Microsoft Defender for Endpoint (formerly Windows Defender ATP)

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint -- formerly Microsoft Defender Advanced Threat Protection or Windows Defender ATP -- is an endpoint security platform designed to help enterprise-class organizations prevent, detect and respond to security threats.

Defender for Endpoint can help an organization respond to potential threats, such as malware or ransomware, using tools built into Windows 10 and Azure services. These tools provide automated investigation, preventative and post-breach security detection and response features.

Defender for Endpoint was previously known as Microsoft Defender Advanced Threat Protection but was rebranded in 2019 along with other products under the Defender brand.

Chart of 12 cyber attacks.
Malware and ransomware are just two types of security threat.

Features and capabilities

Microsoft Defender for Endpoint offers the following security features and capabilities:

  • Threat and vulnerability management. A software inventory is performed on endpoints in real time. This information is used to detect, prioritize and mitigate security vulnerabilities related to installed applications and missing patches.
  • Attack surface reduction. The overall attack surface of a system is reduced through hardware isolation and application control. Application audit data is monitored and exclusions are added for necessary applications. Attack surface reduction rules are also employed.
  • Next-generation protection. Defender for Endpoint performs continuous scans to detect and block threats. This feature uses Microsoft Defender Antivirus, as well as behavior-based antivirus protection and cloud-delivered protection.
  • Endpoint detection and response. Defender for Endpoint groups related attacks into incidents. This type of aggregation helps security professionals prioritize, investigate and respond to threats.
  • Automated investigation and remediation. If left unchecked, network endpoints can generate an overwhelming number of security alerts. The Automated Investigations feature examines and resolves alerts, allowing security professionals to focus on other tasks.
  • Secure score. Defender for Endpoint uses a security score to rate the current security configuration. This score is based on categories including application, operating system, network, accounts and security controls.
  • Endpoint Attack. Previously Microsoft Threat Experts -- Targeted Attack Notification, Endpoint Attack is a managed hunting service that detects and prioritizes attacks, including keylogger or cyber attacks.
  • Management and APIs. A collection of APIs integrate Defender for Endpoint into an organization's workflow.
  • Shared data. Defender for Endpoint shares data with other Microsoft products, including Azure Active Directory Identity Protection, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps and Microsoft Defender for Identity.
  • Endpoint behavioral sensors. These sensors collect and process behaviors from Windows 10.
  • Support for platforms. Defender for Endpoint offers security services for Windows, Linux, macOS, iOS and Android operating systems.

      Defender for Endpoint plans

      Windows Defender for Endpoint offers two main plans -- Plan 1 (P1) and Plan 2 (P2). P1 is a base version and P2 offers everything that P1 offers but adds several features.

      P1 offers the following features:

      • APIs, security information and event management connector.
      • Application control.
      • Controlled folder access.
      • Device-based conditional access.
      • Device control such as USB.
      • Endpoint firewall.
      • Network protection.
      • Next-generation antimalware.
      • Unified security tools with centralized management.
      • Web control and categorized URL blocking.

      P2 includes all previously mentioned features, plus the following:

      • Automated investigation and remediation.
      • Defender Vulnerability Management capabilities.
      • Endpoint detection and response.
      • Sandbox.
      • Threat intelligence through analytics.

      Defender for Endpoint also offers a standalone Defender for Business version. This version comes with threat and vulnerability management features, attack surface reduction, endpoint detection and response, and automated investigation and response. However, it has limited web content filtering and cross-platform support features.

      Microsoft Defender for Business is available as a standalone user subscription for small and medium-sized businesses or as part of Microsoft 365 Business Premium.

      Microsoft Defender for Endpoint P1 is available as a standalone subscription license for commercial and education customers. It's also included as part of certain Microsoft 365 plans.

      Microsoft Defender for Endpoint P2 is also available as a standalone license or as part of certain versions of Windows 10 and 11 Enterprise and certain versions of Microsoft 365.

      Microsoft offers a free trial of both P1 and P2 versions of Microsoft Defender for Endpoint.

      Additional integrations

      Windows Defender for Endpoint can be integrated with other Microsoft software, including the following:

      • Azure Information Protection.
      • Conditional Access.
      • Microsoft Intune.
      • Microsoft Defender for Cloud.
      • Microsoft Defender for Cloud Apps.
      • Microsoft Defender for Identity.
      • Microsoft Defender for Office.
      • Microsoft Sentinel.
      • Skype for Business.

      Strengths and weaknesses

      One of Microsoft Defender for Endpoint's biggest strengths is its feature list. It can also create a graphical attack timeline using data related to a given attack. The tool is also compatible with other operating systems, including Windows, Linux, macOS, iOS and Android.

      But Microsoft's implementation of Defender for Endpoint also has some weaknesses. For example, the product automatically disables other antimalware and endpoint detection and response software present on an endpoint. This means that depending on the configuration, installing Defender for Endpoint can weaken an organization's security posture if it has previously installed security tools.

      Outside of Windows environments, Defender for Endpoint can be challenging to deploy, such as on older macOS devices. Likewise, Linux systems might experience high memory usage for endpoint agents.

      Cybercriminals have several ways they can spread malware. Learn how archive files using ZIP and RAR formats have become the most popular way to distribute malware to end users' machines.

      This was last updated in April 2023

      Continue Reading About Microsoft Defender for Endpoint (formerly Windows Defender ATP)

      Dig Deeper on Application and platform security

      Enterprise Desktop
      Cloud Computing