Microsoft Defender Antivirus • Release: 7 Benchmark Date: 05 Jan 2026

CAT II V-213435 WNDF-AV-000011

Microsoft Defender AV must be configured to only send safe samples for MAPS telemetry.

Documentable No
Rule ID SV-213435r961092_rule
CCI References
CCI-001170

Discussion

This policy setting configures behavior of samples submission when opt-in for MAPS telemetry is set. Possible options are: (0x0) Always prompt (0x1) Send safe samples automatically (0x2) Never send (0x3) Send all samples automatically

Check Procedure

This is applicable to unclassified systems. For other systems this is NA.

Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> MAPS >> "Send file samples when further analysis is required" is set to "Enabled" and "Send safe samples" is selected from the drop-down box.
     
Procedure: Use the Windows Registry Editor to navigate to the following key: 
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet

Criteria: If the value "SubmitSamplesConsent" is REG_DWORD = 1, this is not a finding.

Fix Action

This is applicable to unclassified systems. For other systems this is NA.

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> MAPS >> "Send file samples when further analysis is required" to "Enabled" and select "Send safe samples" from the drop-down box.