Windows Defender Advanced Threat Protection can detect ongoing attacks on corporate networks, investigate the attack or breach, and provide response recommendations. It will be added to Windows 7 and 8.1 by this summer.
Microsoft plans to extend support for its Windows Defender ATP service to devices running older operating systems, including Windows 7.
The decision, announced this week, is a turn-about for Microsoft, which had limited the service to Windows 10 machines. In a post to a company blog, a Microsoft director cited customers’ heterogeneous set-ups to explain the change.
“We know that while in their transition, some [customers] may have a mix of Windows 10 and Windows 7 devices in their environments,” wrote Rob Lefferts of the Windows group’s security and enterprise team. “We want to help our customers achieve the best security possible on their way to Windows 10 ahead of the end of support for Windows 7 in January 2020.”
Windows Defender Advanced Threat Protection (ATP) is a service that detects ongoing attacks on corporate networks, then follows up to investigate the attack or breach, and provides response recommendations. Software baked into Windows 10 detects attacks, while a central management console allows IT administrators to monitor the status of covered devices, and react if necessary. Microsoft’s offering competes with similar services from security-first vendors like Check Point, FireEye and Fortinet. It debuted in March 2016 to an invite-only group of corporate customers, then went public in August of that year when Windows 10 version 1607, aka “Anniversary Update,” launched.
By summer, Lefferts said, ATP’s Endpoint Detection & Response (EDR) will be added to Windows 7 and Windows 8.1 so PCs running the older OSes can be monitored by the service – giving enterprise IT the same visibility into those machines as it has had into Windows 10 systems. A public preview will be available sometime in the spring.
Microsoft doesn’t sell ATP separately; it comes only as a component within the most expensive Windows 10 licenses, such as those provided by the subscription-based Windows 10 Enterprise E5 or Microsoft 365 E5. The company touts ATP as the differentiator between those SKUs (stock-keeping units) and the one-tier-lower E3 bundles.
That’s what made Microsoft’s extending a hearty handshake to Windows 7 and 8.1 so striking: Microsoft has used ATP to sell enterprises on Windows 10 – the company has argued again and again that the OS is much more secure than its predecessors – and in particular to prod those customers to pony up for the priciest licensing subscriptions.
Adding Windows 7 and 8.1 to Defender ATP butted against that strategy.
John Pescatore, the director of emerging security trends at the SANS Institute, said there were two likely reasons Microsoft went against its earlier grain. The first, he said, was this year’s biggest news in security – so far – the processor vulnerabilities dubbed “Meltdown” and “Spectre” that were revealed in January.
“Meltdown and Spectre impact all [operating systems], and some people running older OSes aren’t patching them at all,” Pescatore said, ticking off instances in healthcare and manufacturing where PCs cannot be updated because the hardware they control cannot abide one or more bug fixes. “And Windows 7 has a pretty big market share,” Pescatore added.
Indeed. Together, Windows 7 and 8.1 accounted for 56% of all copies of Windows in action last month, according to analytics vendor Net Applications. Meanwhile, Windows 10, while continuing to climb, mustered 39%. Under Pescatore’s theory, Microsoft – which knew of the Meltdown/Spectre flaws in mid-2016 – pulled the ATP trigger on Windows 7 and 8.1 so that corporations would know if or when one or more of their PC majorities had been compromised.
“And you have to believe that Microsoft is protecting its brand,” Pescatore said, moving to his second premise. “Windows share is gradually shrinking among desktop operating systems,” Pescatore noted. It’s even smaller when considered as part of all OSes, including those like Android and iOS that power smartphones and tablets. “Yet, invariably breaches [originate with] a Windows computer.”
In other words, Microsoft is trying to protect its operating system’s reputation, on which so much else, from Office to Server to cloud-based services, ultimately depends, with the ATP-to-Windows-7-and-8.1 decision.
Ironically, Microsoft will put in place the Windows 7 integration – assuming it does so mid-summer – when the operating system has just 18 or so months of support remaining. That’s a blink of an eye in enterprise time. (Windows 8.1 simply doesn’t count; not only was it largely ignored by businesses, its January user share was a measly 7.6% of all Windows PCs.)
The Redmond, Wash. developer conceivably could have debuted Defender ATP with Windows 7 support at a point where the OS had 42 months of support. That Microsoft did not do so reinforces the idea that it wanted to use the service to sell Windows 10, not protect the overall Windows ecosystem.
Pescatore questioned the concept that Defender ATP motivated corporate migrations to Windows 10. “I don’t see it as a reason to upgrade [to Windows 10],” he argued. For one thing, it’s hard to find large organizations that are all-in with Microsoft. And there’s resistance on several levels to Microsoft selling security software. Corporations often purposefully layer defenses using multiple vendors, Pescatore noted – not wanting to put all eggs in a single basket – and so already have in place EDR solutions from firms such as Endgame or CrowdStrike.
There’s another reason why Microsoft-made security software fuels some pushback. “You don’t see Google, with Android, or Apple, with iOS, selling security products to protect their own stuff,” Pescatore said. “There’s always resistance to that when Microsoft does it. It’s been trying to be a major player [in security] for, what, 20 years?”
Microsoft’s Lefferts did not say whether the integration of Windows 7 and Windows 8.1 PCs with Defender ATP would come at a price, and if so, what that price would be.