Disable Defender Antivirus cloud protection reporting
Overview
This script improves your privacy on Windows.
These changes use Windows system commands to update your settings.
This script disables Microsoft Defender's cloud protection reporting.
Cloud protection is was previously also known as Microsoft MAPS (Microsoft Active Protection Service) 1 2 3. It was previously known as Windows Defender Antivirus Cloud Protection Service 3 and Microsoft Defender Antivirus Cloud Protection Service 3. It's a feature of Defender Antivirus 1 2 3 4 5.
This feature creates an online community that helps users address potential threats and prevent new malicious software 1 2 3 6 7. Participation in the community is often called SpyNet membership 8 9 or simply membership 1 2 6.
When Defender detects unclassified software or changes, it shows how other members responded to the alert 9. Your participation helps Microsoft and others investigate potential threats 9.
Cloud protection automatically collects and sends information about software, user behavior, and system data 1 2 3. In some cases, it may transmit sensitive personal information to Microsoft 1 2 3.
This feature is off by default on most systems 1 2 3 6 9. However, it may come enabled on some editions, like Windows on Azure.
Disabling cloud protection:
- Enhances privacy by preventing the automatic sharing of potentially sensitive data with Microsoft. While DISA initially recommended disabling cloud protection 8, they later encouraged enabling it for additional security 4. However, CIS continues to recommend deactivation in high-security settings for enhanced privacy 3. This script prioritizes privacy by disabling the feature.
- May improve system performance by reducing background data collection and transmission.
- May reduce protection against new threats by limiting Defender's access to community insights and real-time updates.
This change enhances privacy but may reduce overall system security.
Technical Details
This script configures the following settings:
- Using the Defender CLI to set the
MAPSReporting
preference 6 7. HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!SpynetReporting
to configure the Group Policy (GPO) setting 1 2 3 8 9.HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!LocalSettingOverrideSpynetReporting
to consistently apply the desired Group Policy (GPO) setting 3 5.HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet!SpynetReporting
: This registry key is undocumented but present in recent versions of Windows. Tests show that changing this value via the CLI also alters the registry value.
This script uses Batch (batchfile) scripting language.
This script is only recommended if you understand its implications. Some non-critical or features may no longer function correctly after running this script.
Implementation Details
-
Language: batch
-
Required Privileges: Administrator rights
-
Compatibility: Windows only
-
Reversibility: Can be undone using provided revert script
Explore Categories
- Disable Defender Antivirus cloud protection
- Disable Defender data collection
- Disable Defender
- Privacy over security
This action belongs to Disable Defender Antivirus cloud protection category. This category contains scripts that disable or limit Microsoft Defender's cloud-based protection features. Microsoft Defender's cloud protection is also known as Microsoft MAPS (Microsoft Active Protection Service) or Microsoft SpyNet. It is an online community that helps detect and prevent the... Read more on category page ▶
This action belongs to Disable Defender data collection category. This category features scripts designed to reduce or eliminate data collection by Defender. Disabling these features enhances privacy by limiting the information shared with Microsoft. Although Microsoft Defender offers security benefits, it also collects data for analysis, service improvement,... Read more on category page ▶
This action belongs to Disable Defender category. This category offers scripts to disable Windows security components related to Defender. Defender is also referred to as Microsoft Defender or Windows Defender. Although designed to protect you, its features may compromise your privacy and decrease computer performance. Privacy concerns... Read more on category page ▶
This action belongs to Privacy over security category. This category configures Windows using 254 scripts. These scripts are organized in 57 categories. The category includes 3 subcategories that include more scripts and categories. Read more on category page ▶
Apply now
Choose one of three ways to apply:
- Automatically via privacy.sexy: The easiest and safest option.
- Manually by downloading: Requires downloading a file.
- Manually by copying: Advanced flexibility.
Alternative 1. Apply with Privacy.sexy
privacy.sexy is free and open-source application that lets securely apply this action easily.
You can fully restore this action (revert back to the original behavior) using the application.
privacy.sexy instructions
- Open or download the desktop application
- Search for the script name:
Disable Defender Antivirus cloud protection reporting
. - Check the script by clicking on the checkbox.
- Click on Run button at the bottom of the page.
Alternative 2. Download
This script is irreversible, meaning there is no straightforward method to restore changes once applied. Exercise caution before running, restoring it may not be possible.
-
Download the script file by clicking on the button below:
-
Run the script file by clicking on it.
Download revert script
This file restores your system to its original state, before this script is applied.
Alternative 3. Copy
This is for advanced users. Consider automatically applying or downloading the script for simpler way.
- Open Command Prompt as administrator.
HELP: Step-by-step guide
-
Click on Start menu
- Windows 11
- Windows 10
-
Type cmd
- Windows 11
- Windows 10
-
Right click on Command Prompt select Run as administrator
- Windows 11
- Windows 10
-
Click on Yes to run Command Prompt
- Windows 11
- Windows 10
- Windows 11
- Windows 10
- Copy the following code:
PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'MAPSReporting'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) { Write-Host "^""Skipping. `"^""$propertyName`"^"" is already `"^""$value`"^"" as desired."^""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) { Write-Warning 'Skipping. Command not found: "^""Set-MpPreference"^"".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "^""Skipping. `"^""$propertyName`"^"" is not supported for `"^""$($command.Name)`"^""."^""; exit 0; }; try { Invoke-Expression "^""$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"^""; Set-MpPreference -Force -MAPSReporting $value -ErrorAction Stop; Write-Host "^""Successfully set `"^""$propertyName`"^"" to `"^""$value`"^""."^""; exit 0; } catch { if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "^""Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"^""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') { Write-Host "^""Skipping. Argument `"^""$value`"^"" for property `"^""$propertyName`"^"" is not supported for `"^""$($command.Name)`"^""."^""; exit 0; } else { Write-Error "^""Failed to set using $($command.Name): $_"^""; exit 1; }; }"
:: Set the registry value: "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet!SpyNetReporting"
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$registryPath = ''HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet'''+"^""`r`n"^""+'$data = ''0'''+"^""`r`n"^""+''+"^""`r`n"^""+'reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet'' `'+"^""`r`n"^""+' /v ''SpyNetReporting'' `'+"^""`r`n"^""+' /t ''REG_DWORD'' `'+"^""`r`n"^""+' /d "^""$data"^"" `'+"^""`r`n"^""+' /f'; Invoke-AsTrustedInstaller $cmd"
:: Set the registry value: "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!LocalSettingOverrideSpynetReporting"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; $data = '0'; reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' /v 'LocalSettingOverrideSpynetReporting' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!SpynetReporting"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; $data = '0'; reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' /v 'SpynetReporting' /t 'REG_DWORD' /d "^""$data"^"" /f"
- Right click on command prompt to paste it.
- Press Enter to apply remaining code.
Copy restore code
Copy and run the following code to restore changes:
PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'MAPSReporting'; $defaultValue = '2'; $setDefaultOnWindows10 = $true <# $false #>; $setDefaultOnWindows11 = $false; $osVersion = [System.Environment]::OSVersion.Version; function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) }; function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) }; <# ------ Set-MpPreference ------ #>; if(($setDefaultOnWindows10 -and (Test-IsWindows10)) -or ($setDefaultOnWindows11 -and (Test-IsWindows11))) { if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $defaultValue) { Write-Host "^""Skipping. `"^""$propertyName`"^"" is already configured as desired `"^""$defaultValue`"^""."^""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) { Write-Warning 'Skipping. Command not found: "^""Set-MpPreference"^"".'; exit 1; }; if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "^""Skipping. `"^""$propertyName`"^"" is not supported for `"^""$($command.Name)`"^""."^""; exit 0; }; try { Invoke-Expression "^""$($command.Name) -Force -$propertyName `$defaultValue -ErrorAction Stop"^""; Write-Host "^""Successfully restored `"^""$propertyName`"^"" to its default `"^""$defaultValue`"^""."^""; exit 0; } catch { if ($_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "^""Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"^""; } else { Write-Error "^""Failed to set using $($command.Name): $_"^""; }; exit 1; }; }; <# ------ Remove-MpPreference ------ #>; $command = Get-Command 'Remove-MpPreference' -ErrorAction Ignore; if (!$command) { Write-Warning 'Skipping. Command not found: "^""Remove-MpPreference"^"".'; exit 1; }; if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "^""Skipping. `"^""$propertyName`"^"" is not supported for `"^""$($command.Name)`"^""."^""; exit 0; }; try { Invoke-Expression "^""$($command.Name) -Force -$propertyName -ErrorAction Stop"^""; Write-Host "^""Successfully restored `"^""$propertyName`"^"" to its default."^""; exit 0; } catch { if ($_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "^""Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"^""; } else { Write-Error "^""Failed to set using $($command.Name): $_"^""; }; exit 1; }"
:: Set the registry value "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet!SpyNetReporting"
PowerShell -ExecutionPolicy Unrestricted -Command "function Invoke-AsTrustedInstaller($Script) { $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]); $streamFile = New-TemporaryFile; $scriptFile = New-TemporaryFile; try { $scriptFile = Rename-Item -LiteralPath $scriptFile -NewName ($scriptFile.BaseName + '.ps1') -Force -PassThru; $Script | Out-File $scriptFile -Encoding UTF8; $taskName = "^""privacy$([char]0x002E)sexy invoke"^""; schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null; $executionCommand = "^""powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8"^""; $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "^""-ExecutionPolicy Bypass -Command `"^""$executionCommand`"^"""^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null; $timeout = (Get-Date).AddMinutes(5); Write-Host "^""Running as $principalName"^""; while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if ((Get-Date) -gt $timeout) { Write-Warning 'Skipping: Timeout'; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed, due to exit code: $result."^""; } } finally { schtasks.exe /delete /tn $taskName /f | Out-Null; }; Get-Content $streamFile } finally { Remove-Item $streamFile, $scriptFile; }; }; $cmd = '$revertData = ''2'''+"^""`r`n"^""+' '+"^""`r`n"^""+' reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet'' `'+"^""`r`n"^""+' /v ''SpyNetReporting'' `'+"^""`r`n"^""+' /t ''REG_DWORD'' `'+"^""`r`n"^""+' /d "^""$revertData"^"" `'+"^""`r`n"^""+' /f'; Invoke-AsTrustedInstaller $cmd"
:: Delete the registry value "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!LocalSettingOverrideSpynetReporting"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' /v 'LocalSettingOverrideSpynetReporting' /f 2>$null"
:: Delete the registry value "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!SpynetReporting"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' /v 'SpynetReporting' /f 2>$null"
Support
This website relies on your support.
Your donation helps keep the project alive and improves its content ❤️.
Share this page: