Windows Defender Advanced Threat Protection

Applies to:

  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 10 Pro
  • Windows 10 Pro Education
  • Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

For more info about Windows 10 Enterprise Edition features and functionality, see Windows 10 Enterprise edition.

Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.

For a quick but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703, see Windows Defender ATP for Windows 10 Creators Update.

Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:

  • Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system (for example, process, registry, file, and network communication events) and send this sensor data to your private, isolated cloud instance of Windows Defender ATP.

  • Cloud security analytics: Leveraging big data, machine learning, and unique Microsoft optics across the Windows ecosystem (such as the Microsoft Malicious Software Removal Tool), enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation), behavioral signals are translated into insights, detections, and recommended responses to advanced threats.

  • Threat intelligence: Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and to generate alerts when these are observed in collected sensor data.

The following diagram shows these Windows Defender ATP service components:

[Diagram: Windows Defender ATP service components]

Endpoint investigation capabilities in this service let you drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis and receive the results without leaving the Windows Defender ATP portal.

Windows Defender ATP works with existing Windows security technologies on endpoints, such as Windows Defender Antivirus, AppLocker, and Windows Defender Device Guard. It can also work side-by-side with third-party security solutions and antimalware products.

Windows Defender ATP leverages Microsoft technology and expertise to detect sophisticated cyber-attacks, providing:

  • Behavior-based, cloud-powered, advanced attack detection

    Finds the attacks that made it past all other defenses (post-breach detection) and provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.

  • Rich timeline for forensic investigation and mitigation

    Easily investigate the scope of a breach or suspected behaviors on any machine through a rich machine timeline. Files, URLs, and network connections are inventoried across the network. Gain additional insight using deep collection and analysis ("detonation") for any file or URL.

  • Built-in unique threat intelligence knowledge base

    Unparalleled threat optics provide actor details and intent context for every threat intelligence-based detection, combining first- and third-party intelligence sources.

In this section

  • Minimum requirements: This overview topic for IT professionals describes the minimum requirements to use Windows Defender ATP, such as network and data storage configuration, endpoint hardware and software requirements, and deployment channels.
  • Preview features: Learn about new features in the Windows Defender ATP preview release and how to enable the preview experience.
  • Data storage and privacy: Learn how Windows Defender ATP collects and handles information and where data is stored.
  • Assign user access to the Windows Defender ATP portal: Before users can access the portal, they need to be granted specific roles in Azure Active Directory.
  • Onboard endpoints and set up access: You need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn how to assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and how to use a configuration package to configure endpoints.
  • Portal overview: Understand the main features of the service and how it leverages Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks.
  • Use the Windows Defender Advanced Threat Protection portal: Learn about the capabilities of Windows Defender ATP that help you investigate alerts that might be indicators of possible breaches in your enterprise.
  • Pull alerts to your SIEM tools: Learn about pulling alerts from the Windows Defender ATP portal using supported security information and event management (SIEM) tools.
  • Use the threat intelligence API to create custom alerts: Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can create custom threat intelligence alerts that are specific to your organization.
  • Use the Windows Defender ATP exposed APIs: Windows Defender ATP exposes much of its available data and actions through a set of programmatic APIs that are part of the Microsoft Intelligent Security Graph. These APIs let you automate workflows and build on Windows Defender ATP capabilities.
  • Create and build Power BI reports using Windows Defender ATP data: Understand the security status of your organization, including the status of machines, alerts, and investigations, using the Windows Defender ATP reporting feature that integrates with Power BI.
  • Check sensor state: Check the sensor health state on endpoints to verify that they are providing sensor data and communicating with the Windows Defender ATP service.
  • Configure Windows Defender ATP preferences settings: Use the Preferences setup menu to modify general settings and advanced features, enable the preview experience, and configure email notifications and the custom threat intelligence feature.
  • Access the Windows Defender ATP Community Center: The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
  • Windows Defender ATP settings: Configure time zone settings and view license information.
  • Windows Defender ATP service health: Verify whether the service is running properly or if there are current issues.
  • Troubleshoot Windows Defender Advanced Threat Protection: This topic contains information to help IT pros find workarounds for known issues and troubleshoot issues in Windows Defender ATP.
  • Review events and errors on endpoints with Event Viewer: Review events and errors associated with event IDs to determine whether further troubleshooting steps are required.
  • Windows Defender Antivirus compatibility with Windows Defender ATP: Learn how Windows Defender Antivirus works in conjunction with Windows Defender ATP.

Windows Defender ATP helps detect sophisticated threats