Manage Privacy: Windows Defender and Resulting Internet Communication
Applies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8
In this section
Overview: Using Windows Defender and information from the MAPS community in a managed environment
How Windows Defender communicates with Internet sites without a MAPS membership
How Windows Defender communicates with Internet sites when combined with MAPS
Procedures for configuring Windows Defender
This section discusses how Windows Defender communicates across the Internet, and it explains steps to take to limit, control, or prevent that communication in an organization with many users.
Benefits and purposes of Windows Defender and the online Microsoft Active Protection Service community
Windows Defender
With Windows Defender, users can be alerted when spyware, malware, adware, random toolbars and such attempts to install or run on their computers. Windows Defender also alerts users when programs attempt to change important settings in the Windows operating system.
With Windows Defender, users can schedule scans on a regular basis, and they can be alerted to harmful software that is detected or removed during the scan.
Windows Defender receives updates to respond to evolving malicious and potentially unwanted software. It is designed to automatically update by using the Windows Update service. It can also be updated from a WSUS server in an environment with Windows Server Update Services (WSUS). The following list briefly describes how Windows Defender obtains updates:
If Windows Defender is enabled, by default it checks for software updates and updated definitions of spyware and other potentially unwanted software before each scheduled scan. It checks for these updates on the Windows Update service (or in an environment with WSUS, it checks a WSUS server). This check for updates helps ensure that Windows Defender uses the latest available software and definitions when scanning.
Scheduled scans occur daily by default, so these checks for software updates also occur daily by default.
Through commands on the Help menu, the user can request that Windows Defender check immediately for updated definitions. Users can also view a web-based privacy statement.
For more details about how Windows Defender checks for software updates, see How Windows Defender communicates with Internet sites without a MAPS membership later in this section.
The online Microsoft Active Protection Service community
The online Microsoft Active Protection Service (MAPS) community is designed to help Microsoft continually update and improve definitions of malware, spyware and other potentially unwanted software and to help Microsoft improve Windows Defender and related technologies.
New types and versions of potentially unwanted software are emerging regularly, so MAPS reports help Microsoft researchers discover new threats more rapidly and determine which software to investigate. For example, if many people remove software that has not yet been classified, Microsoft analyzes that software to see if it should be included in future definitions. MAPS uses these definitions to detect and block malware.
Joining the online Microsoft Active Protection Service community is optional, but it is recommended. When the computer is first started, prompts appear that recommend steps that can help protect the computer. These include joining the online Microsoft Active Protection Service community.
Overview: Using Windows Defender and information from the MAPS community in a managed environment
In a managed environment, Windows Defender can help keep potentially unwanted software off of users' computers and help prevent potentially unwanted software from causing issues. Membership in the online MAPS community can provide additional information that might be useful when you are making decisions about questionable software.
If you choose to use other solutions to defend against malware and other potentially unwanted software, you can configure Windows Defender to:
Use Group Policy settings to prevent users from running Windows Defender.
Use Group Policy settings to limit access to resources such as the online MAPS community by allowing only designated people to become members.
Check your WSUS servers for updates. (You must have WSUS set up in your environment for this option.) If the WSUS servers are unavailable, Windows Defender checks the Windows Update website to ensure that it is using the latest definitions when scanning.
For more information, see Windows Server Update Services.
How Windows Defender communicates with Internet sites without a MAPS membership
The following list describes how Windows Defender communicates with sites on the Internet when users do not have membership in the online MAPS community. Communication that results with Basic or Advanced membership in the online MAPS community is described in the next section.
When enabled by itself, Windows Defender communicates with sites on the Internet as follows:
Specific information received: The following list describes the information that is received in specific situations:
Each time Windows Defender performs a scheduled scan (if there is a connection to the Internet). By default Windows Defender checks the Windows Update website for software updates and updated definitions. This is the same process that is used to check for updates for other operating system features, which means that the information sent includes the version of the current set of definitions. If updates are available, they are downloaded by Windows Defender.
When the user clicks Help options, and then clicks Check for updates. Windows Defender performs the same check described in the previous item.
When the user clicks Help options, and then clicks View Privacy Statement Online. The privacy statement is displayed:
Windows 8 and Windows Server 2012 Privacy Statement or Windows 8.1 and Windows Server 2012 R2 privacy statement
Default settings: If Windows Defender is enabled, by default it scans the computer daily. (A prompt that recommends Windows Defender be enabled is displayed the first time the computer is started after setup.)
Triggers: When Windows Defender performs a scheduled scan, by default it also searches the Windows Update Web servers for the latest definition file. To cause Windows Defender to check immediately for updates or to display the privacy statement online, the user must click the Help options that are offered.
User notification: When a scan is in progress and the Windows Defender interface is open, status about the scan is displayed. Also when a scan is in progress, the user can click the Windows Defender icon in the notification area to view status.
Logging: Windows Defender logs the following types of information on the local computer:
Events are logged in Event Viewer in the System log.
Update failures are logged to systemroot**\Temp\Mpsigstub.log**.
Actions taken to protect against spyware or potentially unwanted software are logged in the same location as other events for that software.
Encryption: Windows Defender uses the same encryption methods as Windows Update, which means initial data is transferred by using HTTPS, and updates are transferred by using HTTP.
Access: Microsoft staff maintains the functionality of the Windows Update Web servers, and as part of maintaining the servers, they monitor the version information that Windows Defender sends when it checks for updates.
Privacy: To view the privacy statement, see Windows 8 and Windows Server 2012 Privacy Statement or Windows 8.1 and Windows Server 2012 R2 privacy statement.
Transmission protocol and port: Windows Defender uses the same transmission protocols and ports as Windows Update: HTTP with port 80 and HTTPS with port 443.
Ability to disable: You can disable Windows Defender through Control Panel or Group Policy.
How Windows Defender communicates with Internet sites when combined with MAPS
The following list describes communication that results from using Windows Defender with membership in the online MAPS community. When a user has joined the online MAPS community, Windows Defender communicates with sites on the Internet as follows:
Specific information sent: The following list describes the information that is sent depending on the level of membership in MAPS. The information is sent whenever Windows Defender detects software that has not been analyzed for risks or malware:
For Basic members: The report that is sent by Windows Defender to the MAPS website includes the following information:
About the computer: A randomly generated, globally unique identifier (GUID) that is used to uniquely identify the computers of MAPS members when they communicate with the MAPS website. (Windows Defender creates the GUID unless the operating system was upgraded from Windows XP, in which case the GUID might have been created previously by the Microsoft Malicious Software Removal Tool running on Windows XP.) This GUID does not contain any personal information.
Information collected about the computer also includes the operating system name and version (including any service packs that have been applied), the web browser software and version, and identifiers for the country or region and locale. In addition, the report might contain information related to the possible presence of spyware or other potentially unwanted software—for example, information about registry key entries that control actions such as automatically starting an application when the system starts.
About the software in question: This information includes the file name, size, date stamps, and where applicable, vendor and cryptographic hashes. In addition, full URLs can be collected that indicate the origin of the file. Windows Defender attempts to filter out personal information in the URL and in the fil paths for Basic members. The report can also include the action that the user chose to take when the program was detected (Block or Allow).
Note
The user's membership in MAPS means that the user might sometimes see a pop-up request for a Sample Submission report. This report requests specific files that Microsoft suspects might be potentially unwanted software on a computer, and these files are used for further analysis. The report is sent only if the user consents.
For Advanced members: The report that is sent to the MAPS website includes the information that is sent with a Basic membership, plus additional details about the software in question including file paths and partial memory dumps. These file paths and partial memory dumps might unintentionally contain personal information. If any personal information is included in a report, the information is not used to identify or contact a user.
Note
The user's membership in MAPS means that the user might sometimes see a pop-up request for a Sample Submission report. This report requests specific files that Microsoft suspects might be potentially unwanted software on a computer, and these files are used for further analysis. The report is sent only if the user consents.
Default settings: If a person opts-in to MAPS during the Windows Defender configuration process, the membership is a Basic membership by default.
Triggers: When Windows Defender detects software that has not been analyzed for risks (that is, software not previously categorized in the Windows Defender definition file) and the user is a member of MAPS, Windows Defender sends a report about the software in question.
User notification: For Basic MAPS members, the user notification is the same as for anyone using Windows Defender. For more information, see How Windows Defender communicates with Internet sites without a MAPS membership earlier in this section.
For Advanced MAPS members, if software is present that has not yet been classified for risk, and it attempts to change computer settings, a prompt asks whether to allow or block the change. (For users who are Basic MAPS members, such software is not blocked.)
Logging: Logging for Windows Defender does not change when the user is a MAPS member. For more information, see How Windows Defender communicates with Internet sites without a MAPS membership earlier in this section.
Encryption: Windows Defender uses Secure Sockets Layer (SSL) to encrypt the information that it sends to MAPS.
Access: MAPS reports are used to improve Microsoft software and services. The reports may also be used for statistical or other testing or analytical purposes, trending, and signature generation. Only Microsoft employees, contractors, and vendors who have a business need to use the reports are provided access to them.
Privacy: To view the privacy statement, which covers MAPS, see Windows 8 and Windows Server 2012 Privacy Statement or Windows 8.1 and Windows Server 2012 R2 privacy statement.
Transmission protocol and port: When Windows Defender sends information to MAPS, it uses HTTPS with port 443.
Ability to disable: A user can decline or end membership in MAPS from an individual computer and an administrator can prevent users from being members by using a Group Policy setting.
Procedures for configuring Windows Defender
This subsection provides procedures for:
Viewing or changing Windows Defender settings, including MAPS settings.
Disabling Windows Defender by using Group Policy.
Preventing MAPS membership by using Group Policy.
To view or change Windows Defender and MAPS settings
Open Control Panel, and then click Windows Defender.
Click Settings, and then click MAPS.
View or change the settings, and then click Cancel or Save changes.
To disable Windows Defender by using Group Policy
Using an account with domain administrative credentials, sign, open Group Policy Management Console (GPMC) or Group Policy Object Editor, and then edit an appropriate Group Policy Object (GPO).
Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Defender.
In the details pane, double-click Turn off Windows Defender, and then click Enabled.
Note
If this Group Policy setting is enabled, the user can still click the command to open Windows Defender. However, Windows Defender displays a pop-up window that says it is turned off by Group Policy.
To prevent Windows Active Protection Service membership by using Group Policy
Using an account with domain administrative credentials, sign, open the Group Policy Management Console by running gpmc.msc, and then edit an appropriate GPO.
Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Defender.
For Windows 8: In the details pane, double-click Configure Microsoft Active Protection Service Reporting, click Enabled, and then click No Membership.
Important
To prevent Microsoft Active Protection Service reporting, do not disable this setting. You can only block Microsoft Active Protection Service reporting by enabling this setting and then choosing No Membership.
For Windows 8.1: In the navigation pane, expand MAPS and then in the details pane, double-click Join Microsoft MAPS and choose Disabled.
Additional references
For more information, see the following Microsoft websites: