

Microsoft Advanced Threat Protection Review

Brian Nadel

Microsoft Advanced Threat Protection EDR starts with the built-in malware protection that defends Windows 10 systems and adds extra emphasis on cloud defenses to fully protect your company from a variety of attacks. Based on machine learning, language processing, and cutting-edge technology to ferret out threats that others might miss, it stands alone. It lacks versions for platforms that others provide, but Microsoft is working on making its software more complete.

The Verdict

It may not cover Macs, iPhones, iPads and Androids, but Microsoft Advanced Threat Protection excels at protecting Windows computers at work with artificial intelligence, a heavy presence in the cloud and follow-up investigations of any infections.


Endpoint Detection and Response Features

Microsoft Advanced Threat Protection (ATP) defends a company's digital infrastructure by monitoring every aspect of a computer's operations to detect threats, old and new. Rather than replacing the Windows Defender app, ATP augments and extends its protection. It works against everything from spyware, rootkits and worms to more insidious vectors, such as network weaknesses, fileless attacks and ransomware.

The entire malware protection can be run in an ultra-safe virtual machine so that nothing dangerous ever leaks out to damage the system. Behind the scenes, the Azure Advanced Threat Protection server combines cloud activities with artificial intelligence to discern patterns of penetration out of the background data to find threats others might miss.

By borrowing some of the techniques big data firms use to pull valuable information out of a mass of sometimes contradictory data, ATP can find the digital needle in the haystack. While keeping unnecessary alerts to a minimum, the software can flag flaws in everything from web pages and browser plugins to SQL database configurations that an attacker could exploit.

With the power to monitor all key user, device and resource activities, ATP stores all its telemetry data on an Azure server. It sifts through this data to identify suspicious and potentially dangerous activity that might compromise a company.

ATP also uses the company's Antimalware Scan Interface (AMSI) to unpack complicated threats that might lurk in JavaScript, VBScript, VBA and PowerShell scripts. The software is sophisticated enough to break down the threat and disarm it. Microsoft takes this a step further with the ability to protect user data and login credentials and to monitor cloud-native apps.

ATP is cloud-based and communicates directly with the user computer on threats, remediation and updates. On the downside, Microsoft's defenses are based on separate apps that range from the ATP client and firewall to the network inspection system and server protection.


With a slew of add-ons, server software and options, it can be hard to parse Microsoft's pricing scheme for Advanced Threat Protection. There are licenses for the clients and server software, but Microsoft wouldn't disclose details on pricing.

While others provide short-term trials of their software that last about a month, Microsoft lets you try its endpoint protection for six months. This way, you can truly tell whether it is a good fit for your company.

Endpoint Protection

Microsoft did a lot to invent the current IT landscape in the 1980s. Now, it is working to protect it from the dangers of the web. Microsoft ATP uses a combination of traditional scanning against a database of known threats and heuristic behavioral monitoring for the early signs of a threat in conjunction with heavy-duty cloud intelligence.

It can often find a threat in the combination of two independently harmless actions, but it lacks the ability to deploy decoys to gain intelligence on new threats. The threat protection includes filtering out websites with a history of distributing malware; this filtering is built into Internet Explorer and Edge but requires an extension for Chrome.

The defenses can be strengthened for security-conscious firms. For instance, ATP can add extra security layers with trusted platform modules and two-factor authentication.

Because it comes from Microsoft, the emphasis is on Windows 10 desktops, notebooks and tablets. Windows 7 and 8.1 systems are also covered, but the former is being phased out early in 2020. The gamut of systems covered by ATP is expanding with software for Macs currently in beta and apps for Linux, iOS (iPhones and iPads) and Androids under development.


The Security Center is the hub of ATP's protection, and unlike many competing consoles, it is bright and airy rather than dark. An excellent web-based management console, it provides complete visibility of all connected clients. It can poll 1,000 systems in an instant, according to Microsoft, and gathers data on unconnected systems as soon as they log in.

Its overall security score considers all aspects of the company's systems and the current security stance. At a glance, the security center dashboard shows scores for risk, digital hygiene, threat protection and other key indicators.

At any time, the administrator can zoom in on a specific system that might be encountering a new virus or zoom out to search for a specific file of interest. New devices can be added quickly with a single email, and all device data and security details are visible to the administrator.

The ATP software continually checks for adherence to the company's security policies. Adjustments, updates and new software can be sent to single systems, any group or every computer the company owns. The Security Center is the place to view the company's computers remotely, but Microsoft lacks a mini dashboard for a phone, tablet or digital watch that would allow an administrator to see what is going on and get alerts.

Endpoint Response

If something dangerous slips through Microsoft's security nets, ATP jumps in to neutralize the threat. It can block items at the kernel level, stop a variety of attacks before any serious damage is done and can often return the system to its original state. Whenever it perceives a risk, the software sends out alerts.

ATP adds a simple timeline for investigating an attack. It shows clearly what was changed, when and how to help stop a recurrence of the threat. After an attack has been examined, the response can be automated.

When it comes to threat intelligence, Microsoft is in a league of its own. With nearly a billion Windows systems out there collecting data on the latest threats, the company has a much wider reach than other security software providers. Microsoft frequently updates its software and database of threats in response to new and evolving dangers.


Microsoft includes 24/7 support but currently lacks a threat response team to help untangle a break-in and prevent another from happening. This won't last long, because the company has a preview of its Threat Experts service, essentially a cyber SWAT team to deal with complex threats.

It takes a few minutes to install Endpoint Protection on a new machine or delete the protection for a departing employee. Everything can be downloaded and set up with minimal user intervention and delivered in a single email.


Brian Nadel, Contributing Writer
Brian is a technology writer based north of New York City. He writes stories for Tom's Guide, ComputerWorld and Scholastic Magazines. He is the former editor-in-chief of Mobile Computing & Communications magazine.