Identification
ATP
To detect if Windows ATP is running on the machine:
Process
MsSense.exe
Service
Display Name: Windows Defender Advanced Threat Protection Service
Name: Sense
Registry
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
File Paths
C:\Program Files\Windows Defender Advanced Threat Protection\
ASR Rules are stored here:
| Rule name | GUID | File & folder exclusions | Minimum OS supported |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Not supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | | Not supported | Windows 10, version 1903 (build 18362) or greater |
To check if certain rules are enabled or not:
0 = Off
1 = Block
2 = Audit
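An endpoint check covering both the ATP indicators and the ASR rule states listed above, as an added example that is not part of the original page. It assumes a Windows host with the built-in Defender module (`Get-MpPreference` and its `AttackSurfaceReductionRules_Ids` / `AttackSurfaceReductionRules_Actions` properties); variable names are illustrative.

```powershell
# Added example: confirm the ATP sensor is present and report ASR rule states.
# Indicators come from this page; Get-MpPreference is the built-in Defender cmdlet.
$regKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$dirPath = 'C:\Program Files\Windows Defender Advanced Threat Protection\'

$svc  = Get-Service -Name 'Sense'   -ErrorAction SilentlyContinue
$proc = Get-Process -Name 'MsSense' -ErrorAction SilentlyContinue

[pscustomobject]@{
    ServiceInstalled = [bool]$svc
    ServiceStatus    = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    ProcessRunning   = [bool]$proc
    PolicyKeyPresent = Test-Path -LiteralPath $regKey
    InstallDirExists = Test-Path -LiteralPath $dirPath
} | Format-List

# Action values as listed on this page; anything else is reported as "Other".
$actionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit' }

$pref = Get-MpPreference -ErrorAction SilentlyContinue
if (-not $pref) {
    Write-Warning 'Get-MpPreference is unavailable on this host.'
} else {
    # Rule GUIDs and their actions are returned as two parallel arrays.
    # Filter out $null so an unconfigured host yields an empty list.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    if ($ids.Count -eq 0) {
        Write-Output 'No ASR rules are configured.'
    } else {
        $rows = for ($i = 0; $i -lt $ids.Count; $i++) {
            $a = [int]$actions[$i]
            [pscustomobject]@{
                RuleGuid = $ids[$i]
                Action   = $a
                State    = if ($actionNames.ContainsKey($a)) { $actionNames[$a] }
                           else { "Other ($a)" }
            }
        }
        # Sorting by Action puts rules that are Off (0) at the top for review.
        $rows | Sort-Object Action | Format-Table -AutoSize
    }
}
```

Rules reported as Off or Audit are not enforcing; compare the GUIDs against the rule table above to see which protections are missing.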
ATA
Check for ATA admins: