -ErrorAction Stop"^""; Write-Host "^""Successfully restored `"^""$propertyName`"^"" to its default."^""; exit 0; } catch { if ($_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "^""Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"^""; } else { Write-Error "^""Failed to set using $($command.Name): $_"^""; }; exit 1; }"
:: Delete the registry value "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' /v 'SubmitSamplesConsent' /f 2>$null"
:: Set the registry value "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent"
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$revertData = ''1'''+"^""`r`n"^""+' '+"^""`r`n"^""+' reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet'' `'+"^""`r`n"^""+' /v ''SubmitSamplesConsent'' `'+"^""`r`n"^""+' /t ''REG_DWORD'' `'+"^""`r`n"^""+' /d "^""$revertData"^"" `'+"^""`r`n"^""+' /f'; Invoke-AsTrustedInstaller $cmd"

Support

This website relies on your support.

Support now

Your donation helps keep the project alive and improves its content ❤️.

Share this page: