Configure advanced features in Windows Defender ATP

Applies to:

Want to experience Windows Defender ATP? Sign up for a free trial.

Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with.

Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:

Automated investigation

When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see Automated investigations.

Auto-resolve remediated alerts

For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature.


For tenants created prior that version, you'll need to manually turn this feature on from the Advanced features page.


  • The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.
  • If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.

Block file

This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see Block files in your network for more details.

If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.

Show user details

When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:

  • Security operations dashboard
  • Alert queue
  • Machine details page

For more information, see Investigate a user account.

Skype for Business integration

Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.


When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode.

Azure Advanced Threat Protection integration

The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.


You'll need to have the appropriate license to enable this feature.

Enable the Windows Defender ATP integration from the Azure ATP portal

To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.

  1. Login to the Azure portal with a Global Administrator or Security Administrator role.

  2. Click Create a workspace or use your primary workspace.

  3. Toggle the Integration setting to On and click Save.

When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.

Office 365 Threat Intelligence connection

This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.

When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Windows Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.


You'll need to have the appropriate license to enable this feature.

To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see Office 365 Threat Intelligence overview.

Microsoft Threat Experts

This feature is currently on public preview. When you enable this feature, you'll receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it.


This feature will be available with an E5 license for Enterprise Mobility + Security on machines running Windows 10, version 1709 (OS Build 16299.1085 with KB4493441), Windows 10, version 1803 (OS Build 17134.704 with KB4493464), Windows 10, version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions.

Microsoft Cloud App Security

Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.


This feature is available with an E5 license for Enterprise Mobility + Security on machines running Windows 10 version 1809 or later.

Azure Information Protection

Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.

Microsoft Intune connection

This feature is only available if you have an active Microsoft Intune (Intune) license.

When you enable this feature, you'll be able to share Windows Defender ATP device information to Intune and enhance policy enforcement.


You'll need to enable the integration on both Intune and Windows Defender ATP to use this feature.

Preview features

Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.

You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.

Enable advanced features

  1. In the navigation pane, select Preferences setup > Advanced features.
  2. Select the advanced feature you want to configure and toggle the setting between On and Off.
  3. Click Save preferences.