Skip to toolbar


Office of Information Security

Defender Advanced Threat Protection (ATP)

Microsoft Defender Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprises prevent, detect, investigate, and respond to advanced threats.  Defender ATP is available for any Penn State-owned machine running a recent version of Windows, macOS or specific flavors of Linux distributions.

Once a device is added to the ATP console, data that was only available locally on the device becomes available in a centralized console. This provides security analysts with a more holistic view of the current threat landscape within Penn State-owned endpoints.



Defender ATP is typically installed by a units’ IT staff, rather than piecemeal by individuals.  Please contact your local IT staff first before using the below links.

  • Windows
    • GPO
      •   should already be linked as part of the on-boarding process but if not, the GPO name in EAD is: PSU-SECURITY-Defender-ATP
    • Local script
    • SCCM
    • SysMan (aka BigFix)
      • Windows: Configuration: Enable Microsoft Defender ATP – Windows x64 (Updated) – ID 3620715
      • macOS: Install/Upgrade: Microsoft DefenderATP 101.05.17 – macOS – ID 4024340
  • macOS
  • Linux





In order to assist the Security Operations team, please ensure that all ATO and enclave machines have an “RHS” tag applied so they can be properly monitored. Failing to do so will also negatively impact your ATO checklist items and future risk assessments to maintain your ATO.

Tags can either be applied manually from the ATP console or to the registry via GPO. Device tagging is also available in JAMF for Mac devices. If you need help with device tagging, click HERE for Microsoft’s documentation.