How can I tell if my organization is licensed for Microsoft Defender ATP?
The following Microsoft Volume Licensing products support Defender ATP:
- Windows 10 Enterprise E5
- Windows 10 Education A5
- Microsoft 365 E5 (M365 E5) (this includes Windows 10 Enterprise E5)
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
The easiest way to check current licensing information is to visit the Volume Licensing Service Center online: https://www.microsoft.com/Licensing/servicecenter/default.aspx
Accessing https://securitycenter.windows.com may produce a “No subscriptions found” warning message with the following text:
“No subscriptions found. Before you can start using Microsoft Defender Advanced Threat Protection, you need to subscribe to the service. See Microsoft Defender ATP product site or contact your Microsoft account team for information.”
What operating systems are supported by Microsoft Defender ATP?
Microsoft Defender ATP supports a wide range of Windows, macOS, and Linux operating systems. Learn more about operating systems supported by Microsoft Defender ATP.
Can I run Microsoft Defender ATP with another endpoint security or antivirus program installed?
Defender ATP relies on Microsoft Defender AV to provide metadata to the sensor and service. Defender ATP will enter “passive mode” when another AV tool is present, allowing these functions to operate normally. If your organization has fully disabled Defender via GPO or another method, you will need to re-enable Defender on machines that are scheduled for Defender ATP enrollment. For more information, see Microsoft Defender Antivirus compatibility.
How is my Microsoft Defender ATP endpoint protected from tampering or disabling?
Disabling Microsoft Defender ATP on Windows 10 is difficult for adversaries. Microsoft has hardened it in multiple ways, so it is highly unlikely that it could be disabled.
If you are deeply concerned about this risk, ensure that tamper protection is enabled for Windows Defender. This feature is supported in Windows 10 versions 1709, 1803, 1809, or later, together with Microsoft Defender Advanced Threat Protection E5.
Microsoft has an in-depth blog post on the various methods used to enable this technology here.
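The two answers above (Defender AV disabled by GPO, and tamper protection) can be checked on a machine before enrollment. The following is an added example, not Microsoft's tooling or part of the original FAQ; the function name Get-DefenderAtpReadiness is hypothetical, and it assumes an elevated PowerShell session on the Windows 10 machine being checked.

```powershell
# Added example: pre-enrollment check for the conditions described in the FAQ.
# Get-DefenderAtpReadiness is a hypothetical name, not a built-in cmdlet.
function Get-DefenderAtpReadiness {
    $findings = [System.Collections.Generic.List[string]]::new()

    # The GPO that turns off Defender AV writes DisableAntiSpyware = 1 here.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policy = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $disabledByPolicy = ($null -ne $policy) -and ($policy.DisableAntiSpyware -eq 1)
    if ($disabledByPolicy) {
        $findings.Add('Defender AV is disabled by policy; re-enable it before enrollment.')
    }

    # Get-MpComputerStatus throws when the Defender AV service is not running.
    $status = $null
    try { $status = Get-MpComputerStatus -ErrorAction Stop }
    catch { $findings.Add("Defender AV status unavailable: $($_.Exception.Message)") }

    $mode = $null
    $tamper = $null
    if ($status) {
        # Older builds do not expose these two properties; they stay $null there.
        $mode   = $status.AMRunningMode      # e.g. 'Normal' or 'Passive Mode'
        $tamper = $status.IsTamperProtected
        if (-not $status.AMServiceEnabled) {
            $findings.Add('Defender AV service is not enabled.')
        }
        if ($tamper -eq $false) {
            $findings.Add('Tamper protection is off.')
        }
    }

    # 'Sense' is the service name of the Defender ATP sensor on Windows 10.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($null -eq $sense -or $sense.Status -ne 'Running') {
        $findings.Add('Defender ATP sensor service (Sense) is not running.')
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        DisabledByPolicy = $disabledByPolicy
        RunningMode      = $mode
        TamperProtected  = $tamper
        SenseStatus      = if ($sense) { $sense.Status } else { 'NotInstalled' }
        Findings         = $findings
    }
}

Get-DefenderAtpReadiness | Format-List
```

A running mode of 'Passive Mode' alongside a third-party AV is the expected state described above; an empty Findings list means none of the checked conditions blocks enrollment.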
What other Microsoft solutions does Microsoft Defender ATP currently integrate with?
Microsoft Defender ATP directly integrates with various Microsoft solutions, including:
- Office 365 ATP
- Azure ATP
- Azure Security Center
- Skype for Business
- Microsoft Cloud App Security
What happens when a Microsoft Defender ATP-protected endpoint loses connectivity?
The Microsoft Defender ATP agent will cache data locally for roughly three days. If a machine has not communicated (sending via “cyber data channel” but not command and control) for over two days, the machine is considered impaired.