
Windows Defender Advanced Threat Protection

jcaparas|Last Updated: 4/13/2017
4 Contributors

Applies to:

  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 10 Pro
  • Windows 10 Pro Education
  • Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

For more info about Windows 10 Enterprise Edition features and functionality, see Windows 10 Enterprise edition.

Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.

For a quick but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703, see Windows Defender ATP for Windows 10 Creators Update.

Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:

  • Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system (for example, process, registry, file, and network communications) and send this sensor data to your private, isolated cloud instance of Windows Defender ATP.

  • Cloud security analytics: Leveraging big data, machine learning, and unique Microsoft optics across the Windows ecosystem (such as the Microsoft Malicious Software Removal Tool), enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation), behavioral signals are translated into insights, detections, and recommended responses to advanced threats.

  • Threat intelligence: Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and to generate alerts when these are observed in collected sensor data.

The following diagram shows these Windows Defender ATP service components:

Windows Defender ATP service components

Endpoint investigation capabilities in this service let you drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis and receive the results without leaving the Windows Defender ATP portal.

Windows Defender ATP works with existing Windows security technologies on endpoints, such as Windows Defender, AppLocker, and Device Guard. It can also work side-by-side with third-party security solutions and antimalware products.

Windows Defender ATP leverages Microsoft technology and expertise to detect sophisticated cyber-attacks, providing:

  • Behavior-based, cloud-powered, advanced attack detection

    Finds the attacks that made it past all other defenses (post-breach detection) and provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.

  • Rich timeline for forensic investigation and mitigation

    Easily investigate the scope of a breach or suspected behaviors on any machine through a rich machine timeline, backed by an inventory of files, URLs, and network connections across the network. Gain additional insight using deep collection and analysis ("detonation") of any file or URL.

  • Built in unique threat intelligence knowledge base

    Unparalleled threat optics provide actor details and intent context for every threat intel-based detection, combining first- and third-party intelligence sources.

In this section

  • Minimum requirements: This overview topic for IT professionals provides information on the minimum requirements to use Windows Defender ATP, such as network and data storage configuration, endpoint hardware and software requirements, and deployment channels.
  • Data storage and privacy: Learn about how Windows Defender ATP collects and handles information and where data is stored.
  • Assign user access to the Windows Defender ATP portal: Before users can access the portal, they'll need to be granted specific roles in Azure Active Directory.
  • Onboard endpoints and set up access: You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and use a configuration package to configure endpoints.
  • Portal overview: Understand the main features of the service and how it leverages Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks.
  • Use the Windows Defender Advanced Threat Protection portal: Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
  • Windows Defender Advanced Threat Protection settings: Learn about setting the time zone and configuring the suppression rules to tailor the service to your requirements.
  • Troubleshoot Windows Defender Advanced Threat Protection: This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
  • Review events and errors on endpoints with Event Viewer: Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
  • Windows Defender compatibility: Learn about how Windows Defender works in conjunction with Windows Defender ATP.

Windows Defender ATP helps detect sophisticated threats

© 2017 Microsoft