Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection

jcaparas|Last Updated: 1/25/2017


4 Contributors

Applies to:

  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 10 Pro
  • Windows 10 Pro Education
  • Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

For more info about Windows 10 Enterprise Edition features and functionality, see Windows 10 Enterprise edition.

Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.

Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft’s robust cloud service:

  • Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system (for example, process, registry, file, and network communications) and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP.
  • Cloud security analytics: Leveraging big-data, machine-learning, and unique Microsoft optics across the Windows ecosystem (such as theMicrosoft Malicious Software Removal Tool, enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation), behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
  • Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data.

The following diagram shows these Windows Defender ATP service components:

Windows Defender ATP service components

Endpoint investigation capabilities in this service let you drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis and receive the results without leaving the Windows Defender ATP portal.

Windows Defender ATP works with existing Windows security technologies on endpoints, such as Windows Defender, AppLocker, and Device Guard. It can also work side-by-side with third-party security solutions and antimalware products.

Windows Defender ATP leverages Microsoft technology and expertise to detect sophisticated cyber-attacks, providing:

  • Behavior-based, cloud-powered, advanced attack detection

    Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.

  • Rich timeline for forensic investigation and mitigation

    Easily investigate the scope of breach or suspected behaviors on any machine through a rich machine timeline. File, URLs, and network connection inventory across the network. Gain additional insight using deep collection and analysis (“detonation”) for any file or URLs.

  • Built in unique threat intelligence knowledge base

    Unparalleled threat optics provides actor details and intent context for every threat intel-based detection – combining first and third-party intelligence sources.

In this section

Topic Description
Minimum requirements This overview topic for IT professionals provides information on the minimum requirements to use Windows Defender ATP such as network and data storage configuration, and endpoint hardware and software requirements, and deployment channels.
Data storage and privacy Learn about how Windows Defender ATP collects and handles information and where data is stored.
Assign user access to the Windows Defender ATP portal Before users can access the portal, they’ll need to be granted specific roles in Azure Active Directory.
Onboard endpoints and set up access You’ll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
Portal overview Understand the main features of the service and how it leverages Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks.
Use the Windows Defender Advanced Threat Protection portal Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
Windows Defender Advanced Threat Protection settings Learn about setting the time zone and configuring the suppression rules to configure the service to your requirements.
Troubleshoot Windows Defender Advanced Threat Protection This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
Review events and errors on endpoints with Event Viewer Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
Windows Defender compatibility Learn about how Windows Defender works in conjunction with Windows Defender ATP.

Windows Defender ATP helps detect sophisticated threats


Windows 10 has continuously increased its security from previous versions, recently stepping up its Windows Defender Advanced Threat Protection (ATP). With it, you can quickly detect and remediate any breaches in your security that the first line of defenses didn’t prevent.

The next large enterprise release of Windows 10 is said to be in April, including a new release of its Windows Defender ATP. This release will include many new features, such as watching for attacks by advanced malware like memory and kernel-level exploits.

Understanding Windows Defender ATP

Windows Defender Advanced Threat Protection is not the same thing as Windows Defender antivirus tools. The antivirus includes assistance with Edge’s downloader to help people avoid downloading infected files, as well as offering Office 365 spam and malware protection. ATP, instead, is focused more on post-attack.

It assists users by attempting to track the attacker directly through your network. Windows Defender Advanced Threat Protection was released to assist enterprise customers “detect, investigate, and respond to advanced and targeted attacks on their networks.”

The newest update builds on many of the pre-existing security features to specifically provide post-breach layers of protection. Attacks are getting more common and sophisticated every day, using social engineering, zero-day vulnerabilities, and more to break into corporate networks.

Because of this, security in this day and age cannot only focus on how to prevent breaches. It also must layer your response system so you will have better detection and repair features after an attack happens.

ATP isn’t focused on stopping attacks from happening. The focus of that will be placed on already provided antimalware software. ATP itself focuses on identifying the attacker, what they did, how it happened, and what could have been compromised from the attack.

This makes Microsoft’s new ATP different from many security tools, and one that’s immensely important. How can you prevent further attacks from getting through your security tools if you can’t exactly see how your security was breached?

Because of the inevitability of being attacked, ATP will hopefully prove itself to be a useful feature. Windows Defender ATP, according to Microsoft, is made up of three different parts: endpoint behavioral sensors, cloud security analytics, and threat intelligence.

Client endpoint behavioral sensor

This is automatically built into Windows 10 and logs any security events that it deems relevant, as well as endpoint behaviors. The endpoint sensors collect and process behaviors signals, such as process, registry, file, and network communications, from the operating system.

After this, they use machine learning to understand signals coming from your device and then transmit the telemetry to your private, isolated, cloud instance of Windows Defender ATP.

This is vital in determining what happened during the attack and exactly how it happened so you can prevent further access to your systems, both from the same attacker who might already be in your system and others who will infiltrate it in the same way in the future.

If ATP can understand what your computer typically looks like, it better knows if it is compromised. The newest version of Windows 10 and ATP will update these sensors to understand and detect even more attacks, such as “in-memory malware, kernel-level attacks, and cross-process code injections.”

To be clear, the sensors supposedly only develop telemetry when you believe you’ve been attacked and use Windows Defender ATP as a response to that breach. Additionally, the information is said to be anonymized when it is shared outside of Microsoft.

If you use ATP as a backup to section off infected areas of your computer, you can much more quickly and simply remove exploits before they spread further, as well as prevent that from happening again.

Additionally, using an uncompromised system in the cloud to isolate and mitigate the suspected breaches is important because attackers are much less likely to see what you do in response to the attack.

Cloud security analytics service

Microsoft combines its wide data repository with processing data from endpoints and historical data so it can better detect “anomalous behaviors, adversary techniques, and similarity to known attacks.” The service uses “a combination of Indicators of Attacks (IOAs), generic analytics and machine learning rules, as well as Indicators of Compromises (IOCs) collected from past attacks.”

ATP is added onto the cloud-based Windows Security Center, so you can manage your whole system security from one portal. You are able to help the ATP machine grow smarter by sharing your own forensic analysis, as well as see security intelligence from Microsoft.

Being able to access every machine to know exactly which computer was compromised and how in any given attack helps to lower the possibility of more negative consequences from a breach in security.

Microsoft is working toward moving more and more to the cloud, including device management. Considering the fact that many businesses are moving toward portable computers and a more remote staff, many machines are no longer located in a stable, defined area. With the move toward cloud-based management, devices can be managed whenever and wherever.

Microsoft and community intelligence

Microsoft uses its own researchers to investigate data, as well as to find new patterns of behavior to correlate given data with existing knowledge.

Helping ATP learn just through your own forensic analysis is not enough to meet the demands today of intense threat detection and prevention. The threat intelligence built into Windows Defender ATP is “generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners.”

With this, ATP is better able to understand and identify tools, techniques, and procedures used by attackers, as well as generate alerts when this suspicious activity is observed in collected telemetry.


Angela Karl

Angela Karl is a professional freelance writer specializing in technology and travel with over six years of experience in the editorial world. When she’s not writing articles, she can be found perfecting her programming language skills and seeing as much of the world as possible.

Be the first to comment

Leave a Reply