Privacy protection is a feature that's included with Microsoft Defender for individuals. This feature encrypts your internet traffic and hides your internet address (IP address) from prying eyes. It gives you 50GB of monthly data limit (per user) to browse the web securely and anonymously. Microsoft Defender helps protect your privacy and security when you are on public Wi-Fi or an untrusted network, where your data and identity could be exposed or stolen. Privacy protection is easy to use, fast, and reliable. You can turn it on and off with a single click, and it'll automatically select the best server for you.

Privacy Protection is  supported on all of the device platforms supported by Microsoft Defender - Windows, macOS, Android and iOS. See availability info for more details

Note: Microsoft doesn't recommend using a personal VPN on devices that are managed by your workplace, including Microsoft Defender VPN. This helps prevent any potential conflicts with policies that are required by your organization.

In this article:

Frequently asked questions

What regions and platforms currently support Privacy protection?

Privacy protection is currently available to Microsoft Defender users with a Microsoft 365 Personal, Family subscription if their Microsoft 365 billing country is in one of the below listed countries

  • US

  • UK

  • Canada

  • Germany

  • France

  • Sweden

  • Spain

  • Italy

  • Japan

  • Australia

  • South Africa

We'll continue to add support for additional countries, so this section will be updated as we add additional regions.

Supported platforms: Windows, macOS, Android and iOS

What is Privacy protection and how will it help me?

Privacy protection is a feature that creates a secure tunnel, also known as a VPN (Virtual Private Network) between your device and our servers, using encryption and authentication protocols. This helps ensure your internet traffic is protected from anyone who might try to intercept, monitor, or modify it. Privacy protection also masks your IP address, which is a unique Internet address/identifier of your device and location and assigns you a new one. This helps prevent websites, advertisers, and trackers from collecting your personal information and browsing habits.

To setup Privacy protection, simply select/tap on to the Privacy protection tile on the Microsoft Defender app and follow the on-screen instructions.

How does Privacy protection work, and can I select my geo location/source?

Privacy protection works by routing your internet traffic through Microsoft servers, which are in different countries around the world. You can turn on privacy protection by selecting the button in your browser or app, and it'll automatically connect you to the server assigned to your region. Our focus is on protecting your connection and privacy when you are on a public/unsecure network. However, you can still enjoy the benefits of changing your IP address to enhance your online security.

Microsoft Defender's VPN uses a custom implementation of the OpenVPN protocol.

Can I select a specific region/geo that I can connect to?

No, privacy protection automatically chooses the best and usually the closest Microsoft VPN server. Privacy protection doesn't allow you to specify regions. Privacy Protection enables you to keep your data private while connecting to unsecured public Wi-Fi and prevents it form being used to bypass geographic and regional-restricted content.

What is the data limit and what happens when I exceed that?

Privacy protection gives a monthly data limit of 50GB per user, which is enough for most users to browse the web securely and anonymously. You can check your data usage in the ‘Privacy Protection’ tile of your Microsoft Defender app. Here, you can see how much data you've left and when your data limit will reset. If you exceed your data limit, you'll still be able to use privacy protection, however, at a reduced speed of 256 Kbps. On the first day of every calendar month, the usage limit is reset to 50GB for that month.

What is traffic exclusion and which applications are excluded and why?

Note: Currently, traffic exclusion is only available on Andorid and iOS.

Traffic exclusion allows privacy protection to exclude certain applications from using its encrypted tunnel or connection. This means that those applications will use your regular internet connection, not the VPN tunnel, while privacy protection is active. Currently, content heavy traffic from reputable sites, such as streaming, social media apps are excluded. The following list shows some of the apps that are currently excluded:

  • Video: YouTube, TikTok, Netflix, Disney+, Amazon Prime

  • Social: Facebook video, Instagram, Snapchat

  • Music: Spotify, YouTube music

  • Messaging: Whatsapp

What data does Microsoft Defender collect with Privacy protection?

Microsoft Defender VPN provides a secure browsing experience. Microsoft doesn't store your browsing data, history, personal details or your device's physical location. Microsoft does, however, capture a minimum set of service data. This data is collected from your device, anonymized, and sent to Microsoft so we can continuously improve our service.

This anonymized service data contains service details such as the following:

  • Duration for when the VPN is in use

  • VPN bandwidth utilized

  • Wi-Fi hotspot names that are detected as malicious to enhance our threat research (if user consent was provided)

Why does Microsoft Defender need the 'Location' permission on Android?

Microsoft Defender needs the Location permission on Android to detect unsecure Wi-Fi networks that your device might connect to and notify you with action that you can take, such as turning on the Microsoft Defender VPN to encrypt your device's internet traffic for additional safety when on unsecure Wi-Fi. We don't see or store your device's physical location.

Safer public Wi-Fi with Microsoft Defender

What are the risks associated with public Wi-Fi?

Public Wi-Fi is convenient but might not necessarily be secure. Some Wi-Fi hotspots might be configured with weaker encryption or with no authentication. This allows attackers to potentially snoop into your personal data when connected to these Wi-Fi networks. Here are a few attack techniques that could compromise your privacy and security when on unsecure Wi-Fi.

a. Evil Twin attack

Hackers could setup up a router in your vicinity with the same hotspot name as popular coffee shops or public places that offer free Wi-Fi. Your phone automatically connects to it because you’ve previously connected to it.

b. Man-in-the-middle (MiTM)

Cyber-criminals might set up ‘Free' Wi-Fi hotspots that trick you into connecting to them and they might be able to entice you to enter your personal or login info on what might appear as a popular legit site, but is actually a malicious version put up by the hacker. Hackers might also exploit vulnerabilities in a legit public Wi-Fi network to their advantage, leaving your personal data vulnerable.

How does Privacy protection help you with a safer public Wi-Fi experience?

When you connect to a Wi-Fi network, Microsoft Defender silently scans the connected Wi-Fi to determine if it's secure. If it is not, you'll receive a notification with on-screen guidance recommending that you turn on the Defender VPN. This can be done quickly and easily.

With Microsoft Defender VPN turned on, traffic is encrypted from your device through the connected Wi-Fi thereby providing a safer online experience.

Note: Wired networks aren't scanned by Microsoft Defender and only Wi-Fi networks are scanned.

How can I setup a Safer Wi-Fi experience on my Microsoft Defender app?

Safer Wi-Fi is a part of the Privacy protection feature on Microsoft Defender for individuals. Privacy protection (VPN) is available in select countries. Find out which regions currently offer privacy protection.

See the following instructions on how you can turn on Privacy protection (VPN) for your Defender protected devices.

  1. Open Microsoft Defender on your device. Select the system tray on the leftmost side of the task bar.

  2. Check for the Privacy protection tile in the Microsoft Defender Windows app. If you can see it, then the Wi-Fi scanning feature is turned on by default.

  3. Go to Settings and select Privacy & Security > Privacy protection.

  4. Ensure Safer Wi-Fi is turned on. You can verify this by ensuring that the Safer Wi-Fi toggle is set to 'on.'

This feature is not yet available for macOS, but will be coming soon. 

  1. Open Microsoft Defender on your Android device.

  2. Check for the Privacy protection. If you see the Privacy protection card, tap it and follow the instructions on the screen to complete onboarding.

  3. Tap the Safer Wi-Fi tab and follow the on screen instructions to complete the Safer Wi-Fi onboarding.

    Note:  Location permission is required for the Wi-Fi scanning functionality to work.  Microsoft Defender doesn't collect your location details and only the Android permission is required to scan Wi-Fi networks that you connect to.

  4. Ensure Safer Wi-Fi is turned on. You can verify this by ensuring that the Safer Wi-Fi toggle is set to 'on.'

  1. Open Microsoft Defender on your iOS device.

  2. Check for the Privacy protection tile. If you see the Privacy protection card, tap it and follow the instructions on the screen to onboard.

  3. Go to the Safer Wi-Fi tab and verify the Safer Wi-Fi toggle is set to 'on.' Safer Wi-Fi should be turned on by default.

Why did Microsoft Defender describe a Wi-Fi hotspot as unsafe?

Un-secured Wi-Fi detection

Microsoft Defender examines the Wi-Fi network that is connected to your device on parameters including but not limited to such as encryption type, before notifying you of its un-secure status. If you received an unsecured Wi-Fi notification from Microsoft Defender, it's recommended to turn on Microsoft Defender VPN by engaging with the notification and following on-screen instructions.

Wi-Fi networks that require you to sign in through a captive portal (such as a hotel/airport Wi-Fi) could also be flagged by Microsoft Defender as they don't require you to authenticate (such as requiring a password) before connecting to them and can't be assumed to be secure.

Unsafe Wi-Fi detection

Microsoft Defender might detect a Wi-Fi network as unsafe if the Wi-Fi's characteristics match one or more of the detection heuristics that Microsoft Defender uses to scan Wi-Fi networks. These heuristics indicate that there is a likelihood of malicious activity occurring on that Wi-Fi network. If you see such a detection, we recommend to turn on Microsoft Defender VPN to encrypt traffic from your device for added safety.

Note: Microsoft Defender for Windows and macOS supports unsecure Wi-Fi detection but doesn't currently support unsafe Wi-Fi detection. This capability is coming soon to both Windows and macOS.

What does Trust this network help with?

Microsoft Defender allows you to trust a Wi-Fi network that it flagged using the Trust this network option if you want to override its detection. While it is not recommended to connect to an unsecure Wi-Fi without a VPN, this capability allows you to trust a Wi-Fi network that was flagged by Microsoft Defender at your own risk. Microsoft Defender will not notify you about such Wi-Fi networks if they are in the trusted list.

When your device(s) is connected to a Wi-Fi network in your trusted list, traffic from that device won't go through Microsoft Defender VPN.

Facebook LinkedIn Email

Need more help?

Want more options?

Discover Community

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders