Definition

Microsoft Defender for Endpoint (formerly Windows Defender ATP)

By

Alexander S. Gillis, Technical Writer and Editor
Brien Posey

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint -- formerly Microsoft Defender Advanced Threat Protection or Windows Defender ATP -- is an endpoint security platform designed to help enterprise-class organizations prevent, detect and respond to security threats.

Defender for Endpoint can help an organization respond to potential threats, such as malware or ransomware, using tools built into Windows 10 and Azure services. These tools provide automated investigation, preventative and post-breach security detection and response features.

Defender for Endpoint was previously known as Microsoft Defender Advanced Threat Protection but was rebranded in 2019 along with other products under the Defender brand.

Chart of 12 cyber attacks. — Malware and ransomware are just two types of security threat.

Features and capabilities

Microsoft Defender for Endpoint offers the following security features and capabilities:

Threat and vulnerability management. A software inventory is performed on endpoints in real time. This information is used to detect, prioritize and mitigate security vulnerabilities related to installed applications and missing patches.
Attack surface reduction. The overall attack surface of a system is reduced through hardware isolation and application control. Application audit data is monitored and exclusions are added for necessary applications. Attack surface reduction rules are also employed.
Next-generation protection. Defender for Endpoint performs continuous scans to detect and block threats. This feature uses Microsoft Defender Antivirus, as well as behavior-based antivirus protection and cloud-delivered protection.
Endpoint detection and response. Defender for Endpoint groups related attacks into incidents. This type of aggregation helps security professionals prioritize, investigate and respond to threats.
Automated investigation and remediation. If left unchecked, network endpoints can generate an overwhelming number of security alerts. The Automated Investigations feature examines and resolves alerts, allowing security professionals to focus on other tasks.
Secure score. Defender for Endpoint uses a security score to rate the current security configuration. This score is based on categories including application, operating system, network, accounts and security controls.
Endpoint Attack. Previously Microsoft Threat Experts -- Targeted Attack Notification, Endpoint Attack is a managed hunting service that detects and prioritizes attacks, including keylogger or cyber attacks.
Management and APIs. A collection of APIs integrate Defender for Endpoint into an organization's workflow.
Shared data. Defender for Endpoint shares data with other Microsoft products, including Azure Active Directory Identity Protection, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps and Microsoft Defender for Identity.
Endpoint behavioral sensors. These sensors collect and process behaviors from Windows 10.
Support for platforms. Defender for Endpoint offers security services for Windows, Linux, macOS, iOS and Android operating systems.

Defender for Endpoint plans

Windows Defender for Endpoint offers two main plans -- Plan 1 (P1) and Plan 2 (P2). P1 is a base version and P2 offers everything that P1 offers but adds several features.

P1 offers the following features:

APIs, security information and event management connector.
Application control.
Controlled folder access.
Device-based conditional access.
Device control such as USB.
Endpoint firewall.
Network protection.
Next-generation antimalware.
Unified security tools with centralized management.
Web control and categorized URL blocking.

P2 includes all previously mentioned features, plus the following:

Automated investigation and remediation.
Defender Vulnerability Management capabilities.
Endpoint detection and response.
Sandbox.
Threat intelligence through analytics.

Defender for Endpoint also offers a standalone Defender for Business version. This version comes with threat and vulnerability management features, attack surface reduction, endpoint detection and response, and automated investigation and response. However, it has limited web content filtering and cross-platform support features.

Microsoft Defender for Business is available as a standalone user subscription for small and medium-sized businesses or as part of Microsoft 365 Business Premium.

Microsoft Defender for Endpoint P1 is available as a standalone subscription license for commercial and education customers. It's also included as part of certain Microsoft 365 plans.

Microsoft Defender for Endpoint P2 is also available as a standalone license or as part of certain versions of Windows 10 and 11 Enterprise and certain versions of Microsoft 365.

Microsoft offers a free trial of both P1 and P2 versions of Microsoft Defender for Endpoint.

Additional integrations

Windows Defender for Endpoint can be integrated with other Microsoft software, including the following:

Azure Information Protection.
Conditional Access.
Microsoft Intune.
Microsoft Defender for Cloud.
Microsoft Defender for Cloud Apps.
Microsoft Defender for Identity.
Microsoft Defender for Office.
Microsoft Sentinel.
Skype for Business.

Strengths and weaknesses

One of Microsoft Defender for Endpoint's biggest strengths is its feature list. It can also create a graphical attack timeline using data related to a given attack. The tool is also compatible with other operating systems, including Windows, Linux, macOS, iOS and Android.

But Microsoft's implementation of Defender for Endpoint also has some weaknesses. For example, the product automatically disables other antimalware and endpoint detection and response software present on an endpoint. This means that depending on the configuration, installing Defender for Endpoint can weaken an organization's security posture if it has previously installed security tools.

Outside of Windows environments, Defender for Endpoint can be challenging to deploy, such as on older macOS devices. Likewise, Linux systems might experience high memory usage for endpoint agents.

Cybercriminals have several ways they can spread malware. Learn how archive files using ZIP and RAR formats have become the most popular way to distribute malware to end users' machines.

This was last updated in April 2023

Continue Reading About Microsoft Defender for Endpoint (formerly Windows Defender ATP)

EDR tools for Windows Server compared

Microsoft Defender ATP taps into cloud for added protection

What are some features in Microsoft Defender ATP?

What's the deal with Microsoft Defender for Android and iOS?

Microsoft extends Defender umbrella to Google Cloud Platform

Dig Deeper on Application and platform security

Networking

Best practices for network automation with Python
Python libraries, version control, documentation and object-oriented programming provide helpful best practices for network ...
How low Earth orbit satellite networks improve internet access
Compared to traditional satellite setups, LEO satellite internet provides several benefits, such as low latency, reduced costs ...
Cisco makes big splash with Splunk
The integration of Cisco and Splunk could result in a full-stack offering that provides comprehensive visibility across ...

CIO

U.S. antitrust case against Amazon not a clear win
The FTC is looking to make an antitrust case against Amazon for using anticompetitive strategies to harm both sellers and ...
U.S. government shutdown would crush CHIPS Act momentum
A U.S. government shutdown would significantly impact implementation of the CHIPS and Science Act of 2022 as federal workers ...
6 alternatives to blockchain for businesses to consider
Technologies like cloud storage and distributed databases provide some of blockchain's data-integrity and reliability advantages ...

Enterprise Desktop

Using the Intune management extension for PowerShell scripts
Intune and PowerShell have a lot of unique management actions they can take, but with the help of the Intune management extension...
Intel promotes new computing era with AI PC
Intel says its upcoming Core Ultra will help lead personal computing to the AI PC era by making AI processing a mainstream task ...
4 ways that I use generative AI as an analyst
Many use cases for generative AI involve projecting to the future and aren't currently easy to use. However, these four use cases...

Cloud Computing

5 Azure Functions logging best practices
Implement these Azure Functions best practices to improve logging strategies, optimize application performance and ensure ...
Factor performance into an application modernization strategy
Dev teams increasingly use cloud, containers and microservices to modernize apps, but these technologies bring little value ...
What does a cloud network engineer do?
A cloud network engineer juggles a number of responsibilities -- from network design and troubleshooting to learning about ...

ComputerWeekly.com

Strasbourg court condemns Turkey for jailing teacher for using ByLock encrypted messaging app
The case is expected to have implications for the use of digital evidence in prosecutions against users of other encrypted phone ...
IoT seeks 5G Advanced possibilities with world’s first ambient IoT visibility platform
Internet of things specialist Wiliot enhances core ambient platform to include real-time humidity sensing – along with ...
US lawmakers write to AI firms about ‘gruelling’ work conditions
Lawmakers have written to nine tech companies – including Amazon, Google and Microsoft – about the working conditions of those ...

Close