Microsoft brings cloud security services to better protect Windows 10

Windows 10 Advanced Threat Protection and new Microsoft 365 Business security features make it easier to detect threats and stop cyber attacks.


Attackers regularly attempt to wiggle their way into your network and then try to cover their tracks. By the time you determine that someone has breached your network, the evidence of how they got in might have rolled off your log files. You would like to better understand how attackers can use lateral movement inside your Windows network and what resources they have accessed along the way.

For many years that question could only be answered with a lengthy investigation by a dedicated forensic team. Now, with Windows 10 and an E5 license, the forensic evidence can be captured automatically and saved for later review. Called Windows 10 Advanced Threat Protection (ATP), this service allows anyone with an E5 license to see under the hood and review what an attacker did to a system. It relies on telemetry that is enabled when the computer is linked to the ATP service.

Windows 10 ATP requirements and setup

The system requirements are straightforward: You need a Windows E5 license, either in the form of Windows 10 Enterprise E5, Windows 10 Education E5 or Microsoft 365 E5 (M365 E5), which includes Windows 10 Enterprise E5. You will need internet access, and the service will use a daily average bandwidth of 5MB to upload the daily activity to the data collection site. When you initially set up the service, you can choose where the data is stored: the U.S., Europe or the UK. Once you set up the data collection, you then "onboard" the computer systems by enabling the ATP functionality. While an Enterprise license is needed for licensing purposes, ATP can be enabled on Windows 10 Pro.

You can use group policy, System Center Configuration Manager (SCCM) or Intune to manage service enrollment. You can also enroll using a script to enable a registry key. Once the machines are connected to the ATP console, you can drill down to get a better understanding of the day-to-day system operations such as browser activity, antivirus updating, and Outlook connections to RSS feeds and gain a baseline of what is going on.

[Image: ATP console (Microsoft). Normal computer activity of a machine as noted by ATP]

Unlike some other Defender features, Windows ATP can be used with McAfee or other third-party antivirus software (check with your vendor to be certain), but you must configure Defender in passive mode. Defender signature updates must still be configured even if you use third-party antivirus.
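The onboarding and antivirus-coexistence points above (enrollment via a registry key, Defender in passive mode alongside third-party antivirus, signature updates still flowing) are the things that silently break an ATP deployment. The following PowerShell health check is an added example written for this page; it is not code from the CSO article or from Microsoft. The registry paths (`Windows Advanced Threat Protection\Status\OnboardingState` and `...\Policies\...\ForceDefenderPassiveMode`), the `Sense` service name and the `Get-MpComputerStatus` properties are as I recall them from Microsoft's onboarding documentation, so treat them as assumptions and verify against the current docs before relying on the script. Run it in an elevated PowerShell session on an onboarded Windows 10 client.

```powershell
# Added example (not from the article or Microsoft): post-onboarding ATP client health check.
# Assumed names: OnboardingState, ForceDefenderPassiveMode, service "Sense",
# Get-MpComputerStatus properties AMRunningMode / AntivirusSignatureLastUpdated.

function Get-AtpHealth {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

    # 1. Onboarding state: the onboarding script/GPO/Intune profile sets OnboardingState = 1
    $onboarded = $false
    if (Test-Path $statusKey) {
        $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
        $onboarded = ($state -eq 1)
    }

    # 2. The ATP sensor service must be running or no telemetry reaches the console
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseRunning = ($null -ne $sense -and $sense.Status -eq 'Running')

    # 3. Defender running mode and the policy value that forces passive mode
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $mode = if ($mp) { $mp.AMRunningMode } else { 'Unknown' }
    $forcedPassive = 0
    if (Test-Path $policyKey) {
        $forcedPassive = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
    }

    # 4. Signature freshness: updates must continue even when Defender is passive
    $sigAgeDays = $null
    if ($mp -and $mp.AntivirusSignatureLastUpdated) {
        $sigAgeDays = [math]::Round(((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays, 1)
    }

    [pscustomobject]@{
        Onboarded                = $onboarded
        SenseServiceRunning      = $senseRunning
        DefenderRunningMode      = $mode
        ForceDefenderPassiveMode = [int]$forcedPassive
        SignatureAgeDays         = $sigAgeDays
    }
}

$h = Get-AtpHealth
$h | Format-List

# Evaluate the result against the requirements described in the article
$problems = @()
if (-not $h.Onboarded)           { $problems += 'Machine is not onboarded (OnboardingState is not 1).' }
if (-not $h.SenseServiceRunning) { $problems += 'Sense service is not running; telemetry will not be uploaded.' }

# Security Center reports registered AV products; anything that is not Defender is third-party
$thirdParty = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Where-Object { $_.displayName -notlike 'Windows Defender*' -and $_.displayName -notlike 'Microsoft Defender*' }
if ($thirdParty -and $h.DefenderRunningMode -ne 'Passive Mode') {
    $names = $thirdParty.displayName -join ', '
    $problems += "Third-party AV ($names) is installed but Defender mode is '$($h.DefenderRunningMode)'; set ForceDefenderPassiveMode = 1."
}
if ($null -eq $h.SignatureAgeDays -or $h.SignatureAgeDays -gt 7) {
    $problems += 'Defender signatures are missing or older than 7 days; check the update source.'
}

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'ATP client health: OK' }
```

The script only reads state; it never changes Defender or onboarding settings, so it is safe to push through SCCM or Intune as a compliance check across a fleet and collect the warnings centrally. The seven-day signature threshold is an arbitrary choice for the example; set it to whatever your update policy requires.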
