Skip to main content
Creating a new NHS England: NHS England and NHS Digital merged on 1 February 2023. More about the merger.


Microsoft deal - background information

The Department of Health and Social Care has announced a new centralised Windows 10 agreement which offers local organisations Microsoft Windows operating system licences, including Windows Defender Advanced Threat Protection (WDATP).

The Department of Health and Social Care has announced a new centralised Windows 10 agreement which offers local organisations Microsoft Windows operating system licences, including Windows Defender Advanced Threat Protection (WDATP). This is free of charge to local NHS organisations who agree to implement the ATP facility.

It includes the Windows Enterprise Operating System and associated technologies:

The contract will run for five years until 2023.

The WDATP facility gives local organisations better cyber security protection in their own right. It is also linked into the NHS Digital Data Security Centre (DSC), which improves cyber security protection for local health and care communities, and the NHS as a whole.

The benefits

Local Organisations get free Microsoft Windows client software that they would otherwise need to purchase locally from revenue funding. This releases money for direct patient care.  The software includes WDATP functionality that significantly improves local cyber security for an organisation. The software also includes local device encryption (Bitlocker) as well as the Windows Defender Antivirus product. These can replace other locally purchased alternatives and save additional local cost.

Accountable Care Systems are assured that their constituent organisations are running on secure desktop platforms and get a clear view of their cyber threat status across their system from their ATP portal.

The NHS has a real time understanding of cyber threats at national level and is better able to respond to cyber threats, as they occur and to ensure that the right interventions are taken to protect the wider system.

How Windows Defender Advanced Threat Protection works

WDATP monitors the Microsoft Windows operating system on a PC or Laptop device for any abnormality in its working. If it sees an abnormality, it alerts local management and, if configured by the local organisation, it can provide response actions to prevent a malware infection spreading.

Because WDATP is provided as part of an NHS national system, the same alerts are used to give an NHS enterprise-wide view of system status, to device level, in real time – a new capability for NHS Digital. This allows NHS Digital to more quickly and effectively co-ordinate the overall NHS response to cyber threats as they evolve. It also allows local organisations to see a developing regional or national threat too.

The Windows operating system licences provided allow local organisations to use either Windows 7 SP1, Windows 8.1 and Windows 10 Build 1607 and above and deploy WDATP to both their existing estate and new devices. So organisations needn't wait until their full migration to Windows 10 is complete to benefit from WDATP.


Does an organisation have to join this service?

No. It is optional. However, central funding for Windows operating systems licenses will not be available to organisations who are not part of the service. Also, the enhanced cyber protection that WDATP enables at both local and NHS enterprise-wide level will not be available as the local organisation will not be connected.

Do organisations have to implement Windows 10 to be part of the service?

Yes. All NHS organisations joining the service must commit to migrating from their current Windows 7/8 estates to Windows 10 by no later than 14th January 2020. The Windows 7 operating system will be unsupported after that date. NHS organisations have already successfully migrated more than 100,000 NHS devices to the Windows 10 operating system, and guidance and support to help trusts with their migration will be provided as part of the service.

Has NHS local input been taken into account in developing this service?

We have worked with an advisory group of approximately 90 local organisations (trusts, CSUs, CCGs, HIS, CICs etc) to develop the service offering. More than 20 of these organisations have committed to act as early adopters for the ATP element of the service. A user group will be maintained as a focal point for ongoing development of the service during its life.

Does WDATP just cover Windows 10 or can it also be used with Windows 7 and 8?

WDATP can be used on Windows 7 SP1, Windows 8.1 and Windows 10 Build 1607 and above.

The functionality for Windows 7 devices is not as comprehensive as for Windows 10, and the ATP service continues to develop with each successive Windows 10 release.

What does WDATP do that a local anti-virus product can’t do?

WDATP knows how Windows should be working. If anything abnormal happens, it knows that something is wrong, even if it doesn’t know exactly what is wrong. Because WDATP is an integrated part of the Windows operating system it can respond immediately to address the issue before it spreads. AS WDATP is provided as part of an NHS national system, an alert of an abnormality is shared with the NHS Digital Data Security Centre in near real time. The national picture is also shared with other NHS entities (e.g. other partners within an accountable care system) so all have the visibility of a developing threat enabling them to take the appropriate response.

What intervention capability will the NHS Digital Data Security Centre have?

Local organisations continue to be responsible for managing their estate and will lead on any intervention necessary within their estate. The NHS Digital Data Security Centre team response to any threat identified within a local estate will be managed with the local organisation responsible.

Will other local organisations see detailed information about other estates?

No. Each organisation’s information is securely partitioned and the information generated by WDATP is available only to the organisation that is responsible for the devices, and the NHS Digital Data Security Centre.  All local organisations taking part in the service will be able to view the national and regional summary of threat status to inform their own local threat planning and response.

How does this new service fit with the Enterprise Threat Detection (ETD) service, currently available to NHS organisations?

ETD is an ’after the event’ expert analysis provided by Microsoft that is shared back with the NHS. The data used within ETD is sourced from the error reports generated by Windows-based devices across the world. This provides the NHS with insight and analysis to help improve our cyber protection and cyber response. ETD is built on the basis of information from a far wider pool of devices than just the NHS.

WDATP is a real time protection service that can spot and respond to issues as they arise even if they have not been seen before (’zero-day attacks’). It generates and makes available a much richer and deeper set of system-level information that can be analysed by local organisations and the NHS Digital Data Security Centre themselves.

Does WDATP share personal or patient information with NHS Digital, other NHS organisations or Microsoft?

WDATP records machine level information, but does not access patient records or documents such as Word/Excel/emails and does not record or share patient information.

Which NHS organisations can be part of this agreement?

The principle is that any organisation delivering predominantly NHS funded care can be part of the service. This includes trusts, CCGs, GPs, CSUs and ALBs. It also includes CICs and commercial providers who are providing IT services for NHS organisations.

The service does not currently extend to local authorities, care homes, community pharmacies, dentists and opticians or independent sector provider non-NHS activities.

Where can I get more information about Windows Defender Advanced Threat Protection?

Please visit

Does this deal include Office 365 for the NHS?

No, this deal if focused solely on Windows 10 licences. Individual organisations will still be responsible for the purchase of other Microsoft software licenses.

Latest news

Last edited: 31 August 2018 3:02 pm