This content is part of the Essential Guide: The complete guide to Windows 10 security tools

Essential Guide

Browse Sections

Guard the line with Windows Defender features

The Windows 10 Fall Creators Update took Windows 10 security up a notch by adding advanced features to Windows Defender, including Application Guard and Exploit Guard.

Windows Defender features more than antimalware protection. For enterprise users, it includes a host of advanced features, including Advanced Threat Protection, Exploit Guard and Application Guard.

The Windows 10 Fall Creators Update ushered in a wave of Windows Defender features that ratchet up the protection built into Windows 10. It also added data and network protection.

Each of the Windows Defender features strengthens security in a different way. Windows Defender Advanced Threat Protection (ATP) helps with threat detection and intelligence. Windows Defender Exploit Guard targets intrusion protection, and Windows Defender Application Guard helps ensure safe browsing.

Windows Defender ATP

Windows Defender ATP is an agentless, behavior-based service built into Windows 10 that detects advanced threats and enables IT to more quickly pinpoint attacks that make their way onto the network.

Are you aware of the latest Windows OS security measures?

Windows 10 combines the old and the new with security. Lock down a good grade in this quiz covering Windows security, including how to use two-factor authentication.

Sensors in Windows Defender ATP gather behavioral data from computers and other endpoints. It stores the data in a Microsoft Azure cloud and backs it with a threat intelligence team. Much like its competitors, such as McAfee Dynamic Endpoint Threat Defense and Symantec Advanced Threat Protection, Windows Defender ATP offers centralized management, with dashboards that offer easy-to-read alerts, health and status updates, end-to-end views of the deployment, and recommendations for fixing security issues.

Windows Defender interface
Windows Defender interface

Administrators can use the Windows Defender ATP portal to connect Windows 10 endpoints to the Windows Defender ATP service and to manage security. Don't confuse this portal with the Windows Defender Security Center, a Windows 10 app that gives IT access to settings for virus and threat protection, firewall, and other protection systems running on the endpoint.

Windows Defender ATP provides a detailed machine timeline that includes websites users visited and files they accessed. The timeline continuously updates for each endpoint. The information can prove highly valuable when IT investigates how a breach occurred in the first place and how to prevent more breaches in the future. Administrators can also submit suspect files to the threat intelligence team for further analysis.

Windows Defender ATP
A look at Windows Defender ATP's main portal

Windows Defender ATP works with Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education and Windows 10 Pro Education, as well as Microsoft Office, Azure and other Microsoft products.

Windows Defender Exploit Guard

Another of the Windows Defender features is Exploit Guard, which provides intrusion protection for Windows 10 by protecting apps, using rules to reduce their attack surfaces, protecting networks from malware and controlling folder access to prevent changes by malicious software. Microsoft suggests running Exploit Guard along with Windows Defender ATP, which provides detailed reports on Exploit Guard events.

IT professionals familiar with the Enhanced Mitigation Experience Toolkit (EMET) -- which is scheduled to retire on July 31, 2018 -- will notice many of the same features in Exploit Guard. To make the transition from EMET to Exploit Guard pain free, IT pros can use EMET configuration profiles in Exploit Guard after they perform a quick conversion step. They can also run Exploit Guard in audit mode to test drive this feature without affecting their production environment.

Exploit Guard
Set rules to reduce attack surface with Exploit Guard.

IT pros manage Exploit Guard settings and generate event reports through the Windows Defender Security Center app or PowerShell on individual computers. Alternatively, they can use Group Policy in a multiple computer deployment.

Windows Defender Application Guard

Windows Defender Application Guard isolates browsing sessions in Microsoft Edge and Internet Explorer from services, apps, user credentials, network connections, the Windows kernel and more. If a user encounters malware or some other malicious content while browsing websites, Application Guard prevents it from spreading to the user's PC or the company's network.

Application Guard
How Application Guard isolates Microsoft Edge

Working in whitelist fashion, an administrator first defines trusted sites and networks. Afterward, untrusted sites users visit are isolated within a virtual container, effectively protecting all computing assets.

Application Guard is geared toward enterprise desktops and mobile laptops, as well as BYOD mobile laptops.

Application Guard is geared toward enterprise desktops and mobile laptops, as well as BYOD mobile laptops. IT can use System Center Configuration Manager or Microsoft Intune to configure and manage enterprise devices and Microsoft Intune for BYOD devices.

IT pros can install Application Guard through the Control Panel, with PowerShell tools or with mobile device management, but they must decide ahead of time whether to run it in stand-alone or enterprise-managed mode. Stand-alone mode doesn't require administrator assistance, whereas enterprise mode involves creating a list of trusted domains and further customization.

Dig Deeper on Desktop management

Virtual Desktop