Title

Windows Defender AV must be configured to disable local setting override for reporting to Microsoft MAPS. (Cat II impact)

Discussion

This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local preference setting.

Check Content

This is applicable to unclassified systems, for other systems this is NA. Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Configure local setting override for reporting to Microsoft MAPS" is set to "Disabled" or "Not Configured". Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender\Spynet Criteria: If the value "LocalSettingOverrideSpynetReporting" is REG_DWORD = 0, this is not a finding. If the value does not exist, this is not a finding. If the value is 1, this is a finding.

Fix Text

This is applicable to unclassified systems, for other systems this is NA. Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Configure local setting override for reporting to Microsoft MAPS" to "Disabled" or "Not Configured".

Additional Identifiers

Rule ID: SV-213432r569189_rule

Vulnerability ID: V-213432

Group Title: SRG-APP-000210

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.