Definition

Microsoft Defender for Endpoint (formerly Windows Defender ATP)

By

Alexander S. Gillis, Technical Writer and Editor
Brien Posey

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint -- formerly Microsoft Defender Advanced Threat Protection or Windows Defender ATP -- is an endpoint security platform designed to help enterprise-class organizations prevent, detect and respond to security threats.

Defender for Endpoint can help an organization respond to potential threats, such as malware or ransomware, using tools built into Windows 10 and Azure services. These tools provide automated investigation, preventative and post-breach security detection and response features.

Defender for Endpoint was previously known as Microsoft Defender Advanced Threat Protection but was rebranded in 2019 along with other products under the Defender brand.

Chart of 12 cyber attacks. — Malware and ransomware are just two types of security threat.

Features and capabilities

Microsoft Defender for Endpoint offers the following security features and capabilities:

Threat and vulnerability management. A software inventory is performed on endpoints in real time. This information is used to detect, prioritize and mitigate security vulnerabilities related to installed applications and missing patches.
Attack surface reduction. The overall attack surface of a system is reduced through hardware isolation and application control. Application audit data is monitored and exclusions are added for necessary applications. Attack surface reduction rules are also employed.
Next-generation protection. Defender for Endpoint performs continuous scans to detect and block threats. This feature uses Microsoft Defender Antivirus, as well as behavior-based antivirus protection and cloud-delivered protection.
Endpoint detection and response. Defender for Endpoint groups related attacks into incidents. This type of aggregation helps security professionals prioritize, investigate and respond to threats.
Automated investigation and remediation. If left unchecked, network endpoints can generate an overwhelming number of security alerts. The Automated Investigations feature examines and resolves alerts, allowing security professionals to focus on other tasks.
Secure score. Defender for Endpoint uses a security score to rate the current security configuration. This score is based on categories including application, operating system, network, accounts and security controls.
Endpoint Attack. Previously Microsoft Threat Experts -- Targeted Attack Notification, Endpoint Attack is a managed hunting service that detects and prioritizes attacks, including keylogger or cyber attacks.
Management and APIs. A collection of APIs integrate Defender for Endpoint into an organization's workflow.
Shared data. Defender for Endpoint shares data with other Microsoft products, including Azure Active Directory Identity Protection, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps and Microsoft Defender for Identity.
Endpoint behavioral sensors. These sensors collect and process behaviors from Windows 10.
Support for platforms. Defender for Endpoint offers security services for Windows, Linux, macOS, iOS and Android operating systems.

Defender for Endpoint plans

Windows Defender for Endpoint offers two main plans -- Plan 1 (P1) and Plan 2 (P2). P1 is a base version and P2 offers everything that P1 offers but adds several features.

P1 offers the following features:

APIs, security information and event management connector.
Application control.
Controlled folder access.
Device-based conditional access.
Device control such as USB.
Endpoint firewall.
Network protection.
Next-generation antimalware.
Unified security tools with centralized management.
Web control and categorized URL blocking.

P2 includes all previously mentioned features, plus the following:

Automated investigation and remediation.
Defender Vulnerability Management capabilities.
Endpoint detection and response.
Sandbox.
Threat intelligence through analytics.

Defender for Endpoint also offers a standalone Defender for Business version. This version comes with threat and vulnerability management features, attack surface reduction, endpoint detection and response, and automated investigation and response. However, it has limited web content filtering and cross-platform support features.

Microsoft Defender for Business is available as a standalone user subscription for small and medium-sized businesses or as part of Microsoft 365 Business Premium.

Microsoft Defender for Endpoint P1 is available as a standalone subscription license for commercial and education customers. It's also included as part of certain Microsoft 365 plans.

Microsoft Defender for Endpoint P2 is also available as a standalone license or as part of certain versions of Windows 10 and 11 Enterprise and certain versions of Microsoft 365.

Microsoft offers a free trial of both P1 and P2 versions of Microsoft Defender for Endpoint.

Additional integrations

Windows Defender for Endpoint can be integrated with other Microsoft software, including the following:

Azure Information Protection.
Conditional Access.
Microsoft Intune.
Microsoft Defender for Cloud.
Microsoft Defender for Cloud Apps.
Microsoft Defender for Identity.
Microsoft Defender for Office.
Microsoft Sentinel.
Skype for Business.

Strengths and weaknesses

One of Microsoft Defender for Endpoint's biggest strengths is its feature list. It can also create a graphical attack timeline using data related to a given attack. The tool is also compatible with other operating systems, including Windows, Linux, macOS, iOS and Android.

But Microsoft's implementation of Defender for Endpoint also has some weaknesses. For example, the product automatically disables other antimalware and endpoint detection and response software present on an endpoint. This means that depending on the configuration, installing Defender for Endpoint can weaken an organization's security posture if it has previously installed security tools.

Outside of Windows environments, Defender for Endpoint can be challenging to deploy, such as on older macOS devices. Likewise, Linux systems might experience high memory usage for endpoint agents.

Cybercriminals have several ways they can spread malware. Learn how archive files using ZIP and RAR formats have become the most popular way to distribute malware to end users' machines.

This was last updated in April 2023

Continue Reading About Microsoft Defender for Endpoint (formerly Windows Defender ATP)

EDR tools for Windows Server compared

Microsoft Defender ATP taps into cloud for added protection

What are some features in Microsoft Defender ATP?

What's the deal with Microsoft Defender for Android and iOS?

Microsoft extends Defender umbrella to Google Cloud Platform

Dig Deeper on Application and platform security

Search Networking

How AIOps enables next-generation networking
As networks grow more complex, management becomes more difficult. AIOps can help network administrators transition to and manage ...
BGP routing: A configuration and troubleshooting tutorial
BGP is the internet's core routing protocol, enabling communication between ISPs and large networks. This guide covers its ...
Cisco Live 2025 conference coverage and analysis
Cisco Live 2025 will largely focus on the need to modernize infrastructure with AI capabilities. Use this guide to follow along ...

Search CIO

Proposed U.S. budget cuts raise fears about tech innovation
President Donald Trump's proposed FY 2026 budget slashes funding for federal agencies, including NSF and NIST, which support tech...
RIT showcase offers glimpse of early tech innovation cycle
Connected vehicle security, AI and 3D printing were among the technologies featured at Imagine RIT, an annual exhibition focusing...
Contempt order worsens Apple's antitrust woes
A federal judge found Apple to be in contempt of an injunction ordering the company to make access to alternative payment options...

Search Enterprise Desktop

How to create a custom Windows 11 image with Hyper-V
When administrators can deploy Windows systems in many ways, creating a custom VM with Hyper-V enables them to efficiently deploy...
End users can code with AI, but IT must be wary
The scale and speed of generative AI coding -- known as vibe coding -- are powerful, but users might be misapplying this ...
10 troubleshooting steps for when Windows Update is frozen
When a Windows desktop is frozen and can't update, there could be many causes. The troubleshooting process can be complicated, ...

Search Cloud Computing

Get started with Amazon Q Developer
Amazon Q Developer is a versatile tool for software development, offering code generation, optimization recommendations and ...
HPE adds Morpheus Data to KVM hypervisor for enterprises
A KVM hypervisor by Hewlett-Packard Enterprise evolves with technology and capabilities from Morpheus Data, an HPE acquisition, ...
Gain insights with Enhanced Monitoring in Amazon RDS
RDS Enhanced Monitoring provides teams with additional data visibility to improve database scalability, performance, availability...

ComputerWeekly.com

Connectivity kicks in for Sunderland at the Stadium of Light
Sunderland AFC enhances high-demand density connectivity coverage, capacity and performance across stadium involving leading ...
Chinese cyber spooks lure laid-off US government workers
A Washington DC-based think tank has published evidence that Chinese intelligence services have been running a network of digital...
Trump visit bolsters Saudi AI
A new AI datacentre is among the initiatives the White House announced during the president’s Middle East visits

Close