Block at First Sight feature in Windows Defender

The feature uses machine learning technique to identify if the program is malicious or not. If it fails to make a distinction between the genuine or fake product, a copy of the program is sent to Microsoft cloud protection for checking. If Microsoft suspects the program to be malicious, Windows Defender is signaled to block it. The main advantage of this process is that in most cases it has managed to reduce the response time to new malware from hours to seconds. Block at First Sight is enabled by default. It is automatically turned on, so long your Cloud-based protection and Automatic sample submission are enabled. If you wish to confirm  whether Block at First Sight is enabled on individual clients, do the following: Open Settings > Update & Security > Windows Defender.

Make sure that Cloud-based Protection and Automatic sample submission are switched to ‘On’.

Block at First Sight Group Policy setting

Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit. Next, in the Group Policy Management Editor navigate to Computer configuration. Then, click Policies and choose ‘Administrative templates’. Now, expand the tree to Windows components and go to Windows Defender > MAPS and configure the following Group Policies:

Always Prompt  (0)Send safe samples (1)Never Send (Block at First Sight will not function)  (2)Send all samples (3)

Now, in the Group Policy Management Editor, expand the tree to Windows components > Windows Defender > Real-time Protection:

How to disable Block at First Sight feature in Windows Defender

You can disable Block at First Sight with Group Policy. To do so, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit. In the Group Policy Management Editor go to Computer configuration and click Policies and chose Administrative templates. Expand the tree through Windows components > Windows Defender > MAPS. Double-click the Configure the ‘Block at First Sight’ feature setting and set the option to ‘Disabled’.

You may choose to disable the Block at First Sight feature  if you are experiencing latency issues or you want to test the feature’s impact on your network. Block at First Sight is a great feature of Windows Defender Cloud Protection that provides a way to detect and block new malware within seconds. Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer “Running security scan” message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files, says Microsoft.

How do I turn on Block at First Sight?

To turn on the Block at First Sight setting in Windows Security in Windows 11 or Windows 10, you have multiple options, and all of them are mentioned above. It is possible to disable the Block at first sight functionality with the help of Windows Security settings and the Local Group Policy Editor. In the GPEDIT, you need to navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS. Then, you can double-click on the Configure the “Block at First Sight” feature setting and choose the Enabled option.

How do I turn on exceptions in Windows 11/10 Defender?

It is possible to skip a file in Windows Security in Windows 11/10. For that, you need to create an exclusion in the Windows Security app. For your information, you can exclude files, folders, file types, and processes. If you want to turn on exceptions in Windows Security, follow this detailed guide. Wait there are more such settings! This post shows how you can harden Windows Defender protection to the highest levels on Windows 10 v1703 by changing a few Group Policy settings.