Minimum requirements for Windows Defender ATP

Applies to:

  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 10 Pro
  • Windows 10 Pro Education
  • Windows Defender Advanced Threat Protection (Windows Defender ATP)

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

There are some minimum requirements for onboarding machines to the service.

Want to experience Windows Defender ATP? Sign up for a free trial.

Minimum requirements

You must be on Windows 10, version 1607 at a minimum. For more information, see Windows 10 Enterprise edition.

Licensing requirements

Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:

  • Windows 10 Enterprise E5
  • Windows 10 Education E5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5

For more information, see Windows 10 Licensing.

Network and data storage and configuration requirements

When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter.

Note

Hardware and software requirements

The Windows Defender ATP agent only supports the following editions of Windows 10:

  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 10 Pro
  • Windows 10 Pro Education

Machines on your network must be running one of these editions.

The hardware requirements for Windows Defender ATP on machines is the same as those for the supported editions.

Note

Machines that are running mobile versions of Windows are not supported.

Internet connectivity

Internet connectivity on machines is required either directly or through proxy.

The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data.

For more information on additional proxy configuration settings see, Configure machine proxy and Internet connectivity settings .

Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.

Diagnostic data settings

You must ensure that the diagnostic data service is enabled on all the machines in your organization. By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.

Use the command line to check the Windows 10 diagnostic data service startup type:

  1. Open an elevated command-line prompt on the machine:

    a. Go to Start and type cmd.

    b. Right-click Command prompt and select Run as administrator.

  2. Enter the following command, and press Enter:

    sc qc diagtrack
    

If the service is enabled, then the result should look like the following screenshot:

Result of the sc query command for diagtrack

If the START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.

Use the command line to set the Windows 10 diagnostic data service to automatically start:

  1. Open an elevated command-line prompt on the endpoint:

    a. Go to Start and type cmd.

    b. Right-click Command prompt and select Run as administrator.

  2. Enter the following command, and press Enter:

    sc config diagtrack start=auto
    
  3. A success message is displayed. Verify the change by entering the following command, and press Enter:

    sc qc diagtrack
    

Windows Defender Antivirus signature updates are configured

The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.

You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see Manage Windows Defender Antivirus updates and apply baselines.

When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.

Depending on the server version you're onboarding, you might need to configure a Group Policy setting to run on passive mode. For more information, see Onboard servers.

For more information, see Windows Defender Antivirus compatibility.

Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled

If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Windows Defender ATP agent will successfully onboard.

If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see Ensure that Windows Defender Antivirus is not disabled by policy.

Want to experience Windows Defender ATP? Sign up for a free trial.