Title

Microsoft Active Protection Service membership must be disabled. (Cat II impact)

Discussion

Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. This setting disables Microsoft Active Protection Service membership and reporting.

Check Content

If the following registry value exists and is set to "1" (Basic) or "2" (Advanced), this is a finding. If the following registry value does not exist, this is not a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\ Value Name: SpyNetReporting Type: REG_DWORD Value: 1 or 2 = a Finding

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender >> MAPS >> "Join Microsoft MAPS" to "Disabled".

Additional Identifiers

Rule ID: SV-48251r4_rule

Vulnerability ID: V-15713

Group Title: Defender – SpyNet Reporting

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.