SOLVED: How To Enable BLOCK AT FIRST SITE in Windows Defender SCEP Using SCCM or GPO in Windows 10 1607

If you have deployed Windows 10 Anniversary 1607 and are using Windows Defender you should be very interested in the new BLOCK ON FIRST SIGHT feature.  When a user runs a program that Defender has never seen before, BLOCK ON FIRST SIGHT, sends a metadata about the file to a Microsoft cloud service.  That service uses heuristics and machine learning to figure out of the program is malicious.  If it cannot make that determination, a copy of the program is sent to Microsoft and if they think it might be malicious, it will tell Defender to block it.

This process typically takes just 1 to 4 seconds and only occurs the first time a user runs a new program so they are unlikely to notice the delay.

This is a great way to keep your company safe and if you are using System Center Endpoint Protection (= corporate version of Defender) you can easily enable this feature.

You need to have both CLOUD BASED PROTECTION and AUTOMATIC SAMPLE SUBMISSION turned on.  This can be done in current versions of SCEP (i.e. build 1511 or newer) or through a GPO:

  1. COMPUTER CONFIGURATION > POLICIES > ADMINISTRATIVE TEMPLATES > WINDOWS COMPONENTS > WINDOWS DEFENDER > JOIN MICROSOFT MAPS – set to ENABLED
  2. COMPUTER CONFIGURATION > POLICIES > ADMINISTRATIVE TEMPLATES > WINDOWS COMPONENTS > WINDOWS DEFENDER > MAPS > BLOCK AT FIRST SITE – set to ENABLED

You can manually set it up on a single PC by:

  • START button > SETTINGS > UPDATE & SECURITY > WINDOWS DEFENDER – enable both CLOUD BASED PROTECTION and AUTOMATIC SAMPLE SUBMISSION

For more details see:

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-block-at-first-sight
NOTE: this article implies that SCCM is not supported but I have confirmed that it is .  If you are a Microsoft Partner you can read my thread HERE.

Published by
Ian Matthews

This website uses cookies.