Minimum requirements for Microsoft Defender ATP

Applies to:

There are some minimum requirements for onboarding machines to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.

Want to experience Microsoft Defender ATP? Sign up for a free trial.


Licensing requirements

Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:

  • Windows 10 Enterprise E5
  • Windows 10 Education A5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
  • Microsoft 365 E5 Security
  • Microsoft 365 A5 (M365 A5)

For detailed licensing information, see the Product terms page and work with your account team to learn the detailed terms and conditions for the product.

For more information on the array of features in Windows 10 editions, see Compare Windows 10 editions.

For a detailed comparison table of Windows 10 commercial edition comparison, see the comparison PDF.

For more information about licensing requirements for Microsoft Defender ATP platform on Windows Server, see Protecting Windows Servers with Microsoft Defender ATP.

Browser requirements

Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:

  • Microsoft Edge
  • Internet Explorer version 11
  • Google Chrome


While other browsers might work, the mentioned browsers are the ones supported.

Hardware and software requirements

Supported Windows versions

  • Windows 7 SP1 Enterprise
  • Windows 7 SP1 Pro
  • Windows 8.1 Enterprise
  • Windows 8.1 Pro
  • Windows 10, version 1607 or later
  • Windows server
    • Windows Server 2008 R2 SP1
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server, version 1803 or later
    • Windows Server 2019

Machines on your network must be running one of these editions.

The hardware requirements for Microsoft Defender ATP on machines is the same as those for the supported editions.


Machines running mobile versions of Windows are not supported.

Other supported operating systems

  • macOSX
  • Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)


You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.

Also note that Microsoft Defender ATP is currently only available in the Public Preview Edition for Linux.

Network and data storage and configuration requirements

When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.


Diagnostic data settings


Microsoft Defender ATP doesn't require any specific diagnostic level as long as it's enabled.

You must ensure that the diagnostic data service is enabled on all the machines in your organization. By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.

Use the command line to check the Windows 10 diagnostic data service startup type:

  1. Open an elevated command-line prompt on the machine:

    a. Go to Start and type cmd.

    b. Right-click Command prompt and select Run as administrator.

  2. Enter the following command, and press Enter:

    sc qc diagtrack

    If the service is enabled, then the result should look like the following screenshot:

    Result of the sc query command for diagtrack

If the START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.

Use the command line to set the Windows 10 diagnostic data service to automatically start:

  1. Open an elevated command-line prompt on the endpoint:

    a. Go to Start and type cmd.

    b. Right-click Command prompt and select Run as administrator.

  2. Enter the following command, and press Enter:

    sc config diagtrack start=auto
  3. A success message is displayed. Verify the change by entering the following command, and press Enter:

    sc qc diagtrack

Internet connectivity

Internet connectivity on machines is required either directly or through proxy.

The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.

For more information on additional proxy configuration settings, see Configure machine proxy and Internet connectivity settings.

Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.

Microsoft Defender Antivirus configuration requirement

The Microsoft Defender ATP agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them.

You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see Manage Microsoft Defender Antivirus updates and apply baselines.

When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode. If your organization has disabled Microsoft Defender Antivirus through group policy or other methods, machines that are onboarded to Microsoft Defender ATP must be excluded from this group policy.

If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see Onboard servers.


Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on.

For more information, see Microsoft Defender Antivirus compatibility.

Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled

If you're running Microsoft Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard.

If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see Ensure that Microsoft Defender Antivirus is not disabled by policy.