What's new in Windows Defender ATP

Applies to:

  • Windows Defender Advanced Threat Protection (Windows Defender ATP)

Here are the new features in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server.

April 2019

In preview

The following capabilities are included in the April 2019 preview release.

  • Threat & Vulnerability Management
    A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.

  • Interoperability
    Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.

March 2019

In preview

The following capability are included in the March 2019 preview release.

February 2019

The following capabilities are generally available (GA).

  • Incidents
    Incident is a new entity in Windows Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats.

  • Onboard previous versions of Windows
    Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor.

In preview

The following capability are included in the February 2019 preview release.

  • Reports
    The threat protection report provides high-level information about alerts generated in your organization.

  • Microsoft Threat Experts
    Microsoft Threat Experts is the new managed threat hunting service in Windows Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.

October 2018

The following capabilities are generally available (GA).

  • Attack surface reduction rules
    All Attack surface reduction rules are now supported on Windows Server 2019.

  • Controlled folder access
    Controlled folder access is now supported on Windows Server 2019.

  • Custom detection
    With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.

  • Integration with Azure Security Center
    Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.

  • Managed security service provider (MSSP) support
    Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.

  • Removable device control
    Windows Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs.

  • Support for iOS and Android devices
    iOS and Android devices are now supported and can be onboarded to the service.

  • Threat analytics
    Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.

  • New in Windows 10 version 1809, there are two new attack surface reduction rules:

    • Block Adobe Reader from creating child processes
    • Block Office communication application from creating child processes.
  • Windows Defender Antivirus

In preview

The following capabilities are included in the October 2018 preview release.

For more information on how to turn on preview features, see Preview features.

  • Information protection
    Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.


    Partially available from Windows 10, version 1809.

  • Integration with Microsoft Cloud App Security
    Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.


    Available from Windows 10, version 1809 or later.

  • Onboard Windows Server 2019
    Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.

  • Power BI reports using Windows Defender ATP data
    Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.

March 2018

  • Advanced Hunting
    Query data using Advanced hunting in Windows Defender ATP.

  • Attack surface reduction rules
    New attack surface reduction rules:

    • Use advanced protection against ransomware
    • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    • Block process creations originating from PSExec and WMI commands
    • Block untrusted and unsigned processes that run from USB
    • Block executable content from email client and webmail
  • Automated investigation and remediation
    Use Automated investigations to investigate and remediate threats.


    Available from Windows 10, version 1803 or later.

  • Conditional access
    Enable conditional access to better protect users, devices, and data.

  • Windows Defender ATP Community center
    The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.

  • Controlled folder access
    You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.

  • Onboard non-Windows machines
    Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network.

  • Role-based access control (RBAC)
    Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal.

  • Windows Defender Antivirus
    Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. For more information, see Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection.

    Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see Enable block at first sight.