Cloud protection works together with Microsoft Defender Antivirus to deliver protection to your devices faster than through traditional security intelligence updates. You can configure your level of cloud protection by using Microsoft Intune (recommended) or Group Policy.
Use Microsoft Intune to specify the level of cloud protection
Use Group Policy to specify the level of cloud protection
1. Right-click the Group Policy Object you want to configure, and then select Edit.
2. In the Group Policy Management Editor, go to Computer Configuration > Administrative templates.
3. Expand the tree to Windows Components > Microsoft Defender Antivirus > MpEngine.
4. Double-click the Select cloud protection level setting, and set it to Enabled.
5. Under Select cloud blocking level, set the level of protection:
   - Default blocking level provides strong detection without increasing the risk of detecting legitimate files.
   - Moderate blocking level provides moderate blocking only for high-confidence detections.
   - High blocking level applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives).
   - High + blocking level applies extra protection measures (might affect client performance and increase your chance of false positives).
   - Zero tolerance blocking level blocks all unknown executables.
Caution
If you're using Resultant Set of Policy with Group Policy (RSOP), and Default blocking level is selected, it can produce misleading results, as a setting with a 0 value is read as disabled by RSOP. You can instead confirm the registry key is present in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine or use GPresult.
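The registry check described in the caution can be scripted so that a configured Default level (0) is not confused with an unconfigured policy. This is an added example, not Microsoft's own code; the value name `MpCloudBlockLevel` and the numeric mapping for the non-default levels are assumptions that do not appear on this page, and `Get-CloudBlockLevelPolicy` is a hypothetical helper name.

```powershell
# Added example: tell "policy not configured" apart from "configured as Default (0)",
# the case the caution says RSOP reports as disabled.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'  # key path from the page
$ValueName = 'MpCloudBlockLevel'  # assumption: the value name is not given on the page

# Assumption: numeric values follow the Set-MpPreference -CloudBlockLevel enumeration.
$LevelNames = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'High +'; 6 = 'Zero tolerance' }

function Get-CloudBlockLevelPolicy {
    param([string]$Key = $PolicyKey, [string]$Name = $ValueName)

    # A missing key and a missing value both mean the policy was never applied.
    if (-not (Test-Path -LiteralPath $Key)) {
        return [pscustomobject]@{ State = 'NotConfigured'; Raw = $null; Level = $null }
    }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ State = 'NotConfigured'; Raw = $null; Level = $null }
    }

    # The value exists, so 0 here is an explicit Default setting, not "disabled".
    $raw = [int]$item.$Name
    $level = if ($LevelNames.ContainsKey($raw)) { $LevelNames[$raw] } else { 'Unknown' }
    [pscustomobject]@{ State = 'Configured'; Raw = $raw; Level = $level }
}

$policy = Get-CloudBlockLevelPolicy
$policy | Format-List

if ($policy.State -eq 'Configured' -and $policy.Raw -eq 0) {
    Write-Output 'Policy is explicitly set to Default (0); RSOP may show this setting as disabled.'
}

# Cross-check against the level the Defender client reports as effective.
$effective = (Get-MpPreference -ErrorAction SilentlyContinue).CloudBlockLevel
if ($policy.State -eq 'Configured' -and $null -ne $effective -and [int]$effective -ne $policy.Raw) {
    Write-Warning "Effective CloudBlockLevel $effective differs from policy value $($policy.Raw)."
}
```

Run it in an elevated PowerShell session on the target device after the Group Policy has refreshed.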