Windows Defender Advanced Threat Protection Technical Concepts and Configurations

Learn about Windows Defender Advanced Threat Protection Technical Concepts and Configurations for you to get started.

Continuing the Microsoft Defender ATP blog series, this post covers some more technical concepts, how they are implemented, and a few basic configurations. So let's start.

Technical concepts:

Some technical concepts that we need in the WDATP configuration and administration:

Onboarding:

Onboarding registers a server or Windows workstation with the Windows Defender ATP service so that its sensor can report to the cloud service.

Sensor communication:

The embedded Microsoft Defender ATP sensor runs in system context under the LocalSystem account. It uses Microsoft Windows HTTP Services (WinHTTP) to report sensor data to, and communicate with, the Microsoft Defender ATP cloud service.

Exposure Score:

This score reflects how exposed an organization is to cyber-attacks. A low score is desired because it means that machines are less vulnerable.

How to set it up:

As we know, Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:

  • Windows 10 Enterprise E5
  • Windows 10 Education E5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
  • Microsoft 365 A5 (M365 A5)

Then, the first step of the configuration is to validate the license. We must log in to our Azure Portal (http://portal.azure.com), navigate to the licensing section and look for any of the licenses mentioned above.

Another way to validate the license is to open the admin center (https://admin.microsoft.com) and go to Billing and then Licenses. In this window, we can see all the provisioned licenses and their current status.

The second step is to configure our security platform (proxy or Firewall) to ensure communication between the sensor and the cloud service.

We must ensure that the following URLs are not blocked and that communication with the Microsoft Defender ATP service is allowed over ports 80 and 443.

Microsoft.com DNS records by service location:

Common URLs for all locations:
  crl.microsoft.com
  ctldl.windowsupdate.com
  events.data.microsoft.com
  notify.windows.com
  settings-win.data.microsoft.com

European Union:
  eu.vortex-win.data.microsoft.com
  eu-v20.events.data.microsoft.com
  usseu1northprod.blob.core.windows.net
  usseu1westprod.blob.core.windows.net
  winatp-gw-neu.microsoft.com
  winatp-gw-weu.microsoft.com
  wseu1northprod.blob.core.windows.net
  wseu1westprod.blob.core.windows.net

United Kingdom:
  uk.vortex-win.data.microsoft.com
  uk-v20.events.data.microsoft.com
  ussuk1southprod.blob.core.windows.net
  ussuk1westprod.blob.core.windows.net
  winatp-gw-uks.microsoft.com
  winatp-gw-ukw.microsoft.com
  wsuk1southprod.blob.core.windows.net
  wsuk1westprod.blob.core.windows.net

United States:
  us.vortex-win.data.microsoft.com
  ussus1eastprod.blob.core.windows.net
  ussus1westprod.blob.core.windows.net
  ussus2eastprod.blob.core.windows.net
  ussus2westprod.blob.core.windows.net
  ussus3eastprod.blob.core.windows.net
  ussus3westprod.blob.core.windows.net
  ussus4eastprod.blob.core.windows.net
  ussus4westprod.blob.core.windows.net
  us-v20.events.data.microsoft.com
  winatp-gw-cus.microsoft.com
  winatp-gw-eus.microsoft.com
  wsus1eastprod.blob.core.windows.net
  wsus1westprod.blob.core.windows.net
  wsus2eastprod.blob.core.windows.net
  wsus2westprod.blob.core.windows.net
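The following PowerShell script is an added example for verifying the proxy/firewall step on an endpoint before onboarding; it is not code from the original post or from Microsoft. It assumes Windows 10 or Windows Server with the Test-NetConnection cmdlet available and an elevated PowerShell prompt. The host names are the ones listed above, and the region parameter selects which regional set to test alongside the common URLs. It first prints the machine-wide WinHTTP proxy, because the sensor runs as LocalSystem and uses WinHTTP, so the per-user Internet Options proxy does not apply to it.

```powershell
# Added example (not from the original post): check that the Defender ATP service
# endpoints listed above are reachable from this endpoint.
# Assumptions: Windows 10 / Windows Server with Test-NetConnection; run elevated.
param(
    [ValidateSet('EU', 'UK', 'US')]
    [string]$Region = 'US',
    # The post lists ports 80 and 443; 443 is tested by default, use -Ports 80,443 for both.
    [int[]]$Ports = @(443)
)

# The sensor runs under LocalSystem and talks through WinHTTP, so only the
# machine-wide WinHTTP proxy matters to it, not the logged-on user's WinINET proxy.
Write-Host 'Machine-wide WinHTTP proxy configuration (what the sensor will use):'
netsh winhttp show proxy

# Host lists copied from the table above.
$common = @(
    'crl.microsoft.com', 'ctldl.windowsupdate.com', 'events.data.microsoft.com',
    'notify.windows.com', 'settings-win.data.microsoft.com'
)
$regional = @{
    EU = @(
        'eu.vortex-win.data.microsoft.com', 'eu-v20.events.data.microsoft.com',
        'usseu1northprod.blob.core.windows.net', 'usseu1westprod.blob.core.windows.net',
        'winatp-gw-neu.microsoft.com', 'winatp-gw-weu.microsoft.com',
        'wseu1northprod.blob.core.windows.net', 'wseu1westprod.blob.core.windows.net'
    )
    UK = @(
        'uk.vortex-win.data.microsoft.com', 'uk-v20.events.data.microsoft.com',
        'ussuk1southprod.blob.core.windows.net', 'ussuk1westprod.blob.core.windows.net',
        'winatp-gw-uks.microsoft.com', 'winatp-gw-ukw.microsoft.com',
        'wsuk1southprod.blob.core.windows.net', 'wsuk1westprod.blob.core.windows.net'
    )
    US = @(
        'us.vortex-win.data.microsoft.com',
        'ussus1eastprod.blob.core.windows.net', 'ussus1westprod.blob.core.windows.net',
        'ussus2eastprod.blob.core.windows.net', 'ussus2westprod.blob.core.windows.net',
        'ussus3eastprod.blob.core.windows.net', 'ussus3westprod.blob.core.windows.net',
        'ussus4eastprod.blob.core.windows.net', 'ussus4westprod.blob.core.windows.net',
        'us-v20.events.data.microsoft.com',
        'winatp-gw-cus.microsoft.com', 'winatp-gw-eus.microsoft.com',
        'wsus1eastprod.blob.core.windows.net', 'wsus1westprod.blob.core.windows.net',
        'wsus2eastprod.blob.core.windows.net', 'wsus2westprod.blob.core.windows.net'
    )
}

# Test-NetConnection resolves the name and attempts a direct TCP handshake.
# A failure means DNS did not resolve or a firewall dropped the connection.
$results = foreach ($h in ($common + $regional[$Region])) {
    foreach ($port in $Ports) {
        $t = Test-NetConnection -ComputerName $h -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $h
            Port      = $port
            Reachable = [bool]($t -and $t.TcpTestSucceeded)
        }
    }
}

$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} host/port combination(s) unreachable; review proxy and firewall rules before onboarding." -f $blocked.Count)
    exit 1
}
Write-Host "All $Region endpoints reachable on port(s) $($Ports -join ', ')."
```

Test-NetConnection tests the direct path only. In a network that forces all outbound traffic through a proxy, these direct tests are expected to fail while the sensor still works, provided the output of netsh winhttp show proxy points at that proxy (it is set machine-wide with netsh winhttp set proxy) and the proxy itself allows the hosts above.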

Basic configuration

Once the steps above are complete, we proceed to configure the Windows Defender Advanced Threat Protection service, for which we must log in to the Security Center portal here: https://securitycenter.windows.com.

On our first login, a setup wizard guides us through the initial configuration of the WDATP cloud service instance.

  • The portal will validate that we are authorized to use the product. This step configures our permissions and is only required if we are not currently authorized to access the product.

  • After authorization, the welcome screen provides some details about the configuration wizard.

  • The third screen will allow us to configure service preferences.

We must configure four parameters in this step:

  • Data Storage Location

We may choose to store our information in the Microsoft Azure datacenters in the United States, European Union, or the United Kingdom. Once configured, we cannot change the location where our data is stored.

  • Data Retention Policy

By default, Microsoft Defender stores the data for six months; we can configure a shorter period, but we will not be able to change it once configured.

  • Organization Size

We need to indicate the estimated number of employees in the company. This parameter is not related to licensing; it tunes the service according to the size of the organization.

  • Preview Features

This setting defines whether we will have access to upcoming features. Once configured, we cannot change the selection. Enabling it is recommended.

After configuring these four parameters, a warning reminds us that the preferences mentioned above cannot be changed later.

  • Click Continue to proceed.

An instance will be created in Microsoft Security Center. This takes about 5 minutes; after that we are ready to onboard machines to the service.

Stay tuned for the next blog post of the series!