Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices

Digital transformation and the transition to a modern workplace encourage employee engagement, productivity, and collaboration. This transition poses major challenges in protecting sensitive information. In the modern workplace, the perimeter between the corporate network and the cloud are fading. Sensitive data constantly travels between different locations and is often shared with others – both inside and outside the organization. This significantly increases the attack surface and makes identifying, protecting, and monitoring sensitive data challenging.

Additionally, the threat landscape is evolving. External adversaries and insider threats are becoming more sophisticated and dangerous. Data breaches are at an all-time high in terms of both the number of breaches and the overall severity and business impact. As a result, governments and regulators are instituting stricter regulations with unprecedented fines for not properly protecting and governing sensitive information.

Traditional solutions that put walls around your network perimeter do not suffice. You are at risk of over-protecting where you shouldn’t, degrading employee productivity by interrupting legitimate workflows, and under-protecting where you should – when sensitive data is being exfiltrated.

Consider the following principals when shaping your information protection strategy:

  1. Visibility – You can’t protect what you can’t see. Strive to achieve complete visibility into sensitive data across all repositories.
  2. Data-centric protection – Protect your data, not your perimeter. Apply information protection capabilities that are content-aware to improve protection coverage and reduce end-user friction due to unnecessary interruptions. Make sure sensitive data stays protected wherever it goes; this is especially important in a modern workplace, where data is constantly on the move.
  3. Assume breach – Sophisticated attackers, external adversaries, or insider threats will find a way around any wall you put in front of them. Implement post-breach techniques that constantly monitor sensitive data usage in your organization, correlate this data to other suspicious behaviors, and allow you to respond and mitigate risks.

The endpoint is a key point of control when implementing an effective information protection strategy based on these principals. Endpoints are often the entry for sophisticated attacks conducted by an external adversary or an insider threat. Combine it with the fact that endpoints are usually the darkest spot in the enterprise for security and compliance teams, and you end up with a critical weakness in the enterprise information security posture.

Windows Defender Advanced Threat Protection (Windows Defender ATP), Microsoft’s endpoint protection platform, addresses this challenge by integrating with Azure Information Protection, Microsoft’s data classification, labeling, and protection solution. This integration empowers Windows to natively understand Azure Information Protection sensitivity labels, to provide visibility into sensitive data on endpoints, to protect sensitive data based on its content, and to detect and respond to post-breach malicious activity that involves or affects sensitive data.

Windows Defender ATP is built into the OS, removing the need for deployment and agent maintenance, ensuring that end-user experience is not impacted when performing legitimate business workflows. No on-premises infrastructure or endpoint agents are required. The seamless integration with Azure Information Protection reporting and management experience ensures that data administrators can continue to leverage their existing Azure Information Protection experience to manage these new capabilities.

Discover sensitive documents on Windows devices

Windows Defender ATP’s built-in sensors discovers labeled data on all devices monitored by the Windows Defender ATP service. This data is then seamlessly plugged into the Azure Information Protection reporting experience and enriched with labeled documents discovered on Windows devices. This allows existing Azure Information Protection customers to get instant visibility into sensitive data on devices using the same dashboard and analytics tools they use today.

Figure 1. Azure Information Protection – Data discovery dashboard shows data discovered by both Windows Defender ATP and Azure Information Protection

It doesn’t end there. Being an endpoint protection suite, Windows Defender ATP monitors and calculates device machine risk level – an aggregated indicator of active security threats on each device. This data is also shared with Azure Information Protection reports, allowing data administrators to proactively understand whether sensitive corporate data resides on any compromised devices. To understand why the device is compromised, all it takes is a single click in the Azure Information Protection dashboard to be directed to that device’s record in Windows Defender ATP, where the administrator can investigate and mitigate detected security threats.

Figure 2. Azure Information Protection – Data discovery dashboard shows device risk calculation

Turning on this integration is a matter of a single flip of a switch in the advanced features settings page in Windows Defender Security Center. Windows endpoints will start discovering labeled documents immediately.

Figure 3. Windows Defender Security Center– Settings page

Figure 3. Windows Defender Security Center– Settings page

Prevent sensitive data leaks from Windows devices

Windows Defender ATP can further protect sensitive data by providing data loss prevention (DLP) functionality. Built using the combined Windows Defender ATP native OS sensors and its advanced cloud-based analytics, Windows Defender ATP can help detect and mitigate data leak risks, ranging from accidental end-user mistake to a sophisticated malicious attack.

It all starts from the Office 365 Security and Compliance Center (SCC), Microsoft’s unified management console for information protection, where you can manage information protection configuration settings on Windows devices. As part of the label policy, you can define whether files with a specific label applied will be protected by Windows Defender ATP.

Figure 4. Office Security & Compliance Center – Endpoint data loss prevention configuration page

Figure 4. Office Security & Compliance Center – Endpoint data loss prevention configuration page

Once that policy is in place, Windows Defender ATP will start protecting documents with a matching label. Protection is applied by automatically enabling Windows Information Protection, which prevents unallowed client apps, cloud apps, and network locations from accessing protected files and their content, reducing the risk of data leak.

In addition, Windows Defender ATP integrates sensitive data awareness into Windows Defender Security Center. Each incident or alert raised in Windows Defender Security Center includes a ‘data sensitivity’ attribute that is generated by aggregating the sensitivity of all the labeled files discovered on devices that are affected by the incident. This allows security analysts to prioritize incident response based on data sensitivity. When investigating an incident, security analysts can use data sensitivity context across the entire investigation – from the incident dashboard, through analyzing sensitive data exposure of specific machines, all the way to Advanced hunting.

Figure 5. Windows Defender Security Center – Incident queue, sorted by data sensitivity


Protecting sensitive data requires a comprehensive approach. Sensitive data stored on devices that are constantly on the move presents its own unique challenges. Windows Defender ATP and Azure Information Protection work together to effectively reduce the possibility of losing sensitive data. Together, these solutions provide discovery and protection capabilities required to govern and protect sensitive data, enforce compliance, and proactively mitigate risks.

These are just the first few steps we’ve taken to enhance the information protection capabilities. Stay tuned for more upcoming features built into Windows 10.

Start here to learn how you can leverage of this capability.

Omri Amdursky
Windows Defender ATP team

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.